While organisations have endeavoured to adapt to the huge changes brought on by the coronavirus pandemic, there has been an increase in cyber attackers looking to exploit the situation for their own gain. These were the findings of a recent Mimecast report, which found that email-borne impersonation fraud attacks increased by 30 per cent in the first 100 days of the COVID-19 pandemic.
This is phishing: the attacker mimics a familiar process, such as a login page, a password-reset notice or an invoice, to trick users into handing over their login credentials or taking an action, and then uses what they obtain to get into systems. It ranges from mass campaigns in which targets are chosen indiscriminately to narrowly targeted ones (spear phishing). For example, attackers recently targeted the German government’s private sector task force commissioned to obtain medical equipment for healthcare providers treating COVID-19 patients with a high-profile phishing campaign.
With social distancing in place, many organisations are beginning to return employees to their former workplace environments. However, many will still need to keep employees spread across remote and office environments. During this time, it is imperative that all remote workers are aware not only of how a phishing attack works, but also the impact that phishing can have on business resilience overall. Here are some core priorities for organisations to observe to stay secure in the future.
How phishing works
The anatomy of an effective phishing attack is rooted more in social engineering than technology. Phishing messages try to trick individuals into taking an action, such as clicking on a link or providing personal information, by offering scenarios of financial gains or ramifications, or the potential of work disruption or playing into personal panic.
However, phishing messages typically have tell-tale signs that can – and should – give users pause. Attempts to obfuscate the sender (a display name that does not match the actual address, a lookalike domain, a Reply-To that points somewhere else), poor spelling and grammar, and unexpected or executable attachments are a few of the classic signs that the message is not genuine.
Be aware of ‘pretexting’
Attackers often impersonate a known person or entity to obtain private information or to have the victim carry out an action. This is known as pretexting, and is commonly executed by crafting a fraudulent email, text message or phone call that asks the recipient to do something outside the standard process.
One example is calling the service desk and pretending to be a valid user to get a password reset. Another ruse attackers frequently take advantage of is an out-of-band wire transfer or an invoice payment for a critical vendor. Small companies have traditionally been the targets, but larger companies are increasingly being targeted.
Organisations must understand that pretexting is considered fraud and is often not covered by cyber insurance policies. Therefore, it’s critical that organisations design business processes with oversight, so that no single person can both approve and execute a payment, account change or password reset, and then stick to those processes.
While it may be tempting to bypass processes, such as accounts payable or IT procurement, businesses can’t afford to let their guard down – especially when large numbers of workers are logging on remotely as is the case for so many today.
The roles of change, uncertainty and user isolation
Phishing attack messages that have the highest response rates are often related to time-bound events, such as open enrolment periods or satisfaction surveys. Some other common phishing message themes include unpaid invoices, confirming personal information and problems with logins.
Before acting, think about what is being asked. For example, phishing attacks may take advantage of the fact that many workers are currently anticipating updates from their employers about returning to the workplace. The email may ask users to log in to a new system designed to allocate socially distant spaces within the workspace upon their return. This tactic exploits the user’s often unconscious confirmation bias, not only impersonating their employer but also taking advantage of their expectations around returning to work and acknowledgement of social distancing.
If staff are unsure whether a message is malicious, encourage them to ask a colleague or the IT team to analyse it, including the full message headers rather than just the displayed sender: the Received chain, the Return-Path and Reply-To addresses, and the Authentication-Results line in which the receiving mail server records the SPF, DKIM and DMARC outcomes.
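The header-level checks described here and the tell-tale signs listed under “How phishing works” can be automated for first-line triage. The script below is an added example, not code from the original article or from Mimecast; it uses only the Python standard library, and the trusted domain, the two sample messages and the keyword lists are constructed for the example. It parses a raw message, compares the visible display name with the real sender address, checks that Reply-To and Return-Path stay on the sender’s domain, undoes common homoglyph swaps to spot lookalike domains, reads the SPF/DKIM/DMARC results the receiving server recorded, and flags risky attachment types and pressure language.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed for the example: the domain this hypothetical organisation sends from.
TRUSTED_DOMAINS = {"example.com"}
# Attachment types that commonly carry malware in phishing campaigns.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}
# Pressure phrases typical of lures that play on panic or "problems with logins".
URGENCY_TERMS = ("urgent", "immediately", "suspended", "verify your", "within 24 hours")


def domain_of(header_value):
    """Lowercase domain of the first address in a header value ('' if none)."""
    _, address = parseaddr(str(header_value))
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None.
    Undoes usual homoglyph swaps (1/l, 0/o, rn/m, vv/w) and ignores hyphens,
    so examp1e.com, exarnple-hr.net and example-login.com all map to example.com."""
    if not domain or domain in trusted:
        return None
    normalised = (domain.replace("1", "l").replace("0", "o")
                  .replace("rn", "m").replace("vv", "w").replace("-", ""))
    for candidate in sorted(trusted):
        if candidate.split(".")[0].replace("-", "") in normalised:
            return candidate
    return None


def triage(raw):
    """Parse a raw RFC 5322 message and return a list of (code, detail) findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    from_header = str(msg.get("From", ""))
    display_name, _ = parseaddr(from_header)
    from_domain = domain_of(from_header)
    # 1. Obfuscated sender: the visible name carries an address that is not the real one.
    if "@" in display_name and domain_of(display_name) != from_domain:
        findings.append(("display_name_mismatch", display_name))
    # 2. Replies or bounces are routed to a domain other than the claimed sender's.
    for header in ("Reply-To", "Return-Path"):
        other = domain_of(msg.get(header, ""))
        if other and other != from_domain:
            findings.append((header.lower().replace("-", "_") + "_mismatch", other))
    # 3. The claimed sender domain imitates one of ours.
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(("lookalike_domain", f"{from_domain} imitates {imitated}"))
    # 4. Results the receiving MX recorded; anything other than 'pass' is a finding.
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.IGNORECASE):
        if result.lower() != "pass":
            findings.append((f"{method.lower()}_{result.lower()}", auth.strip()))
    # 5. Attachment types that should never arrive unannounced.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if any(name.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append(("risky_attachment", name))
    # 6. Pressure language in the subject or the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [term for term in URGENCY_TERMS if term in text]
    if hits:
        findings.append(("urgency_lure", ", ".join(hits)))
    return findings


# Constructed sample: a return-to-work lure of the kind described above.
SAMPLE = b"""\
Return-Path: <bounce@mailer-example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-example.net;
 dkim=none; dmarc=fail header.from=examp1e.com
From: "IT Service Desk <helpdesk@example.com>" <notify@examp1e.com>
Reply-To: helpdesk@mail-example.net
To: staff@example.com
Subject: URGENT: verify your login for the new seat allocation system
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Your account will be suspended unless you verify your login today.
--b1
Content-Type: application/octet-stream; name="SeatAllocation.xlsm"
Content-Disposition: attachment; filename="SeatAllocation.xlsm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample: a legitimate internal notice, for comparison.
CLEAN = b"""\
Return-Path: <helpdesk@example.com>
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass header.from=example.com
From: IT Service Desk <helpdesk@example.com>
To: staff@example.com
Subject: Seat booking guide for the office return
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Please read the desk booking guide on the intranet before you come in.
"""

if __name__ == "__main__":
    for code, detail in triage(SAMPLE):
        print(f"{code:24} {detail}")
    print("clean message findings:", triage(CLEAN))
```

The checks are deliberately cheap and header-only, so the same function can run on messages exported from a mail client or pulled from a quarantine. Authentication-Results is only trustworthy when it was written by your own receiving server (the `mx.example.com` authserv-id here); an attacker can add a fake one upstream, so a production version should strip any such header not stamped by the organisation’s own MX before parsing.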
Employee education is key
Phishing is often discussed within the cybersecurity space, but the conversations typically lack intent and rigour.
The common compliance measure usually involves in-person or virtual annual training, along with some other method of education, such as hanging posters around the workplace. This approach pre-dates highly connected computing environments and doesn’t address the urgency needed for the current threat landscape or pattern of working experienced by so many in 2020.
Organisations must conduct security awareness education with the same decisiveness and gravity that other industries do with safety training. For example, it’s not uncommon for drivers in the commercial trucking and transport sector to take monthly training modules, or for managers to participate in quarterly safety meetings.
Maintaining business resilience in the ‘new normal’
The need for organisations to be proactive about cyber hygiene is higher than ever. As organisations gradually transition into the new normal, bad actors will continue to take advantage of the situation. By looking out for pretexting, paying attention to the signs, and emphasising regular training, companies will be better positioned to fend off a renewed surge in phishing attacks.
In particular, organisations must invest time and resources now into regularly training and educating staff on information security awareness. Resilience can be built into the DNA of new working practices by spreading ongoing awareness of critical cyber threats amongst all users. A data-compromising cyber attack could be just around the corner, so organisations must establish plans and capabilities that reduce risk and prevent data loss, leakage or offline systems from disrupting business continuity.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.