2020 Phishing Email Attacks: 5 Predictions. 1 Pandemic. What Really Happened?

Last year, right about this time, we thought about the upcoming year and what we could expect to see from threat actors. We also had great hopes for leveraging the 20/20 Vision theme as we looked forward.  (I mean, how could we not tap into this theme with the launch of our own product appropriately named, Cofense Vision™ ?)  

And yet, here we are, looking back to determine how well we did with our predictions.  

#1 Surgical Ransomware Attacks. Attackers will continue to choose their targets carefully to reap big payouts. Last year, we saw ransomware targeting state and local governments, with ransom payments escalating. This year, we saw a shift in tactics used by threat actors, stealing data before encryption to ensure payment. In late October, we saw the U.S. authorities warn the healthcare industry with an alert of threat actors targeting the sector. Cofense quickly dug into the threat only to find the tactics were being used across multiple industry sectors. Read the Flash Alert post here.

😐 #2 Healthcare and Genetic Testing Companies Will be Rich Targets for Monetizing Data. Genetic testing companies will be the healthcare industry’s bullseye. While we missed the mark with this prediction, we did see some healthcare entities targeted in data breaches, along with genetic testing facilities. Perhaps this would’ve been different if the focus hadn’t shifted to another world health concern. 

 #3 Elite Attacks on Cryptocurrency. Protecting cryptocurrency will require humans and technology. With greater focus on the cryptocurrency market and increasing value, we anticipated this would be a rich target for threat actors looking to rob the virtual bank – either targeting the exchanges or the individuals. As recently as November, we heard about Liquid confirming their exchange had suffered an attack. 

❌ #4 Info-Warfare that Tests Human Intuition. Whether fraud-for-profit or fake news, expect info to be more weaponized than ever. Heading into the U.S. presidential election, there was much anticipation of a repeat of the 2016 chain of events, beginning with a phishing email. With a greater focus from many entities within the public sector, as well as social media sites being more diligent and exacting tighter controls, we didn’t see an impact this year – which is a positive!

 #5 SIM-Jacking Aimed at Cryptocurrency and More. These inside jobs are another way to jack consumers, including you. Near the end of last year, we started to learn of incidents where telecom employees were making a quick buck to perform a simple task of swapping out a SIM card in order to gain access to an individual’s cryptocurrency account. Without fail, with the value of cryptocurrency continuing to climb, we did indeed see more of this threat.

But we can’t talk about 2020 without a mention of this year’s black swan: the coronavirus pandemic. While nobody could’ve predicted the pandemic, it was certainly a theme that threat actors didn’t shy away from in their lures and tactics. When it came to phish related to COVID, threat actors elevated their credibility by spoofing many of the legitimate authorities the world trusted for news, from WHO to the CDC, while also targeting economic relief programs such as the U.S. Paycheck Protection Program (PPP) or UK HMRC.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. 

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Where Do Security Awareness Programs Belong on the Org Chart?

Part 3 of a 4-part series in support of National Cybersecurity Awareness Month. You can read part 2 here.

For this blog series on building a security awareness program, we started in week 1 with how to build a strategy. Last week we discussed how to select and use content in your overall program and specifically your phishing program. This week we’ll focus on program alignment – in other words, where does the security awareness role report within an organization?

While I was attending a security awareness conference in 2017, day 1 kicked off with a keynote that discussed the incident response process/program. The speaker had a couple of key points that resonated with me and have stuck. The first point was related to responding to your annual penetration test – do build your program to align with their findings, they will ALWAYS get in, it’s their job, etc. The second point was aligning your security awareness program to your incident response team.

Should you report to Training and Compliance or Incident Response?

Having spent a number of years in the security awareness role and networking with peers who have similar responsibilities, I can tell you that the reporting alignment is all over the place. Some report into the GRC department, some into the Learning or Training department (typically under the HR function), and some into the security program directly under the CISO. Some organizations will have a first line of defense – the teams with the tactical responsibility of defending against threats to the organization. They may also have a second line of defense – the teams that provide oversight or governance for the security program. This alignment tends to be more present in highly regulated industries.

You also find that security awareness professionals have varying experience and skillsets. You will see all these differences when you search for a job posting in security awareness – including the title. In some organizations the function may be a part-time job, just one of the many responsibilities assigned to the person sitting outside the CISO’s office. Other organizations have taken the time to build a robust program, making administration a full-time job – maybe even one that requires a team and a budget allowing the team to lower risk by addressing behaviors.

If you read part 1 of this series, you will recall the recommendation to go ask your Security Operations or Incident Response team about their top incident tickets. If your strategy is to address behaviors corresponding to REAL threats, then it stands to reason that the awareness function should be aligned as closely as possible to the department that responds to those threats. Here’s a visualization (purely an example) of the types of risks your program might address:

A robust security awareness program should include the resources – money and people – needed to make the program successful. If you have a compliance team that manages the regulatory and audit requirements, by all means, allow them to manage the annual training requirement for cybersecurity. Just make sure you’re able to review and provide input on the topics being covered, so the program aligns to the current threat landscape. When the auditors or regulators ask you about it, you’re covered.

Cybersecurity threats and behaviors are not black and white. They are constantly changing. Most cybersecurity frameworks and regulations simply state that you should have a security awareness program. Such statements are a little vague, but that’s a good thing. Without the constraints of specific elements – newsletters, posters, phishing annual training, squishy balls shaped like phish, stickers, a security awareness portal, etc. – you get to define what to include in your program, based on the threats and behaviors you need to address.

The metrics can help you find the right home.

One last item that helps decide where to position the security awareness role in the organization – metrics. When the role is aligned with the governance, risk management, and compliance side of the organization, metrics relate to completing the training or to how many users clicked a link or opened an attachment. When the role is aligned with the security program, metrics focus on end results like reducing risk and reducing time to contain an incident, which in turn leads to reducing time to remediate an incident. Instead of focusing on the number of clicks you would focus on reports: how many users reported the message, so the SOC can respond to and mitigate the attack.

Wherever your security awareness program lives within your organization, if you’re clear on the metrics you can communicate better. You can market the program and its goals to your business audience, translate technical/cybersecurity concepts in ways anyone can understand – and most importantly, tell people the actions you want them to take.

If you’re just getting started on building your security awareness program, there are plenty of free resources available to you when you’re on a shoestring budget:

See Awareness Resources

Recommended reading: If you’re looking to expand your knowledge on how to create powerful moments in your security awareness program, I suggest reading The Power of Moments by Chip Heath and Dan Heath.


Building a Security Awareness Program? Start with Strategy and Goals

Part 1 of a 4-part series on building and maintaining a security awareness program, in support of Cybersecurity Awareness Month. #BeCyberSmart 

I’ve been with Cofense for two and a half years now interacting with several groups internally, but there are plenty of moments when I still get to chat with Awareness professionals. It’s in these moments that I realize there’s still some passion for helping others with their programs. I wrote this series early in my first few months of joining the organization and find these are still the recommendations I provide to others building or maturing their programs. 

In 2011, I began my journey into security awareness. At that time, there were limited resources and most programs were still compliance focused. Even though I had previously spent five years in IT compliance, I knew this wasn’t the right approach to get users to learn or care about security. I kept telling the director who owned the role, “Compliance focus is wrong – you have to market to the users.”

Seven years later, I have a few tips to share about creating a security awareness program. The first tip might sound obvious, but how many times have you seen it ignored? Make sure you have a strategy. And while you’re strategizing, remember to set some goals. 

Ask your SOC for help. 

Before you can begin to build your program strategy, reach out to your Security Operations/Incident Response team. This team should be your best friend—and YOU will become theirs. They genuinely care about protecting your organization and you will be a breath of fresh air to them. But you will most likely need to remind them that they have the “Curse of Knowledge” (week-two book suggestion) and they don’t remember what it’s like not to know something. They’ve been doing technology and cyber too long to put themselves in the shoes of the user, so that’s where you step in. 

What to ask them? They have lots of data and metrics. They most likely can give you a number of high-risk incident categories that they track. What are the top two or three categories that ….? How much time does it take to remediate each of these incidents—for the user and the highly skilled technical staff?

Start simple. 

Once you have identified the top behaviors for your organization, you can now begin building a program by outlining strategy and goals. Remember that a strategy is a long-term plan, so don’t try to tackle every behavior in your first year. Start simple. Some behaviors may require further analysis.

 Let’s take browsing for instance. As you dig into the data, you find that users are able to open websites that have been categorized by your proxy filtering solution. You block the bad stuff—malicious, inappropriate content, gambling, etc. But what about those new websites, you know, the ones attackers like to host their malware on. Do you allow traffic to those websites? Most proxy solutions have a method for you to post a banner or warning to the user, letting them know a site has been blocked and why (it’s been categorized as malicious).

So, part of your strategy might be to leverage existing technology to stop users in their tracks. Another part could be to design a banner page explaining WHY a site is potentially bad, along with a way to gain access to and register for the site, so users can do business if they think the risk is low. 

It’s not training, it’s culture and behavior change.  

Security awareness programs over the years have been lumped into the “training” category. Don’t jump right to the “Let’s give them training” camp. Security Awareness is about a culture change, communicating the security posture of the organization. 

If your organization is regulated, you are required to provide annual mandatory training for security. The typical default for this training is a CBT module because it’s easy to track and demonstrate compliance. But don’t stop there. In order to influence change in behavior and culture, you need ongoing communications and content, not just once a year. This is where building a catalog of content and available resources is necessary. Build a portal where you can post newsletters, alerts and videos so your users come to you. Build a calendar of themes for the year, either by month or quarter, but allow for flexibility. This allows you to address new threats that affect your organization or industry. 

You can’t do this alone. Yes, you may be the only one officially assigned to this task, but building your informal network and team will help you get your program off the ground. First and foremost, find a senior leader to champion your program, someone who understands the value of the program and will go to bat with their peers. This will help build confidence in your program and make it more visible.

The next group you should befriend are your corporate communications and marketing teams. These groups typically hold the keys to getting your message out. That intranet page? Those teams control the content appearing above and below the scroll. 

Building a program takes time and resources. If those are limited, start small and grow as your program gains credibility. Use small wins to demonstrate value and then expand those resources. There are also plenty of free resources available to help get you started. 

Recommended reading: If you’re looking for more material on changing organizational behavior, I suggest getting a copy of SWITCH, How to Change Things when Change is Hard, by Chip Heath. 

Next week, part 2 will cover how to add the right content to your program.  

Why Join Us at Cofense Submerge? Here’s What Attendees Say

Next month in Orlando we’ll be hosting Cofense™ Submerge 2019, our fourth annual user conference and phishing defense summit. As we wrap up each event, we ask attendees for feedback. What did they like best? Networking and hearing other customers’ experiences are always the top responses. As a former customer who now works at Cofense, I totally agree.

Here are some of the answers we heard last year when we asked, “Why attend Submerge?” 

“Sharing ideas was tremendously helpful to me—having the opportunity to meet other people from a variety of industries doing the same thing that I do.” 

We’re all on this journey together, so the opportunity to meet industry peers is invaluable. If you’re new to getting your phishing defense program started, networking with peers can go a long way. If you’ve been running your program for a while and want to recharge it or find out about the latest in the phishing threat landscape, this is the place to get all that! You’ll be amazed how folks in different industries deal with the very same challenges. 

“I’ve taken tons of notes that will help me justify budget and take our program to the next level.” 

When you can take tidbits back to your boss, tips and tricks you can use immediately, that’s a good return on investment. Submerge 2019 offers nearly 30 sessions packed with practical information. Besides getting inspired about the future, you can apply what you learn right away. 

 “Substantive case studies provided by clients who had good program maturity.” 

Each year we hear from our attendees that they prefer sessions that are led by other customers. And when customers speak, we listen. This year, 80% of our sessions will be led by customers. The topics of our sessions this year range from phishing programs to technical incident response and threat intelligence. In most cases, the session leaders will be your peers, people that manage mature phishing defense programs. 

“Submerge is knowledge, security, and innovation.” 

This year’s sessions cover the gamut: trends in security awareness and incident response, a glimpse at our product road map, deep dives on topics like dealing with repeat clickers, and lots more. Not only do we have great sessions, but we have Kevin Mandia, FireEye CEO, providing insights into the incident response landscape.  

So, don’t just take our word for it—ask around and you’ll hear many more reasons to attend Cofense Submerge. Join us in Orlando, September 23-24!  



SMBs: 5 Ways to Avoid Becoming a Small Phish in a Big Pond

In the fall of 2016, I watched a good friend get her business ready for opening in her first retail space. She had previously run everything from her home and now she was entering a whole new phase. I observed her interactions during a few visits and she knew when I gave her that “look,” there was something that needed improving.

“What Wi-Fi network do you have your register assigned to in the shared retail space? You should put a password on that register device you’re using, so when you’re across the store someone can’t open your register.”

The best part of helping her set that device password was watching her millennial daughters return to the store and try to guess the password – listening to their theories on creation was most amusing.

Following are 5 ways you can protect YOUR small business from phishing and other cyber threats.

  1. Train Your Employees!

A majority of small businesses have fewer than 50 employees. Ensure your staff are trained on the basics of cybersecurity for their roles. There are a number of free (YES really free!) resources available online to provide the basics: phishing, passwords, internet browsing and data protection.

The number one threat that will impact your business is phishing. Start with the simple actions. Teach employees to diligently check links – hover to see the real destination. If they did click on that link, do they have someone to tell? What if it took them to a website asking for their username and password?  If there’s an attachment, did it come from a trusted sender – if so, were they expecting to receive that invoice or resume file?

In June this year, the FBI issued a warning about the dramatic increase in business email compromise (BEC), which results in financial loss for the business targeted. The BEC scam is a simple email from a fraudster masquerading as a legitimate business executive asking for funds to be wired. These messages are typically targeted to individuals in the organization that process invoices or payments.

With a small staff, it’s not always easy to build your processes to include segregation of duties. But having controls in place for releasing funds will not only protect you from insider theft, it will also reduce the potential for wire fraud from a random email spoofing your address to your finance team. If your business does become a victim, the FBI encourages you to report the incident.

Remember the Target breach? The malicious actors started with sending a phishing email to the HVAC maintenance technician – a small business.

  2. Get Cyber Insurance.

You have an insurance policy on your car to protect you if you’re in an accident. You purchase liability insurance to cover your risk, should you encounter an unforeseen disruption in your business. In order to protect your business from a security incident that could result in a data breach or business disruption, you should invest in a cybersecurity insurance policy.

  3. Invest in IT/Cybersecurity Services

Enlisting the help of your teenage nephew is great for setting up your new phone or laptop, but that’s not the best solution to support your growing business. There are plenty of managed service providers to contract support for your technology and cybersecurity needs. Tap into your local small business networks or professional sharing networks for recommendations.

  4. Protect your Online Business Accounts

I put it in the cloud! The cloud service offerings today are far more readily available and robust than even five years ago. Entering your credit card info to purchase a piece of the cloud is easy, but make sure you know what you’re putting where. Keeping an inventory of these services, along with the type of data you’re storing, is important if the service experiences a breach or an outage.

While it might be easy to use that same username and password across all your accounts, it only takes one data breach to put all these services at risk. Get a password vault to manage these accounts.

  5. Protect your Social Media Accounts

As a small business owner, your number one “go to” place for your marketing campaign is social media. Managing these accounts is critical to protecting your online identity. Who has access to post on your behalf? Limit who has access to the account. Review your profile settings to ensure you have the highest level of security enabled. If the provider allows you to enable two-factor authentication – ENABLE IT!

Learn what two-factor authentication is and how to enable it at https://www.lockdownyourlogin.org/

YOU can do this – small steps can make a BIG difference!

Whether your family business was handed down to you through generations, or you’re a new start up, or a nonprofit, small city, county, or community organization – you have intellectual property or personal data that you need to protect. And you have employees that need to take actions to support your business.

You built your business to live your dream; don’t let a malicious actor take that away from you! As you grow your business, make sure you grow your cybersecurity capabilities right along with it.

Hey! I know I’ve never talked to you before – but can you send some money – QUICK!

Business Email Compromise (BEC), also known as CEO Fraud, is a type of phishing email designed to impersonate an executive. In a BEC campaign, the “executive” urgently instructs an employee to wire money, sometimes lots of money, to a bank account. The FBI reports that BEC scams hit businesses to the tune of $12.5 billion annually.

What makes BEC campaigns different?

In a BEC attack, the weapon of choice is simple words. Instead of tricking people into clicking a malicious link or attachment, a BEC attack tries to lure recipients into taking action. The threat actor will spend time researching the organization, identifying execs whose high-priority messages would make employees respond ASAP.

Though this type of threat is fairly new in the phishing landscape, it is very successful. Actors have been able to make off with millions of dollars, using networks of mules to move the money back to the mothership.

In recent months, there has been a shift in the type of currency requested—gift cards. They’re easy to obtain and, if requested in smaller amounts, can go unnoticed but still add up. Researchers have also been doing their work, hunting these criminal groups with much success. Last summer the FBI announced the arrest of 74 fraudsters, all related to BEC. When an organization realizes it’s been hit with a BEC attack, it can reach out to the FBI, which will work with financial institutions to block the transfer of funds.

What can you do? A few tips.

I remember a few years back when this threat started to surface. I couldn’t help but think back to my days in finance and IT compliance, with a focus on Sarbanes-Oxley, and think about the controls breakdown BEC triggers. Here are some ways to KEEP control.

First and foremost, train your employees to be on the lookout for these types of messages. Secondly, implement controls within your payment process to require a secondary signature for release of funds. When I worked in the treasury department for a retail chain, there were many days I would have to walk to the Controller’s or CFO’s office to get a REAL signature on a check greater than $50,000 or a request for a direct wire. Also, look to the gateway controls and implement DMARC/DKIM as discussed in our previous blog post.

There is another control that is starting to become a best practice—tagging external messages in the subject line or message body and letting your employees know the message originated outside the organization. This tag is helpful in spotting BEC messages. Many times, executives or high value targets are reading their messages on mobile devices. The mail client on these devices doesn’t display the fully qualified email address, making it difficult to assess the validity of the message sender.
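The external-tagging control described above, as an added example that is not Cofense's code: a small gateway-style tagger that decides whether a message came from outside the organization (an unknown sender domain, or an internal-looking From address the gateway could not authenticate via DMARC) and prepends a tag to the subject and a banner to the body. The internal domain example.com, the Authentication-Results values and the three sample messages are all constructed for the example.

```python
"""External-sender tagger (added example, stdlib only)."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}   # assumed: the organization's own domain(s)
TAG = "[EXTERNAL]"
BANNER = ("CAUTION: this message came from outside the organization. "
          "Verify any payment or wire request by phone before acting.")


def sender(msg: EmailMessage) -> tuple:
    """Return (display name, real address) from the From header.

    A phone's mail client often shows only the display name, which the
    sender fully controls; tagging decisions use the address instead.
    """
    name, addr = parseaddr(str(msg.get("From", "")))
    return name, addr.lower()


def dmarc_verdict(msg: EmailMessage) -> str:
    """Extract the dmarc= result written by the gateway ('none' if absent)."""
    for header in msg.get_all("Authentication-Results", []):
        for clause in str(header).split(";"):
            clause = clause.strip().lower()
            if clause.startswith("dmarc="):
                return clause[len("dmarc="):].split()[0]
    return "none"


def classify(msg: EmailMessage) -> dict:
    """Decide whether the message is external and record why."""
    name, addr = sender(msg)
    domain = addr.rpartition("@")[2]
    dmarc = dmarc_verdict(msg)
    if domain not in INTERNAL_DOMAINS:
        external, reason = True, f"sender domain {domain!r} is not internal"
    elif dmarc != "pass":
        # Internal-looking From that the gateway could not authenticate:
        # the header may be spoofed, so treat it as external too.
        external, reason = True, f"internal domain but DMARC result is {dmarc!r}"
    else:
        external, reason = False, "internal domain, DMARC pass"
    return {"external": external, "reason": reason, "display_name": name,
            "address": addr, "dmarc": dmarc}


def tag(msg: EmailMessage) -> EmailMessage:
    """Prepend TAG to the Subject of an external message (idempotent)."""
    if classify(msg)["external"]:
        subject = str(msg.get("Subject", ""))
        if not subject.startswith(TAG):
            del msg["Subject"]
            msg["Subject"] = f"{TAG} {subject}".strip()
    return msg


def tagged_body(msg: EmailMessage) -> str:
    """Return the text body with the banner prepended for external mail."""
    body = msg.get_content() if msg.get_content_type() == "text/plain" else ""
    return BANNER + "\n\n" + body if classify(msg)["external"] else body


def parse(raw: str) -> EmailMessage:
    return email.message_from_string(raw, policy=policy.default)


# Constructed sample 1: genuine internal mail, authenticated by the gateway.
INTERNAL_MAIL = """\
From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Q3 vendor list
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/plain; charset="utf-8"

Attached is the updated vendor list.
"""

# Constructed sample 2: BEC-style lure from a lookalike domain; the display
# name is all a mobile client would show.
BEC_MAIL = """\
From: "Jane Doe (CEO)" <jane.doe@examp1e-corp.test>
To: ap@example.com
Subject: Urgent wire needed today
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e-corp.test; dkim=none; dmarc=none header.from=examp1e-corp.test
Content-Type: text/plain; charset="utf-8"

Are you at your desk? I need a wire sent before 3pm. Reply for details.
"""

# Constructed sample 3: From header forged to the real domain; DMARC fails.
SPOOFED_MAIL = """\
From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Urgent wire needed today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com
Content-Type: text/plain; charset="utf-8"

Can you process a quick transfer for me?
"""

if __name__ == "__main__":
    for raw in (INTERNAL_MAIL, BEC_MAIL, SPOOFED_MAIL):
        msg = tag(parse(raw))
        print(f"{str(msg['Subject'])!r:42} {classify(msg)['reason']}")
```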

A BEC sample:

The importance of tagging for viewing on a mobile device – mail client vs mobile:

If your organization becomes the victim of a BEC scam, report it quickly to help the authorities stop the funds from going through. Reporting also provides law enforcement with more information about the threat actor, which further helps to fight these crimes.

Learn more about phishing threats and protection in the Cofense State of Phishing Defense report.



When Sharing Isn’t Caring: Phishing Attacks Are Abusing File-Sharing Sites

Cofense™ has predicted continued growth in phishing attacks that abuse file-sharing services, for example, Google Docs or Sharepoint. In this post, I’ll examine why and how threat actors are doubling down on this tactic.

First, here’s the full prediction from Cofense threat analysts Nick Guarino and Lucas Ashbaugh:

“The majority of phish seen in the wild in 2019 will live in historically ‘trusted’ sharing services like Google Docs, Sharepoint, WeTransfer, Dropbox, Citrix ShareFile, and Egnyte. It’s difficult for these services to keep up with the constant barrage of varied phishing tactics (Whack-A-Phish, anyone?). In fact, the service providers can be really slow about staying on top of this stuff. Traditional security tools (firewalls, anti-virus) have no insight into the files housed on these services. As a result, it is incredibly difficult to protect users against these phish hiding in plain sight.”

Why is file-sharing a target? Because users trust these services.

In a recent post on credential phishing threats, we referenced the cloud as an attack surface. One of the emotional triggers that a threat actor will pull is trust. When users get an email pointing them to, say, Dropbox, there’s a greater likelihood they will engage with the message. These services have become trusted brands, so it’s only natural for a threat actor to leverage them.

It’s difficult for email gateway controls to block messages that link to these cloud-based services. Because the file is hosted outside the organization’s perimeter, traditional security solutions such as firewalls or anti-virus don’t have visibility. Threat actors are well aware of this fact, which is why they’ve been so successful with these types of campaigns.

User interaction is related to the business process.

We often see threat actors use generic messages as shown in the example below. In it, you won’t find any brands that would make the user more likely to interact with the message. The likelihood of user interaction is related to the business process presented—easily shared files.

This particular organization has URL defense protections enabled. It has also added tags to the message to alert the user that it is potentially harmful, since it originated outside the organization. These additional defenses can be helpful, but they make it difficult for the user to assess if the URL is legitimate.

One thing you can do: focus your phishing defense program on current threats, like attacks that abuse file-sharing. Teach users to identify phishing emails that link to file-sharing sites and condition them to ask questions before replying, for example:

  • “Am I expecting to receive an invoice from the sender?”
  • “Does my job normally require me to process invoices from unknown sources?”
  • If yes, “Does our business process require the finance teams to validate that an invoice or purchase order is expected or legitimate?” This might be possible in a smaller organization where teams interact with each other more frequently, however, it’s most likely not the case in larger, more diverse organizations.

To repeat, as long as these types of attacks are successful, we will continue to see them near the top of the phishing charts.

View all 6 Cofense phishing predictions for 2019.



Expect Credential Phishing to Continue Surging in 2019

“Hackers don’t need to break in, they only need to log in.” This was a quote mentioned at a conference I attended last December and which I repeated in an e-book Cofense™ recently published, 6 Phishing Predictions for 2019. My prediction was that hackers will continue to go full bore with credential phishing, emails that specifically ask for username and password.  
