Phishing with Government Bait Hooks Unwary Employees

These Clever Government Phishing Scams Can Quickly Ensnare Employees

---

Cybercriminals are constantly evolving their phishing techniques, but that doesn’t mean that they don’t like to turn to their old favorites sometimes and a classic scam is enjoying a new life right now: fake messages from supposed government entities. From unemployment-related sham emails to bogus health department surveys, cybercriminals are taking advantage of high email volumes, employee confusion and economic uncertainty to unleash a blizzard of phishing scams that mimic communications from government entities.

---

---

Pandemic Pressures Amped Up Risk

---

Phishing exploded during the pandemic and it hasn’t slowed down. More than 70% of organizations around the world experienced a phishing attack in 2020. That’s an overall increase of 42% over 2019. Some categories like ransomware experienced triple-digit growth. The advent of the pandemic marked an unprecedented increase in phishing risk in Q2 2020, with phishing threats exploding by an estimated 660% according to Google, which also reported uncovering 18 million daily malware and phishing emails in 2020. 

That epic flood of emails was launched with a wave of messages that claimed to contain important information about the virus and lockdowns, many carrying ransomware. One infamous scam involved spoofing emails from the World Health Organization. Cybercriminals were using pandemic stress and uncertainty to persuade the targets to download a map of COVID-19 transmission in their area. A similar scam used the popularity of John’s Hopkins University’s live Coronavirus COVID-19 Global Cases map to lure in victims with purported updates – but those updates were actually ransomware. The chaotic rollout of federal COVID-19 relief checks in the US also created a rich hunting ground for bad actors.

---

---

New Variants on Old Tricks Snare Employees

---

Tax scams abounded this year too. The US IRS (Internal Revenue Service) released an official warning in early to alert tax professionals about spoofing emails supposedly sent from “IRS Tax E-Filing” with the subject line “Verifying your EFIN before e-filing.” The U.S. Financial Industry Regulatory Authority (FINRA) was also forced to issue a regulatory notice in March 2021 warning brokers of an ongoing phishing campaign. Attackers using carefully faked messages based on FINRA templates with bogus but believable URLs were sending out fake compliance audit notices, spurring companies to react – and get their credentials stolen. 

Fake unemployment and benefit scams have been a cybercriminal go-to throughout the pandemic, and they’re not slowing down. With millions of Americans out of work and claiming unemployment benefits, cybercriminals have a rare opportunity to profit from the constant communication between those displaced workers and state workforce agencies. The US Department of Justice released a warning in March 2021 to warn people claiming unemployment that cybercriminals have been busy sending out bogus emails claiming to be from state and federal authorities that direct unsuspecting victims to apply for benefits or update information at phishing sites.

Another government impersonation scam is stealing personally identifiable information (PII) by telling targets that they’ve been chosen to participate in a sham survey about the COVID-19 vaccine by their state or local government. The scammers sweeten the deal by telling the victim that there’s an array of cash and prizes available for survey takers, and they need to fill in some information on a website form to prove their eligibility. Cybercriminals have churned out emails related to COVID-19 that direct people to counterfeit government landing pages throughout the global pandemic. An estimated 4,300 malicious web domains related to COVID-19 relief were registered in March 2020 alone.

---

---

Protect Your Business in Just 2 Moves

How does this flurry of faux government communication threaten your business? Employees have been increasingly interchangeably using personal and company devices to conduct business like checking email or reading a report throughout the pandemic. Approximately 70% of employees use a mix of their own personal devices and company-provided devices while working every day. Many companies adopted permissive bring-your-own-device policies with little oversight in the scramble to get everyone back to work as pandemic lockdowns shut down their offices – and that translates into employees opening personal email on devices connected to company systems, increasing risk.

BullPhish ID is the perfect fix for increased phishing risk. Through memorable phishing simulations, employees will become more aware of potential phishing scams landing in their inboxes. Trainers can choose from a library of video lessons and ready-to-use premade phishing simulation kits. Or they can craft customized content to reflect unique industry threats including URLs and attachments with online quizzes that measure retention.

Passly prevents stolen passwords from packing a lethal punch. Dynamic secure identity and access management tools like multifactor authentication and single sign-on blunt the impact of a phished password when cybercriminals try to use it to sneak into business systems and snatch important data.

The ID Agent digital risk protection platform has the strong solutions that every business needs to protect their systems and data from phishing. Contact our solutions experts today for your personalized demonstration.

---

---

---