According to the Office of National Statistics (ONS), approximately 14.2 million people (44 per cent of the total number of working adults) have worked from home during the coronavirus pandemic. To put these figures into perspective, this number stood at around 1.7 million in 2019, representing just 5 per cent of the total working population.
While these statistics are unsurprising, it’s clear that the paradigm of working from home every day was sudden and significant. Few businesses can claim to have anticipated such a scenario, nor to have had the business continuity planning capabilities to contend with its consequences. For example, one of the biggest cybersecurity trends to have emerged in recent weeks is a surge in phishing attacks targeting remote workers.
As will be described in this article, phishing thrives on isolation, uncertainty and periods of change, which have all been common characteristics of the working world recently. Accordingly, Google has reported a 350 per cent increase in phishing attacks from January to March of this year.
Now that organisations are beginning to transition back to former work settings, social distancing will mean that change and uncertainty will continue to be a significant factor. During this time, it is imperative that all workers are aware not only of how phishing attacks work, but also the impact that it can have on an organisation’s reputation, it’s bottom line, and, crucially, the continuity of the business overall. Here are some key pieces of advice for staying secure under these circumstances.
1. Phishing attacks are socially engineered
The anatomy of an effective phishing attack is rooted more in social engineering than technology. Phishing messages try to trick individuals into taking an action, such as clicking on a link or providing personal information, by offering scenarios of financial gains or ramifications, or the potential of work disruption or playing into personal panic.
However, phishing messages typically have tell-tale signs that can – and should – give users pause. Attempts to obfuscate the sender, poor spelling and grammar, and malicious attachments are a few of the classic signs that the message is not genuine.
Phishing attack messages that have the highest response rates are often related to time-bound events, such as open enrolment periods or satisfaction surveys. Some other common phishing message themes include unpaid invoices, confirming personal information and problems with logins.
Before acting, think about what is being asked. For example, phishing attacks may take advantage of the fact that many workers are currently anticipating updates from their employers about returning to the workplace. The email may ask users to log in to a new system designed to allocate socially distant spaces within the workspace upon their return. This tactic exploits the user’s often unconscious confirmation bias, not only impersonating their employer but also taking advantage of their expectations around returning to work and acknowledgement of social distancing.
If unsure whether it might be a malicious message, encourage staff to ask a colleague or the IT team to analyse the message (including the full Simple Mail Transfer Protocol (SMTP) information).
2. Attackers use a diverse portfolio of tactics
Organisations must understand that pretexting is considered fraud and is often not covered by cyber-insurance policies. Therefore, it’s critical that organisations design effective business processes with oversight so there are no single points of approval or execution, and stick to them. While it may be tempting to bypass processes, such as accounts payable or IT procurement, businesses can’t afford to let their guard down – especially when large numbers of workers are logging on remotely as is the case for so many today.
Attackers often attempt to impersonate a known person or entity to obtain private information or to carry out an action. This is also known as pretexting, and is commonly executed by crafting a
fraudulent email or text message to execute an action that is not part of the standard process.
One example is calling the service desk and pretending to be a valid user to get a password reset. Another ruse attackers frequently take advantage of is an out-of-band wire transfer or an invoice payment for a critical vendor. Small companies have traditionally been the targets, but larger companies are increasingly being targeted.
3. Education is the first line of defence
Phishing is often discussed within the cybersecurity space, but the conversations typically don’t involve intent and rigor.
The common compliance measure usually involves in-person or virtual annual training, along with some other method of education, such as hanging posters around the workplace. This approach pre-dates highly connected computing environments and doesn’t address the urgency needed for the current threat landscape or pattern of working experienced by so many in 2020.
Organisations must conduct security awareness education with the same decisiveness and gravity that other industries do with safety training. For example, it’s not uncommon for drivers in the commercial trucking and transport sector to take monthly training modules, or for managers to participate in quarterly safety meetings.
Planning for the new normal
The main priority for organisations moving forward is to be more proactive about implementing, practicing and testing cyber-hygiene from the ground up. There’s much more in the way of fundamental change on the horizon which opens organisations up to a diverse and complex threat landscape.
At the same time, bad actors will constantly be on the lookout for opportunities to take advantage of the chaos. By paying attention to the signs, looking out for pretexting and emphasising regular training, companies can better fend off future phishing attacks.
Investing time and resources into regularly training and educating staff on information security awareness and current cyber-threats is critical in building resilience in the ‘new normal’ of the post-Covid-19 working world. A crippling cyberattack is always just around the corner, but by establishing plans and capabilities that reduce risk and prevent data loss, leakage or offline systems from disrupting business continuity, the chances of survival rise exponentially.
Richard Hahn, Consulting Manager, Sungard Availability Services