When it comes to reducing anxiety, cannabidiol (CBD) has become the new go-to product of choice for millions of people, but hackers are exploiting this trend: instead of curing stress, CBD has inspired a phishing scam that does the exact opposite.
Vade has identified CBD-themed phishing attacks in three languages. Each of the threat samples uses remote images, random URLs, lagging links, and content activation to avoid detection. Over the past three months, Vade has found 4,700 unique phishing emails targeting Microsoft 365 business users in the United States and 11,000 in France in this wave alone.
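Two of the evasion tricks listed above, remote images and randomized URLs, leave traces that a mail filter can check for before a message reaches the inbox. The following is an added illustration, not Vade's detection logic and not code from the report: it parses a constructed CBD-lure email, lists externally hosted images (including 1x1 tracking pixels) and flags links whose path contains a long, high-entropy token of the kind used to give every recipient a unique URL. The sample message, the entropy threshold and the `example.invalid` hosts are all assumptions made for the example.

```python
"""Flag remote images and randomized URL tokens in a raw RFC 822 message.
Added example for illustration; the sample email below is constructed and
is not one of the phishing samples described in the report."""
import email
import math
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure: a remote tracking pixel plus a per-recipient link
# whose last path segment is a random token.
SAMPLE_EMAIL = """\
From: "Wellness Offers" <offers@example.invalid>
To: employee@example.invalid
Subject: Your free CBD oil sample is waiting
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Claim your 100% natural CBD oil reward today.</p>
<img src="http://cdn.example.invalid/track/open.gif" width="1" height="1">
<a href="http://promo.example.invalid/go/x8Fq2LpZ9vTb3kWm7Hs">Claim reward</a>
<a href="https://www.example.invalid/about">About us</a>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect <img src> and <a href> values from the HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []   # (src, is_pixel)
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            is_pixel = a.get("width") == "1" and a.get("height") == "1"
            self.images.append((a["src"], is_pixel))
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def segment_entropy(s):
    """Shannon entropy (bits per character) of a string."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def looks_randomized(url, min_len=12, min_entropy=3.5):
    """True if any path segment is long and high-entropy (assumed thresholds)."""
    for seg in urlparse(url).path.split("/"):
        if len(seg) >= min_len and segment_entropy(seg) >= min_entropy:
            return True
    return False


def analyze(raw):
    """Return remote images, tracking pixels and randomized links found."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    parser = _LinkCollector()
    parser.feed(html)
    remote = [(src, px) for src, px in parser.images
              if src.lower().startswith(("http://", "https://"))]
    return {
        "remote_images": [src for src, _ in remote],
        "tracking_pixels": [src for src, px in remote if px],
        "random_urls": [u for u in parser.links if looks_randomized(u)],
        "links": parser.links,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Remote images let the sender confirm that a mailbox is live and keep the lure's content off the message body, and unique URL tokens defeat simple blocklists of known bad links; both signals are cheap to compute at the gateway and are worth combining with sender-reputation checks rather than used alone, since legitimate newsletters also use tracking pixels and per-recipient links.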
While CBD phishing scams are not new, they have been on the rise in recent months. At the start of the COVID-19 pandemic, email scammers took their tactics a step further and sent COVID-related mass texts to Americans, one of which promoted CBD oil as a potential remedy for the virus. One of those emails offered bogus rewards, including 100% natural CBD oil. A year later, Vade uncovered a million COVID vaccine phishing emails containing Moderna and Pfizer survey scams, with the primary purpose of obtaining money from victims.
Last November, crooks took to social media to falsely portray English broadcaster and natural historian Sir David Attenborough as the spokesperson for CBD oil. Earlier this year, the Australian medicinal cannabis company Cann Group lost millions in a business email compromise (BEC) attack. Needless to say, CBD is a hot topic among hackers and is often used as clickbait.
The most recent scams show that phishers continue to play on people’s fears and deliver bogus promises to trick victims into clicking dangerous links or downloading malicious files. What makes this wave of attacks particularly grim is that many people use substances derived from cannabis as alternative medicine and sometimes rely on them for long-term illnesses and chronic pain.
While these emails target individuals on a personal level, the messages are sent to Microsoft 365 users in business, hitting employees in the workplace where stress is common. Business owners need to combine strong email defenses with user awareness training programs. However, approaching it the right way can be a challenge.
Phishing training programs, including simulations, have been shown to slightly reduce click-through rates on simulated phishing emails, but have little effect on lowering click-through rates on real phishing emails. This could be due to the forgetting curve, which postulates that people who do not meaningfully use what they have learned forget 50-80% of the material in just two days. This has led to more gamified phishing simulations that harness AI to create an immersive and interactive experience.
What does all this mean for the future of phishing attacks? On the one hand, we can expect to continue to see social engineering attacks plague email inboxes, preying on the emotions of individuals for personal and monetary gain, whether the lure is CBD, love, vaccine surveys, or other weak spots. Additionally, while phishing awareness training is common in mature organizations and is a popular service offering among MSPs, generic phishing simulations are not a one-size-fits-all solution to preventing users from clicking.
If you can’t remember anything else, remember this: It only takes one careless click for hackers to gain access to a network and cause serious damage. Once that happens, no amount of CBD can ease the financial and reputational hardships of a successful hack.