3 tips to prevent remote workers from falling victim to phishing attacks

    May 25, 2020

    The surge in phishing attacks related to COVID-19 is staggering. 

    Barracuda Networks announced a 667% spike in coronavirus-related phishing messages in March compared to February. Google is blocking 18 million COVID-19 scam emails a day and reported a 350% increase in phishing websites since January.

    Not only are remote workers inherently less secure, but attackers are also taking advantage of fear and the chaos of the exodus from the traditional office setting. Now, more than ever, employees must pay careful attention to their inbox and the sites they visit.

    Here are three tips to help protect against phishing attacks when working from home.

    1. Watch for the signs

    The anatomy of an effective phishing attack is rooted more in social engineering than technology. Phishing messages try to trick individuals into taking an action, such as clicking on a link or providing personal information, by offering scenarios of financial gain or ramifications, raising the potential of work disruption, or playing into personal panic.

    However, phishing messages typically have tell-tale signs that can – and should – give you pause. Attempts to obfuscate the sender, poor spelling and grammar, and malicious attachments are a few of the classic signs that the message is not genuine.

    Phishing messages with the highest response rates are often related to time-bound events, such as open enrollment periods or satisfaction surveys. Other common phishing themes include unpaid invoices, requests to confirm personal information and problems with logins.

    Before acting, think about what is being asked. If you’re unsure whether it might be a malicious message, ask a colleague or your IT team to analyze the message (including the full SMTP information).
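
    As an added illustration of what an analyst looks for in that full SMTP header information (this is example code, not from the original article), the Python sketch below flags the sender-obfuscation signs described above. The sample message is constructed, the function names are hypothetical, and the code assumes the Authentication-Results header was written by the recipient's own mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real email); domains are reserved example names.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=example.org
From: "IT Service Desk <helpdesk@example.com>" <notice@example.org>
Reply-To: reset@example.net
To: employee@example.com
Subject: Action required: password expires today

Please confirm your login.
"""

def domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def sender_findings(raw):
    """Return a list of sender-obfuscation findings from raw message headers."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain(from_addr)
    findings = []
    # Display name that embeds an address from a different domain than the real sender.
    for shown in re.findall(r"[\w.+-]+@[\w.-]+", display):
        if domain(shown) != from_dom:
            findings.append(f"display name shows {shown}, sender is {from_addr}")
    # Replies or bounces routed to a domain other than the visible sender's.
    for header in ("Reply-To", "Return-Path"):
        other = domain(parseaddr(msg.get(header, ""))[1])
        if other and other != from_dom:
            findings.append(f"{header} domain {other} differs from From domain {from_dom}")
    # Authentication verdicts recorded by the receiving mail server (assumed trusted).
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    for check in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{check}=(\w+)", results)
        if m and m.group(1) != "pass":
            findings.append(f"{check} result is {m.group(1)}")
    return findings

if __name__ == "__main__":
    for finding in sender_findings(SAMPLE):
        print("-", finding)
```

    Each finding is a reason to escalate rather than a verdict: legitimate bulk mail often uses a different Return-Path domain, so the findings are most useful in combination.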

    2. Look out for pretexting

    Attackers often attempt to impersonate a known person or entity to obtain private information or to carry out an action. This is known as pretexting, and it is commonly carried out by crafting a fraudulent email or text message that prompts an action outside the standard process.

    One example is calling the service desk and pretending to be a valid user to get a password reset. Another ruse attackers frequently take advantage of is an out-of-band wire transfer or an invoice payment for a critical vendor. Small companies have traditionally been the targets, but larger companies are increasingly targeted. 

    Organizations must understand that pretexting is considered fraud and is often NOT covered by cyber insurance policies. Therefore, it’s critical that organizations design effective business processes with oversight so there are no single points of approval or execution, and stick to them. While it may be tempting to bypass processes, such as accounts payable or IT procurement, you can’t afford to let your guard down, especially when large numbers of workers are logging on remotely.

    3. Invest more in education

    Phishing is often discussed within the cybersecurity space, but the conversations typically don’t involve intent and rigor.

    The common compliance measure usually involves an in-person or virtual annual training, along with some other method of education, such as hanging posters around the workplace. This approach pre-dates highly connected computing environments and doesn’t address the urgency needed for the current threat landscape.

    Organizations must conduct security awareness education with the same decisiveness and gravity that other industries do with their safety training. For example, it’s not uncommon for drivers in the commercial trucking and transport sector to take monthly training modules, or for managers to participate in quarterly safety meetings. Additionally, bad safety reviews or accidents often mean even more specific training for drivers.

    Phishing attacks should be taken just as seriously.

    Investing time and resources into regularly training and educating staff on information security awareness and current cyber threats will be critical in better securing a remote workforce.

    Better to be proactive than reactive

    The move to large-scale remote work has left many organizations more vulnerable than before. And bad actors are taking advantage of the chaos.

    By paying attention to the signs, looking out for pretexting and emphasizing regular training, you can better fend off the surge in phishing attacks.  
