NASA Phishing email attack (2020) – Avoiding dodgy links is hard

What is Phishing and Spear Phishing

Phishing is when criminals steal confidential information by sending fraudulent messages. Sometimes a phishing message convinces you to reveal passwords. Other times, it tricks you into installing malware (e.g. ransomware or keyboard loggers) [1]. Spear phishing scams target businesses by using information specific and unique to a company [2], often containing cues that make the message seem authentic. Sometimes, phony messages are good enough to fool even trained professionals [3].

Harder than rocket science? Even NASA employees click on malicious links!

In April 2020, NASA said a “new wave of cyber-attacks is targeting [staff], […working] from home, during the … COVID-19 outbreak”. [4] Amazingly, staff clicked on malicious links in emails twice as often as before the lockdown [5].

Also, during the outbreak, GitLab ran a security exercise on its remote workforce. GitLab provides technical services to software developers. The security test found that one third of participating staff clicked on fake links. Worse, the test convinced around 20% of staff to fill in a false login form. [6]

If people who work for NASA and GitLab find this hard, how can regular businesses get this right?

Evidence suggests that employees click on fake emails more often than you’d expect. While no definitive data exist, estimates range from 3.4% to a whopping 45% for click rates on targeted phishing emails. [6]

Effects are close to home

NASA and GitLab may seem like they are from a galaxy far, far away, but scams also target Australians. [7] My clients have received an increase in targeted phishing emails during COVID-19. Other cyber-security professionals I’ve spoken to report a similar rise in phishing.

Even so, what’s the best advice?

  • Be sceptical of unknown emails, especially ones containing attachments or clickable links.
  • Assume your antivirus and anti-phishing software is not working. This assumption means not opening email attachments from someone you don’t know; or not clicking on links that you can’t verify as authentic. If your business needs to receive attachments from unknown sources regularly, seek advice.
  • Consider restricting the types of files allowed into your organisation. For example, you can ask your IT staff to block executable files or scripts – which often contain malware.
  • Verify high-stakes transactions regularly. For example, if you get an email to do a money transfer, verify it via phone before taking any action.
  • Most importantly, train and test your employees on how to avoid phishing emails. You can do this by talking with your cyber-security provider. Notion Digital Forensics can provide employee testing and training, especially during this time.
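
The file-type restriction suggested above can be checked at the mail gateway. The following Python sketch is an added example, not part of the original article: it rejects attachments by final extension and also by content, so a renamed executable is still caught. The blocklist, function names and sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
import os

# Assumed blocklist for illustration; tune it to your own mail policy.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd",
                      ".js", ".vbs", ".ps1", ".hta", ".jar"}
MZ_MAGIC = b"MZ"  # first two bytes of a Windows executable


def blocked_attachments(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for each attachment the policy would reject."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        # Only the final extension counts, so "invoice.pdf.exe" is caught.
        ext = os.path.splitext(name.lower().rstrip(". "))[1]
        payload = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS:
            findings.append((name, f"blocked extension {ext}"))
        elif payload.startswith(MZ_MAGIC):
            # Renamed executables: check the content, not only the name.
            findings.append((name, "executable content under another name"))
    return findings


def build_sample() -> bytes:
    """Constructed sample message; all names and contents are made up."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "staff@example.org"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please see attached.")
    samples = [
        (b"%PDF-1.4 sample", "pdf", "report.pdf"),
        (b"MZ\x90\x00 sample", "octet-stream", "invoice.pdf.exe"),
        (b"MZ\x90\x00 sample", "pdf", "statement.pdf"),
        (b"WScript.Echo(1)", "javascript", "notes.JS"),
    ]
    for data, subtype, filename in samples:
        msg.add_attachment(data, maintype="application",
                           subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in blocked_attachments(build_sample()):
        print(f"REJECT {name}: {reason}")
```

A check like this complements, rather than replaces, the other advice in the list: archives, macro-enabled documents and links are not covered by it.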


  1. Lab, K. What is Spear Phishing? Kaspersky Lab Resource Centre 2020 [cited 2020 17 April 2020]; Available from:
  2. Australian Consumer and Competition Commission, Whaling & spear phishing, Editor., Australian Consumer and Competition Commission: Australia.
  3. Australian Cyber Security Centre, Phishing, Australian Cyber Security Centre, Editor., Australian Government: Australia.
  4. NASA IT Department (claimed), NAIO. NASA CIO Agencywide Memo: Alert: Cyber Threats Significantly Increasing During Coronavirus Pandemic. SpaceRef 6 April 2020 [cited 26 May 2020]; Available from:
  5. Goodin, D. NASA sees an “exponential” jump in malware attacks as personnel work from home. Ars Technica 7 April 2020 [cited 14 April 2020]; Available from:
  6. Claburn, Thomas. To test its security mid-pandemic, GitLab tried phishing its own work-from-home staff. 1 in 5 fell for it. The Register 21 May 2020 [cited 26 May 2020]; Available from:
  7. Borys, S. Cyber attacks on Australian businesses on the rise but experts not blaming state actors. ABC News 2020 15 May 2020 [cited 2020 26 May 2020]; Available from:

Important note on general advice

I am a cyber security specialist, but I may not be YOUR cyber security specialist. 

All cyber-security and digital forensics decisions require careful consideration of your own circumstances and risks. General information is not tailored to your individual needs. You should seek the advice of a suitably qualified cyber-security or digital forensics specialist.