On August 12, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) posted a public alert warning that an unknown malicious cyber actor is actively attempting to direct individuals to a fraudulent Small Business Administration (SBA) COVID-19 Loan Relief webpage. Visitors to the webpage are then targeted for their login credentials or for further malicious redirection. Phishing emails appear to be the malicious cyber actor's primary method of engagement with victims.
What Is Phishing?
Phishing is among the most successful and enduring forms of malicious cyber activity. Whereas hacking can be seen as breaking or picking the cybersecurity lock, phishing is equivalent to convincing the victim to unknowingly hand over the key. Ultimately, phishing is most often a method by which malicious actors attempt to gain sensitive information, such as an individual's workplace login credentials, personal email credentials, or sensitive financial information.
Email phishing attacks will generally impersonate a legitimate person or institution, and sophisticated phishing attacks are adept at mirroring the formatting and language of the entity they are attempting to impersonate. These attacks will often include hyperlinks to compromised webpages or malicious file attachments.
Phishing is most dangerous when it is highly targeted. In these cases, referred to as spear phishing, a malicious actor will have tailored the phishing attack specifically for the intended target. Spear phishing attacks will often try to impersonate someone you know or work with, will relate to something of topical interest, or may appear to be related to an urgent business matter.
Is This Out of the Ordinary? Why Is This Happening?
Unfortunately, phishing attacks are not uncommon, and their usage tends to spike whenever circumstances arise that increase their chance of success. Part of their appeal is that they don't require sophisticated technical knowledge to create, are inexpensive to deploy, and often target an organization's weakest cybersecurity link: people.
Until the malicious cyber actor is identified, its motives can only be speculated upon. However, malicious cyber actors are adept at adapting their strategies and tactics to take advantage of current events. The advent of COVID-19, the global shift to telework, and the creation of government-funded relief programs have created numerous opportunities for actions like these to flourish over the past several months. The urgency and volume of small businesses looking for financial assistance, combined with hastily assembled and understaffed government relief programs, represent a compelling target.
Should I Be Concerned? What Can I Do?
While it is important for all organizations to take cyber threats seriously, it is an absolute imperative for organizations that deal with privileged or regulated data, or that cannot afford to have their services disrupted, their reputation damaged, or the trust of their clients breached.
For this particular malicious cyber actor, organizations should be wary of any emails or messages that attempt to direct them to an SBA COVID-19 loan relief webpage. To be safe, websites such as these should only ever be accessed directly. Furthermore, technical details and updates for this malicious cyber actor are available on CISA's alert page. Phishing attacks are unlikely to disappear, but there are numerous educational and technical approaches available to organizations of any size and industry that can reduce the risk of being compromised by one.
If you believe you may be the victim of a phishing attack or would like more information on how to mitigate your cybersecurity risk, please contact the authors.
Venable's Cybersecurity Risk Management team is led by Ari Schwartz, a former member of the White House National Security Council, where he served as special assistant to the president and senior director for cybersecurity. The team's non-lawyer cybersecurity professionals have decades of government and private sector experience and work seamlessly with attorneys across Venable to provide comprehensive cybersecurity services to companies and high-profile individuals. They empower companies to assess risk, including threats of phishing attacks, training employees to assess digital footprints for cybersecurity threats, securing the safety of client data, aiding in the creation of security policies and procedures, and providing exercises and training to test security preparedness.