When it comes to reducing anxiety, Cannabidiol (CBD) has become the new go-to product for millions of people, but as hackers tap into this trend, instead of curing stress, CBD has inspired a phishing scam that is doing just the opposite.
Vade identified CBD-themed phishing attacks in three languages. Each of the threat samples leverages remote images, randomized URLs, delayed links and content activation to avoid detection. In the last three months, Vade found 4700 unique phishing emails targeting corporate Microsoft 365 users in the US and 11,000 in France in this wave alone.
While CBD phishing scams are not new, they have been picking up steam in recent months. At the beginning of the COVID-19 pandemic, email scammers took their tactics one step further and sent out mass COVID-related text messages to Americans, one of which promoted CBD oil as a potential cure for the virus. One such email offered fake rewards, including 100% natural CBD oil. A year later, Vade uncovered one million COVID vaccine phishing emails containing Moderna and Pfizer survey scams, with the primary goal of obtaining money from victims.
This past November, scammers took to social media to wrongly portray English broadcaster and natural historian Sir David Attenborough as a spokesperson for CBD oil. Earlier this year, Australian medicinal cannabis company, Cann Group, lost millions in a business email compromise (BEC) attack. Needless to say, CBD is a hot topic among hackers and is often used as clickbait.
"The most recent scams signify that phishers continue to play on individuals' fears and deliver false promises to trick victims into clicking on dangerous links or downloading malicious files"
The most recent scams signify that phishers continue to play on individuals’ fears and deliver false promises to trick victims into clicking on dangerous links or downloading malicious files. What makes this wave of attacks particularly sinister is that many people use cannabis-derived substances as alternative medicine and sometimes rely on them for long-term illnesses and chronic pain.
While these emails target individuals at the personal level, the messages are sent to corporate Microsoft 365 users, hitting employees in the workplace where stress is common. Business owners must combine strong email defenses with user awareness training programs. However, approaching this in the right way can be a challenge.
Phishing training programs, including simulations, are shown to slightly reduce click rates on simulated phishes but have little effect on lowering click rates on real phishing emails. This could be due to what’s known as the curve of forgetting, which posits that people who do not use what they’ve learned in any significant way forget 50%-80% of learned material in just two days. This has led to more gamified phishing simulations that leverage AI to create an immersive and interactive experience.
What does this all mean for the future of phishing attacks? For one, we can expect to continue to see social engineering attacks plague email inboxes, preying on individuals’ emotions for personal and monetary gain, whether it be around CBD medication, love, vaccine surveys or other soft spots. Furthermore, while phishing awareness training is common in mature organizations and a popular service offering among MSPs, generic phishing simulations are not a singular solution for preventing users from clicking.
If you remember nothing else, remember this – it only takes one careless click for hackers to gain access to a network and do serious damage. Once this happens, no amount of CBD can ease a successful hack’s financial and reputational pain.