5 Cybersecurity Trends that Will Dominate 2020

By Aaron Higbee, CTO, Cofense

The threat landscape continues to evolve at a rapid pace, with new threat vectors emerging and increasing in sophistication. Which ones should you watch most closely as 2020 unfolds? Based on insights collected from our Cofense research teams, here are five trends we see dominating next year.

Ransomware will continue becoming more targeted to reap more sizeable payouts.

Many people are under the impression that ransomware is slowing down, but in reality it’s simply being used in a more targeted fashion. So many private and public organizations, as well as government entities, have been infiltrated by ransomware that we’ve become desensitized to its devastating effects.

Ransomware is very much alive, and sophisticated actors use it every day as a gateway into an organization’s network once they have identified crown jewels left vulnerable. One reason we hear less about ransomware in the media is that attacks are increasingly difficult to cover: cyber liability insurance policies and law enforcement involvement create so much red tape that the real details stay shrouded in secrecy and never reach the public domain. Threat actors will continue to refine their targeting in 2020 to maximize profits from organizations that lack an advanced security posture but have a lot to lose.

Healthcare and genetic testing organizations will be a rich target for monetizing data.  

Healthcare organizations will always be among the richest targets for ransomware and consumer fraud, because they hold valuable information, such as Social Security numbers, that can be monetized quickly. Looking further ahead, the prospect of malicious actors breaking into a genetic testing company’s database is especially disturbing. Not only would a threat actor hold a detailed record of medical history and family heritage, but if the ethics of gene editing evolve further (and that is not far off), a master log of thousands, if not millions, of people’s DNA becomes available for attackers to exploit.

Cryptocurrency will find itself in the crosshairs.

The cryptocurrency industry is not widely understood, but it is on the receiving end of some of the most advanced attack methods we’ve seen to date. Whether the target is a high-profile crypto holder or an entire cryptocurrency exchange, we’ve seen first-hand at Cofense how this realm of cyberspace is impacted by elite phishing tactics. Ultimately, the attackers look at their targets from two angles.

The first, if you are an individual cryptocurrency holder: is your line of defense weak enough for me to compromise you, log into your exchange account, steal your cryptocurrency and transfer it out? The second, if you are an exchange: is one of your employees (and it only takes one) susceptible to clicking a phishing link, so that I can get into your network and dig deep enough to reach the cold storage vaults and pull off a heist?

The latter is far more likely, because organizations often neglect to train their employees to identify malicious emails. They mistakenly believe that more expensive, “we-promise-to-stop-it-all” technologies will thwart every attack. The reality is that the circle of trust at some organizations is so large that their employees really are the first and last line of defense against an attack.

SIM-jacking will be used to jack cryptocurrency.

SIM-jacking is a trend that has recently emerged and will pick up speed in 2020 because it works and is easy to carry out. Instead of spending time trying to break into the target directly, SIM hijackers go to someone who works for a telecom company and pay them off to assign your phone number to another device, then use that phone number to receive password-reset codes, reset your passwords and steal your cryptocurrency. The attack works because the exchange treats possession of the phone number as proof of identity, so any SMS-based reset or second factor falls with the number. In fact, one major U.S. telecom company is currently in the throes of a lawsuit after a handful of employees helped hackers rob a customer of $1.8 million worth of cryptocurrency. Who exactly is at fault in SIM-jacking attacks is heavily debated; the cybercriminals obviously are, but there are several layers to the attack that blur the lines.

Information warfare will put human intuition to the test.

In an era of fake news, information warfare is a very real consequence of social media platforms and the influx of news outlets. The public has to rely on, and choose between, numerous news sources that offer little evidence and leave much to the imagination when it comes to the root cause of most stories.

Evidence is the key to validating any story. At Cofense, we stress the importance of conditioning people to recognize fake from real—phishing emails and other scams that target employees at work and home.

Human intuition is one of the most powerful tools in your arsenal, and it’s vital to hone it as a natural defense mechanism to combat against all types of threats, whether it’s fake news, a conspiracy theory, or a scam designed to bilk your company of its data, funds, or brand reputation.

To stay on top of phishing and malware threats in 2020, be sure to check this blog. We’ll continue to share our teams’ findings, both what we see in the wild and what evades the email gateway.


HOW COFENSE CAN HELP

100% of malware-bearing phishing threats analyzed by the Cofense Phishing Defense Center were reported by end users. 0% were stopped by technology. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and remove the blind spot with Cofense Reporter.

Quickly turn user reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence.


Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

John Podesta’s Phish Foreshadows Doom for 2020

If you haven’t read the Mueller Report, spoiler alert: the phish that netted the Clinton campaign was not sophisticated. As you may know, neither was the campaign’s phishing defense (understatement). All of which spells probable doom for the 2020 presidential candidates, despite the news that campaigns have looked at offers, some free, from cyber-security firms.

The FBI’s Global Business Email Compromise (BEC) “Wire-Wire” Bust: A Personal Perspective

Last week, the FBI announced it had busted a business email compromise (BEC) racket that raked in millions of dollars in fraudulent wire transfers secured through email-based cyberattacks. The Bureau, along with federal and overseas partners, arrested 74 people, seized over $2M, and disrupted and recovered another $14M in phony wire payments.

PhishMe is now Cofense.

On February 27th 2007, while on the phone with my friend and co-founder Rohyt Belani, I typed the name phishme.com into GoDaddy™. We couldn’t believe our good luck and immediately registered it. As the co-founder who named this company PhishMe®, the emotional attachment is real. Somewhere in the pile of entrepreneurial startup books, I have a branding book that suggested your name is a vessel that should be big enough to carry your future products and services. We outgrew that boat quite some time ago.

Bogus Claim: Google Doc Phishing Worm Student Project

According to internet sources, Eugene Pupov is not a student at Coventry University.

Since the campaign’s recent widespread launch, security experts and internet sleuths have been scouring the internet to discover the actor responsible for yesterday’s “Google Doc” phishing worm. As parties continued their investigations into the phishing scam, the name “Eugene Pupov” has consistently popped up across various blogs that may be tied to this campaign.

A blog post published yesterday by endpoint security vendor Sophos featured an interesting screenshot containing a string of tweets from the @EugenePupov Twitter handle claiming the Google Docs phishing campaign was not a scam, but rather a Coventry University graduate student’s final project gone awry.

Source: Sophos News. https://nakedsecurity.sophos.com/2017/05/04/student-claims-google-docs-blast-was-a-test-not-a-phishing-attempt/

Several folks on Twitter, including Twitter verified Henry Williams (@Digitalhen) have pointed out a serious flaw in the @EugenePupov profile.

Source: Twitter, Inc. https://twitter.com/digitalhen/status/860006167715643392

This twitter account, which fraudulently used a profile image portraying molecular biologist Danil Vladimirovich Pupov from the Institute of Molecular Genetics at the Russian Academy of Sciences, has since been deactivated.

Coventry University’s communications team quickly responded on social media denying all claims that anyone named Eugene Pupov is a current or former student.

Source: Twitter, Inc. https://twitter.com/CoventryUniNews/status/860120215216148481

Something clearly is “phishy” about this situation.

Despite the university’s announcement discrediting the claim that a Eugene Pupov was ever enrolled, I would like to explore, hypothetically, the theory that yesterday’s campaign was the result of a student phishing research project that went terribly viral. Our PhishMe Intelligence teams identified and obtained the campaign source code, and the most notable aspect of this phishing campaign was its uncanny ability to self-replicate and spread. From our vantage point, there is no outward evidence that data was stolen or manipulated as previously alleged.

The list of domains created for this alleged “student demonstration” stinks like rotten phish.

googledocs[.]gdocs[.]download

googledocs[.]docscloud[.]download

googledocs[.]gdocs[.]win

googledocs[.]gdocs[.]pro

googledocs[.]g-2Dcloud[.]win

googledocs[.]g-2Ddocs[.]win

googledocs[.]g-2Dcloud[.]pro

googledocs[.]g-2Ddocs[.]pro

googledocs[.]docscloud[.]win

As a career-long security researcher and current leader of phishing intelligence research teams, I find this list of domains concerning. Typically, when a researcher creates proof-of-concept code for a white paper or presentation, the naming convention makes the URLs openly signal their malicious or fraudulent nature for educational purposes, for example:

  • “foo-example.com”
  • “evil-mitm-site.com”
  • “hacker.foo.example.com”

If the party responsible intended to produce educational material that had any potential to unintentionally mislead a victim, they would typically create one, possibly two, examples to help avoid such a scenario. A comparable case is the Punycode phishing sample recently covered in WIRED, where the researcher registered a single Punycode example domain.

What is most concerning here is the number of googledocs look-alike domains. Under normal practice, a legitimate security researcher would not register nine domains to illustrate a point or to educate on a threat vector. This behavior pattern is most often tied to malicious actors with real nefarious motivations behind their actions.
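As an added example (not PhishMe’s code and not the campaign’s source), the following Python applies that heuristic to the nine defanged hostnames listed above: refang each, cut off the registrable domain, flag hostnames where a brand string appears as a whole label left of a foreign registrable domain or inside the registered name itself, and count how many separately registered domains were needed to stage them. The brand tokens and the allowlist of domains where the brand legitimately lives are assumptions made for the example; the registrable-domain cut uses the last two labels, which is a simplification of what a Public Suffix List lookup would give.

```python
"""Flag brand look-alike hostnames and count how many separately registered
domains carry them. Added example, not Cofense/PhishMe code; the brand tokens
and the legitimate-domain allowlist are constructed assumptions."""
from collections import defaultdict

# The nine defanged hostnames from the list above, copied as written on the page.
CAMPAIGN_HOSTS = [
    "googledocs[.]gdocs[.]download",
    "googledocs[.]docscloud[.]download",
    "googledocs[.]gdocs[.]win",
    "googledocs[.]gdocs[.]pro",
    "googledocs[.]g-2Dcloud[.]win",
    "googledocs[.]g-2Ddocs[.]win",
    "googledocs[.]g-2Dcloud[.]pro",
    "googledocs[.]g-2Ddocs[.]pro",
    "googledocs[.]docscloud[.]win",
]

# Assumed for the example: brand strings an impersonator would borrow, and the
# registrable domain under which the real service lives (docs.google.com).
BRAND_TOKENS = ("googledocs", "google")
LEGIT_DOMAINS = {"google.com"}


def refang(host: str) -> str:
    """Turn 'a[.]b' back into 'a.b' so it can be split into labels."""
    return host.replace("[.]", ".").strip(".").lower()


def registrable_domain(host: str) -> str:
    """Last two labels. Simplification: production code should consult the
    Public Suffix List so that 'example.co.uk' is not cut down to 'co.uk'."""
    return ".".join(host.split(".")[-2:])


def classify(host: str) -> tuple:
    """Return (hostname, registrable_domain, verdict) for one hostname."""
    h = refang(host)
    reg = registrable_domain(h)
    if reg in LEGIT_DOMAINS:
        return h, reg, "legitimate"
    # Labels to the left of the registrable domain (empty when h == reg).
    prefix_labels = [label for label in h[: -len(reg) - 1].split(".") if label]
    # Brand as a whole label on someone else's domain: the 'googledocs.<squat>' pattern.
    if any(label in BRAND_TOKENS for label in prefix_labels):
        return h, reg, "brand-label-on-foreign-domain"
    # Brand string embedded in the registered name itself (typo/combo-squatting).
    if any(token in reg.split(".")[0] for token in BRAND_TOKENS):
        return h, reg, "brand-in-registrable-label"
    return h, reg, "no-match"


def cluster_flagged(hosts) -> dict:
    """Group flagged hostnames by the domain that had to be registered for them."""
    groups = defaultdict(list)
    for host in hosts:
        h, reg, verdict = classify(host)
        if verdict not in ("legitimate", "no-match"):
            groups[reg].append(h)
    return dict(groups)


if __name__ == "__main__":
    groups = cluster_flagged(CAMPAIGN_HOSTS)
    print(f"{len(groups)} separately registered look-alike domains")
    for reg, hosts in sorted(groups.items()):
        print(f"  {reg}: {', '.join(hosts)}")
```

The registrable-domain count is the signal the paragraph above relies on: a single proof-of-concept needs one registration, whereas this list needs nine, each a separate purchase and a separate DNS setup, which is effort spent on scale rather than on illustration.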

It may be some time before the true motives of the phishing worm author are revealed; however, we are inclined to believe there is a very good chance that this campaign was developed with malicious intent, and that its execution snowballed quickly beyond the author’s desired scope.

Awareness isn’t the goal, it’s just the beginning

When people refer to PhishMe as the awareness company, we smile and nod. I want to correct them, but the label ‘security awareness’ is comfortable and relatable. One of the activities that organizations commonly believe will help reduce risk is mandatory security awareness computer-based training (CBT) lessons.  The hope is that if we enroll our humans in online courses about how the bad guys hack us, they will walk away with a wealth of new-found awareness and avoid being victimized.  (Try to visualize how far in the back of my head my eyes are rolling…)