Unfortunately, as employees adapt to the huge changes brought on by COVID-19 and social distancing, there are those who have sought to exploit the situation for their own gain.
According to a recent Mimecast report, email-borne impersonation fraud attacks increased by 30 per cent amongst firms surveyed in the first 100 days of the COVID-19 pandemic. Also known as ‘phishing’, this method involves infiltrating systems by replicating known authentication processes and tricking users into handing over their login credentials. Phishing is both highly effective and hugely disruptive, with 82 per cent of firms having experienced downtime as the result of an email attack.
Phishing is often conducted on a mass scale, with victims targeted indiscriminately, but it can also be highly targeted. This was the case in Germany recently, where attackers targeted the national government's private sector task force commissioned to leverage international contacts to obtain medical equipment for healthcare providers treating COVID-19 patients.
As organisations begin to return staff to old work settings, with social distancing still imperative, many will still need to keep employees spread across remote and office environments. Company devices switching between enterprise networks and home broadband is just one of the major cyber hygiene challenges that can undermine business resilience. During this time, it is imperative that all remote workers are aware not only of how a phishing attack works, but also of the impact that phishing can have on an organisation’s reputation, its bottom line and, crucially, its business continuity. Here are some key pieces of advice for staying secure under these circumstances.
How phishing attacks prey on isolated users
The anatomy of an effective phishing attack is rooted more in social engineering than technology. Phishing messages try to trick individuals into taking an action, such as clicking on a link or providing personal information, by presenting scenarios of financial gain or financial consequences, the threat of work disruption, or something that plays on personal panic.
However, phishing messages typically have tell-tale signs that can – and should – give users pause. Attempts to obfuscate the sender, poor spelling and grammar, and malicious attachments are a few of the classic signs that the message is not genuine.
Phishing attack messages that have the highest response rates are often related to time-bound events, such as open enrolment periods or satisfaction surveys. Some other common phishing message themes include unpaid invoices, confirming personal information and problems with logins.
Before acting, think about what is being asked. For example, phishing attacks may take advantage of the fact that many workers are currently anticipating updates from their employers about returning to the workplace. The email may ask users to log in to a new system designed to allocate socially distant spaces within the workspace upon their return. This tactic exploits the user’s often unconscious confirmation bias, not only impersonating their employer but also taking advantage of their expectations around returning to work and acknowledgement of social distancing.
If staff are unsure whether a message might be malicious, encourage them to ask a colleague or the IT team to analyse the message (including the full Simple Mail Transfer Protocol (SMTP) header information, not just the sender name and subject shown in the mail client).
Pretexting and issues around cyber insurance policies
Attackers often attempt to impersonate a known person or entity to obtain private information or to carry out an action. This is also known as pretexting, and is commonly executed by crafting a fraudulent email or text message to execute an action that is not part of the standard process.
One example is calling the service desk and pretending to be a valid user to get a password reset. Another ruse attackers frequently take advantage of is an out-of-band wire transfer or an invoice payment for a critical vendor. Small companies have traditionally been the targets, but larger companies are increasingly being targeted.
Organisations must understand that pretexting is considered fraud and is often not covered by cyber insurance policies. Therefore, it’s critical that organisations design effective business processes with oversight so there are no single points of approval or execution, and stick to them. While it may be tempting to bypass processes, such as accounts payable or IT procurement, businesses can’t afford to let their guard down – especially when large numbers of workers are logging on remotely as is the case for so many today.
How to educate users on phishing
Phishing is often discussed within the cyber security space, but the conversations typically lack intent and rigour.
The common compliance measure usually involves in-person or virtual annual training, along with some other method of education, such as hanging posters around the workplace. This approach pre-dates highly connected computing environments and doesn’t address the urgency needed for the current threat landscape or pattern of working experienced by so many in 2020.
Organisations must conduct security awareness education with the same decisiveness and gravity that other industries do with safety training. For example, it’s not uncommon for drivers in the commercial trucking and transport sector to take monthly training modules, or for managers to participate in quarterly safety meetings.
The imperatives of resilience and continuity as we enter the ‘new normal’
Organisations need to be proactive about cyber hygiene. The move to large-scale remote work has left many organisations more vulnerable than ever before, and bad actors are out to take advantage of the chaos. By paying attention to the signs, looking out for pretexting and emphasising regular training, companies can better fend off the surge in phishing attacks.
Investing time and resources into regularly training and educating staff on information security awareness and current cyber threats is critical in building resilience into remote working. A data-compromising cyber attack could be just around the corner, so it’s imperative to establish plans and capabilities that reduce risk and prevent data loss, leakage or offline systems from disrupting business continuity.
Richard Hahn, Consulting Manager, Sungard Availability Services