This blog was written by an independent guest blogger.
In recent years the outbreak and spread of COVID-19 have left many people with fears and questions. With various medical opinions, news outlets spreading varied statistics, case number and death reports, and safety recommendations that varied between countries, states, cities, and individual businesses, people often felt desperate for information.
The combination of these factors created an environment in which phishing attempts were easily successful, targeting the population by using the World Health Organization’s (WHO) name as a cover. Phishing attempts, particularly those delivered by email, are common, and they are unfortunately also frequently successful.
With a growing dependency on technology, most organizations rely heavily on email communications both internally and externally. While the growing use of technology has increased convenience and efficiency, it has also increased security risk. In fact, in 2020, 75% of organizations around the world reported having experienced a phishing attack within the year, and 74% of those attacks within the United States were reported to have been successful.
While targeted businesses vary in size and security, large government organizations with adequate phishing education and training are no exception. In the wake of the COVID-19 outbreak, WHO experienced many phishing attempts that used email to target people and prey on their need for information and fear of the virus. The phishing attempts were numerous enough to warrant a warning to the public. On May 20th 2020, WHO implemented DMARC on who.int to combat phishing and domain impersonation.
WHO announced the various email phishing attempts and provided guidance on how to avoid a breach at https://www.who.int/about/cyber-security. Providing guidance, such as how to verify an email address as legitimate, and warning against sharing personal information, WHO took responsibility for the original wave of phishing attempts and with the rapid implementation of DMARC, who.int was able to prevent a large percentage of any subsequent attempts.
While phishing attempts cannot be completely eliminated, there are several settings and tools that can help organizations like WHO better defend against the use of their domain in phishing e-mails and the data breaches that follow.
A tool that WHO used to prevent many of the later phishing attempts and subsequent data breaches is Domain-based Message Authentication, Reporting, & Conformance, or DMARC. While DMARC does not completely prevent phishing attempts, it does provide increased protection: it builds on the SPF and DKIM authentication checks, requires the visible From: domain to align with the domain those checks authenticated, tells receiving mail servers what to do with mail that fails (none, quarantine, or reject), and sends the domain owner reports about who is sending mail in its name. DMARC can be a powerful tool in preventing phishing sources from sending spoofed emails that mirror those of the targeted organization, making phishing attempts easier to recognize or blocking them from reaching the recipient’s inbox at all.
While WHO provided a published warning about the phishing attempts and largely remedied the issue and implemented DMARC on May 20th 2020, some say it may have been too late. Information in these publications may have failed to be properly accessed and understood by those that often fall prey to phishing attempts, or otherwise may not have reached the intended audience before data breaches occurred. This method of notification is reactionary rather than preventative. Considering the size, scope, and importance of the WHO, particularly in regard to a public health crisis such as COVID-19, DMARC is the right choice to take preventative measures against any future phishing attempts.
Unfortunately, phishing has progressed to a level at which the attempts often cannot be distinguished from a legitimate message from the targeted organization. The frequency of these attacks, as well as their success, has created an environment in which cybercriminals have honed their ability to mirror official messages and notifications with little to no indication of foul play.
For example, a phishing email may use the organization’s exact email layout and originate from a sender address that mirrors an official one, or from an unauthorized sender using a real official address within the organization. Without knowledge of an organization’s policies, such as WHO’s policy of never asking for credentials, targets may fall prey to messages that closely mirror authentic communications. This is particularly the case when these spoofed emails use scare tactics that demand quick action or a click to download, each of which is easily incorporated into COVID-19 communications.
Further, even with this knowledge individuals may fall prey to phishing attempts in the case that the email utilizes official but unauthorized means. Therefore, while WHO followed protocol by announcing their awareness of the phishing attempts and attempting to educate users on phishing prevention methods, prior to May 20th 2020, they failed to provide initial protections for their recipients and their organizational safety.
To provide adequate protection, WHO has implemented DMARC in addition to the published prevention methods and warnings. While education of employees, stakeholders, and the public is vital, prevention methods such as DMARC increase the overall security posture of WHO by decreasing the receipt of phishing attempts and therefore decreasing the likelihood of data breaches.
Within a health organization that provides vital information in an environment that is both changing and serious, it is important to provide both reactionary and preventative measures to decrease the overall likelihood of data breaches affecting the organization, its employees, and the individuals relying on it for guidance and information. WHO was successful in publishing reactionary information and warnings, and it quickly moved to implement DMARC, which led to the elimination of many future phishing attempts and domain impersonation.
Update: Mr. Flavio Aggio, World Health Organization’s Chief Information Security Officer, reached out to the author to provide the date on which DMARC was rolled out on who.int.