Old phishing threats have a new Covid-19 theme

Although people might feel comfortable working from home during the pandemic, they have to remain wary. COVID-19 has given hackers fresh bait for old-fashioned phishing attacks.

The outbreak of the virus probably hasn’t increased the overall threat of phishing; it’s just given thieves a new topic to use in attempts to trick people into giving up sensitive information or clicking a bad link, said Chad Pew, manager of IT at SDN Communications.

Pew avoids saying that people who work at computers should be extra cautious now because he thinks they should always be cautious. Hackers are always active, and they always are trying to take advantage of trends, such as holiday seasons or natural disasters.

“They’re just looking for that attention-grabber where their email is going to get noticed and make people act on it,” Pew said. “That’s why they always switch to the most relevant topic that’s going on in the world.”

That makes COVID-19 the online threat du jour. Granted, it can be an especially compelling topic for phishing attacks because of the anxiety the subject creates.

Regardless of what form phishing takes, security experts agree that it is a major threat to information security. It’s a form of social engineering in which hackers disguise themselves to try to acquire information, such as passwords, or encourage actions to assist their crime. They often use email, but phone calls are commonly used, too.

Hackers like to attack humans because, generally, employees – not machines – are the weakest link in a company’s cybersecurity defense. The best way to combat phishing is to train employees on an ongoing basis to recognize hackers’ tactics, such as urging email recipients to click on a link that could download malware into a network.

To help train and constantly update its employees about phishing threats, SDN uses a service from the security company KnowBe4. The service regularly but randomly sends a variety of fake emails to SDN employees at all levels. The purpose is to educate the company’s staff, not reprimand those who are tricked into taking a bad action.

Typically, only two or three of roughly 130 employees fail each round of a test. Those who get deceived have to take extra training. If the same employee were to fail month after month, some one-on-one discussion or possibly other action might be in order, Pew said.

Employees who don’t act on a test email and flag suspicious messages for review by the IT staff are congratulated.

During normal times, fake emails that appear to come from the human resources department and discuss an employee’s benefits might be difficult for recipients to resist. Now, hackers might try a tactic such as urging home-based workers to provide their credentials so they can be connected to the company’s network.

During a recent two-day period, KnowBe4 identified 10 different varieties of re-purposed phishing emails.

“Although all of these malicious emails strive mightily to be relevant and topical by invoking the COVID-19 crisis in one way or another, they should still look at least vaguely familiar,” warns KnowBe4. “That's no accident, as most of them are just warmed-over or re-treaded versions of the same malicious emails that have been plaguing users and IT departments for years.”

Regardless of the action they encourage, fake emails usually can be detected by the recipient. For example, closely examine the sender’s identification. The address might look real, but it might contain unusual characters. Hover the mouse over the sender’s name to see where the message really came from.
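As an added example (not from the article, SDN or KnowBe4), here is a small Python check that automates the sender inspection described above: it compares the display name with the real address and flags unusual characters or punycode in the domain. The sample headers and domains are constructed for illustration.

```python
import unicodedata
from email.header import decode_header

def decode_from(raw):
    """Decode RFC 2047 encoded-words so a disguised display name is visible."""
    parts = []
    for text, charset in decode_header(raw):
        if isinstance(text, bytes):
            text = text.decode(charset or "ascii", errors="replace")
        parts.append(text)
    return "".join(parts)

def split_from(decoded):
    """Split 'Name <addr>' into (name, addr); a bare address has an empty name."""
    if "<" in decoded and decoded.rstrip().endswith(">"):
        name, _, rest = decoded.rpartition("<")
        return name.strip().strip('"'), rest.rstrip().rstrip(">").strip()
    return "", decoded.strip()

def suspicious_chars(domain):
    """Report domain characters outside ASCII letters/digits/./- and punycode labels."""
    found = [f"{c!r} ({unicodedata.name(c, '?')})" for c in domain
             if not (c.isascii() and (c.isalnum() or c in ".-"))]
    if any(label.startswith("xn--") for label in domain.lower().split(".")):
        found.append("xn--")
    return found

def check_sender(raw_from, trusted_domains):
    """Return warnings for a From: header; an empty list means nothing was flagged."""
    name, addr = split_from(decode_from(raw_from))
    _, at, domain = addr.lower().rpartition("@")
    if not at or not domain:
        return ["no address found"]
    warnings = []
    # Display name drops a trusted domain, but the real address is elsewhere
    for t in trusted_domains:
        if t in name.lower() and domain != t and not domain.endswith("." + t):
            warnings.append(f"display name mentions {t} but address is @{domain}")
    # Display name itself looks like an address with a different domain
    if "@" in name and name.rpartition("@")[2].lower() != domain:
        warnings.append(f"name shows @{name.rpartition('@')[2]}, real address is @{domain}")
    odd = suspicious_chars(domain)
    if odd:
        warnings.append(f"unusual characters in domain: {odd}")
    return warnings

if __name__ == "__main__":   # constructed sample headers (hypothetical domains)
    for raw in ("HR Department <hr@example.com>", "hr@example.com <hr@examp1e-mail.net>",
                "HR Department <hr@ex\u0430mple.com>"):   # last one: Cyrillic 'a'
        print(raw, "->", check_sender(raw, ["example.com"]))
```

A mail gateway or triage script can run the same check on every inbound message and route flagged ones to the IT staff for review, which is exactly the reporting path the article describes.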

Here are some other tips from Pew and other security experts that bear repeating.

  • Always be cautious. View any email request for personal or company information with suspicion.
  • Look for errors in any unexpected message that calls for action. Phishing emails often contain odd phrasing or poor grammar.
  • Attacks often include threatening language and encourage quick action.
  • Independently verify information in a suspicious email or telephone call. Don’t hesitate to seek advice from a work colleague or manager.
  • Promptly report any mistake you make, such as clicking on a bad link, so that mitigation action can begin, if necessary. Admitting a mistake might be embarrassing, but waiting only complicates matters.
