The increased vulnerabilities that come with working from home (WFH) mean that cyber criminals have upped the ante. Cyberattacks, while clearly evident pre-Covid, have increased exponentially as criminals take advantage of the disruption and weakened network security.
From the early days of remote working, hacking events have surged as compromised technology and security have allowed easier access to network systems.
Evidence suggests that phishing attacks increased by 667% in March of this year alone.
Phishing with Covid-19 as bait
Cyber criminals are exploiting human frailties. The fraudulent attempts to prey on our generosity of spirit – that spirit clearly evident in our nation’s response to Captain Tom Moore’s heroic efforts – are repugnant.
Bogus websites have been set up posing as charities to channel funds into cyber criminals’ bank accounts.
Our natural fears and anxieties are being used against us as criminals seek to offer us fraudulent PPE, home-testing kits and cures. The appeal is all too obvious. These fraudulent activities are carried out via email, phone scams (eg offering free home testing kits or the promotion of bogus cures), or hoax texts (including one that offered a $30,000 'relief' package from 'The Financial Care Center', and another that informed recipients that they must take a mandatory online Covid-19 test; both were attempts to obtain banking and other personal information).
Another 'in' for these hackers is bogus updates on Covid-19, which are being sent by email or via social media. Phishing attacks involve emails to employees that appear to come from senior executives, emails that purport to attach updated policies around remote working, or emails that pretend to be from health agencies.
We are aware of emails purportedly from the World Health Organization, ostensibly providing Covid-19 updates via an attachment. Rather than providing helpful content, the attachment, once clicked, launches malware or ransomware onto the victim’s computer.
Phishing with psychology as bait
Again, preying on human behavioural patterns, fraudsters often craft phishing emails encouraging the recipients to take action while manipulating our willingness to be efficient, helpful and proactive. Examples include:
- 'Your mailbox exceeds 3.5MB of storage as set by the administrator. To validate your account, click here.'
- 'Welcome to the new Outlook web app for staff. Login here.'
- 'You have a new voicemail message. Click here to access.'
The phish, if successful, may provide remote access to an employee’s computer or network, often the precursor to installing ransomware. Alternatively, or perhaps at the same time, the scammer uses valuable information to commit fraud or identity theft.
What should you do?
We are all generally becoming more educated in our ability to spot phishing emails: we’ve been told about checking for clues such as bad grammar, spelling mistakes, poor stylistics and odd-looking links.
Unfortunately, however, the sophistication of these emails is also improving at the same rate, and even the most seasoned cyber-guru can get caught out.
While spotting a phishing email is becoming increasingly difficult, the National Cyber Security Centre (NCSC) has put together some common signs to look for:
- Authority. Is the sender claiming to be from someone official (eg your bank, doctor, a solicitor, government department)? Criminals often pretend to be important people or organisations to trick you into doing what they want.
- Urgency. Are you told you have a limited time to respond (eg in 24 hours or immediately)? Criminals often threaten you with fines or other negative consequences.
- Emotion. Does the message make you panic, or feel fearful, hopeful or curious? Criminals often use threatening language, make false claims of support, or tease you into wanting to find out more.
- Scarcity. Is the message offering something in short supply (like concert tickets, money or a cure for medical conditions)? Fear of missing out on a good deal or opportunity can make you respond quickly.
- Current events. Are you expecting to see a message like this? Criminals often exploit current news stories, big events or specific times of year (like tax reporting).
- Avoid clicking on links in unsolicited emails and beware of email attachments.
- All emails related to the pandemic that invite the recipient to click on a link or open an attachment should be treated as suspicious. That is particularly true if they appear to come from governmental organisations or large companies with which the recipient has no connection. Use trusted sources including legitimate government websites for up-to-date, fact-based information about Covid-19.
- As always, emails that seek personal information should be viewed with extreme scepticism. Do not reveal personal or financial information in emails, and do not respond to email solicitations for this information. This is particularly true now with respect to emails concerning the pandemic.
- Educate your employees about how to recognise phishing emails on both mobile devices and desktops or laptops.
The overriding message is: do not trust information that doesn’t come from official sources and be suspicious of messages coming from a company from which you don’t normally receive communications.
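Several of the signs above (a claimed authority, urgency, stock lure wording and odd-looking links) can also be checked automatically at the mail gateway. The following is an added example, not part of the original article or any NCSC tooling: the function names, the organisation-to-domain table and the three sample messages are assumptions constructed for illustration, and it handles single-part messages only.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: organisations a sender may claim to be -> their real mail domain.
CLAIMED_ORGS = {"world health organization": "who.int"}
# Lure wording taken from the example phishing lines quoted in the article.
LURES = ["mailbox exceeds", "validate your account", "new outlook web app",
         "new voicemail message", "click here", "login here"]
URGENCY = [r"\bimmediately\b", r"\bmandatory\b", r"\b\d+ hours\b"]
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")

def same_site(host, official):
    host = (host or "").lower().rstrip(".")
    official = re.sub(r"^www\.", "", official.lower())
    return host == official or host.endswith("." + official)  # exact or subdomain

def phishing_signs(raw):
    """Return the warning signs found in a single-part RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    signs = []
    # Authority: display name claims an organisation, address is elsewhere.
    for org, official in CLAIMED_ORGS.items():
        if org in name.lower() and not same_site(addr.rpartition("@")[2], official):
            signs.append("authority")
    if any(re.search(p, text) for p in URGENCY):
        signs.append("urgency")
    if any(phrase in text for phrase in LURES):
        signs.append("lure")
    # Odd-looking link: visible text names one domain, href goes to another.
    for href, label in LINK_RE.findall(body):
        shown = DOMAIN_RE.search(label.lower())
        if shown and not same_site(urlparse(href).hostname, shown.group(0)):
            signs.append("link-mismatch")
    return signs

# Constructed sample messages (not real mail).
SPOOFED = ('From: "World Health Organization" <updates@who-int.example>\n'
           'Subject: Mandatory Covid-19 update\n\n'
           '<a href="http://login.example.net/doc">www.who.int/update</a>')
GENUINE = ('From: "World Health Organization" <news@who.int>\nSubject: News\n\n'
           '<a href="https://www.who.int/news">www.who.int/news</a>')
VOICEMAIL = ('From: Voicemail <vm@mail.example>\nSubject: New message\n\n'
             'You have a new voicemail message. Click here to access.')
```

A message with no signs is not thereby safe; checks like these only prioritise mail for quarantine or a warning banner, and the advice above still applies to whatever gets through.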