Not only are remote workers inherently less secure, but attackers are also taking advantage of fear and the chaos of the exodus from the traditional office setting. Now, more than ever, employees must pay careful attention to their inbox and the sites they visit.
Here are three tips to help protect against phishing attacks when working from home.
Watch for the signs
The anatomy of an effective phishing attack is rooted more in social engineering than technology. Phishing messages try to trick individuals into taking an action, such as clicking a link or providing personal information, by presenting scenarios of financial gain or loss, the prospect of work disruption, or something that plays on personal panic.
However, phishing messages typically have tell-tale signs that can – and should – give you pause. Attempts to obfuscate the sender, poor spelling and grammar, and malicious attachments are a few of the classic signs that the message is not genuine.
The phishing messages with the highest response rates are often tied to time-bound events, such as open enrollment periods or satisfaction surveys. Other common phishing themes include unpaid invoices, requests to confirm personal information, and problems with logins.
Before acting, think about what is being asked. If you’re unsure whether it might be a malicious message, ask a colleague or your IT team to analyse the message (including the full SMTP information).
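As an added illustration of the header analysis an IT team would perform on a suspicious message (example code written for this article, not from the original post), the following Python flags the classic sender-obfuscation signs from the full message headers: a display name that shows a different address than the real From, a Reply-To or envelope sender in another domain, and SPF/DKIM/DMARC verdicts other than "pass". The sample message, domains and verdicts are constructed.

```python
import email
import re
from email import policy

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _first_address(msg, name):
    header = msg[name]
    if header is None or not getattr(header, "addresses", ()):
        return "", ""
    return header.addresses[0].display_name, header.addresses[0].addr_spec

def sender_indicators(raw_message):
    """Return labels for the sender-obfuscation signs found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    display_name, from_addr = _first_address(msg, "From")
    from_domain = _domain(from_addr)
    # Display name shows an address in one domain while the real From is in another
    if "@" in display_name and _domain(display_name) != from_domain:
        findings.append("display-name-domain-mismatch")
    # Replies would go somewhere other than the apparent sender
    reply_domain = _domain(_first_address(msg, "Reply-To")[1])
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-domain-mismatch")
    # Envelope sender (Return-Path, the SMTP MAIL FROM) differs from the header From
    match = re.search(r"<([^>]+)>", msg.get("Return-Path", ""))
    if match and _domain(match.group(1)) != from_domain:
        findings.append("return-path-domain-mismatch")
    # Receiving MTA's SPF/DKIM/DMARC verdicts; anything other than "pass" is worth a look
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            if verdict.lower() != "pass":
                findings.append(f"{mech.lower()}={verdict.lower()}")
    return findings

# Constructed sample: lookalike display name, foreign Reply-To and envelope sender, failed checks
SAMPLE = """\
Return-Path: <bounce@bulk-sender.invalid>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulk-sender.invalid; dkim=none; dmarc=fail header.from=example.com
From: "helpdesk@example.com" <alerts@mail-relay.invalid>
Reply-To: <reset@account-verify.invalid>
Subject: Action required: your VPN password expires today

Your password expires today. Reply with your current password to keep access.
"""

if __name__ == "__main__":
    print(sender_indicators(SAMPLE))
```

A message that raises none of these flags is not proven genuine; the checks only surface the signs the text describes so a reviewer knows where to look.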
Look out for pretexting
Attackers often attempt to impersonate a known person or entity to obtain private information or to get an action carried out. This is also known as pretexting, and it is commonly executed by crafting a fraudulent email or text message that prompts an action outside the standard process.
One example is calling the service desk and pretending to be a valid user to get a password reset. Another ruse attackers frequently take advantage of is an out-of-band wire transfer or an invoice payment for a critical vendor. Small companies have traditionally been the targets, but larger companies are increasingly targeted.
Organisations must understand that pretexting is considered fraud and is often NOT covered by cyber insurance policies. Therefore, it’s critical that organisations design effective business processes with oversight, so that there is no single point of approval or execution, and stick to them. While it may be tempting to bypass processes such as accounts payable or IT procurement, you can’t afford to let your guard down, especially when large numbers of workers are logging on remotely.
Invest more in education
Phishing is often discussed within the cybersecurity space, but the conversations typically lack intent and rigor.
The common compliance measure usually involves an in-person or virtual annual training, along with some other method of education, such as hanging posters around the workplace. This approach pre-dates highly connected computing environments and doesn’t address the urgency needed for the current threat landscape.
Organisations must conduct security awareness education with the same decisiveness and gravity that other industries do with their safety training. For example, it’s not uncommon for drivers in the commercial trucking and transport sector to take monthly training modules, or for managers to participate in quarterly safety meetings. Additionally, bad safety reviews or accidents often mean even more specific training for drivers.
Phishing attacks should be taken just as seriously.
Investing time and resources into regularly training and educating staff on information security awareness and current cyber threats will be critical in better securing a remote workforce.
Better to be proactive than reactive
The move to large-scale remote work has left many organisations more vulnerable than before. And bad actors are taking advantage of the chaos.
By paying attention to the signs, looking out for pretexting and emphasizing regular training, you can better fend off the surge in phishing attacks.