From September 2019 to April 2021, Palo Alto Networks' Unit 42 monitored firewall traffic and phishing sites detected by URL filters. The number of new phishing pages added each week increased significantly as individuals started working from home.

Threat actors enhanced and intensified their phishing attacks by exploiting remote work environments where employees were not protected by corporate firewalls. Cybersecurity experts saw a sudden and significant drop in traffic between March and April 2020 as COVID spread across the US, forcing companies to switch to remote working.

The education and high-tech sectors saw the largest decreases in traffic over this period: education (a 46% decrease), most likely due to school closings, and high tech (a 35% decrease), likely because more people were working from home and had limited knowledge of cybersecurity best practices.

Overall, almost every industry surveyed saw a significant decrease in URL filter traffic of around 30% or more. According to the researchers, new phishing URLs showed an early rising trend, starting around February 2020 and peaking in June 2020.

A survey of the industries targeted by phishing found that the following sectors were most affected: telecommunications and high tech, agriculture, education, government, local government, transportation, logistics, media and entertainment, professional and legal, wholesale and retail.

Unit 42 makes the following recommendations to better protect yourself against phishing attacks:

  • Use caution when clicking links or opening attachments in emails sent from suspicious sources, especially those relating to personal information or account settings.
  • When an email feels urgent, resist the urge to do what it says right now.
  • If you have questionable emails in your inbox, check the sender address.
  • Before entering your credentials, check the URL and security certificate on any website.
  • Report suspicious phishing attempts to your company’s IT or InfoSec.