Restart Your Cybersecurity Training During COVID-19 ASAP. Here’s Why
With the onslaught of COVID-19 scams and cybersecurity threats, training your teams on safe practices for email and Internet is crucial.
Hackers are preying on your employees at a time when they are most vulnerable. The confusion and uncertainty surrounding the coronavirus pandemic makes them even more susceptible to being duped, especially if they’re suddenly facing unfamiliar circumstances, like working from home and using systems they’re unaccustomed to.
If employees don’t have adequate cybersecurity training, then there’s a high risk that they could become the next victims.
Phishing scams are among your worst enemies right now
Law enforcement agencies around the world have warned that phishing scams are on the rise – by as much as 600% since the beginning of March, according to some data.
Many of these schemes are now using COVID-related themes to deceive users. In the process, attackers are stealing login credentials, accessing critical systems, stealing data and infecting devices with a host of malware.
It’s true that businesses have plenty of other threats to worry about right now as they transition to a remote working environment while also facing bleak economic conditions. There’s also the constant risk of data loss, hardware failure and general malware infections.
But whereas you can ward off many of those threats with the right technologies, you don’t have as much control over whether employees get deceived by a phishing scheme.
That’s why phishing emails are one of your worst enemies right now and why cybersecurity training is so important.
Phishing 101 – what is it?
Before we dig into our tips for cybersecurity, a brief refresher is in order:
What is a phishing scheme? How does it differ from other spam emails or malware?
Phishing emails differ from traditional spam in that they are disguised to look like messages from trusted senders. A common example is an email purporting to come from the user’s bank, asking them to log in right away (to change a password, say, or to confirm suspicious activity).
The email can look identical to legitimate communications from the bank – logos, color schemes and all. The only differences are the links inside the email and the sender details. When a user clicks the button to log in, it takes them to an ordinary-looking login page. In reality, the page is hosted by the attackers. When the user submits their credentials, the attackers receive them and can use them to log in whenever they want.
Often, the user doesn’t notice anything is amiss – and that’s exactly what the culprits want. After the user submits the fake page, it may simply redirect to the legitimate login page, so the user tries again, gets in as normal and assumes the first attempt was a typo.
If users don’t think anything is wrong, they won’t have any reason to change their password or notify IT, thereby allowing the attackers to maintain access.
Examples of phishing during COVID-19
COVID-19 has ushered in a new wave of phishing emails, designed to fool users about issues surrounding the coronavirus.
Example themes identified by the FBI include:
- Stimulus checks
- Loans and credit accounts
- Charitable contributions
- Airline refunds
- Cures and vaccines
- COVID-19 testing kits
In each case, users are directed to a scam page asking them to log in or enter their financial information.
It’s not just about coronavirus
We need to make a very important point here…
A phishing email does NOT need to be COVID-related to be extremely effective right now.
Employees facing new, stressful and unfamiliar territory makes them naturally more vulnerable, regardless of what the phishing email says. Heightened anxiety may blind them to ordinarily obvious red flags.
Take the bank scam we mentioned above, for example. If an employee is already worried about their financial situation and other life stresses, they are prime targets for a phishing email that says, “Suspicious activity detected – please login to review this transaction.”
This is exactly why phishing schemes are on the rise right now. Attackers are taking advantage of the fears and anxieties of your workers.
Damage from successful attacks
How much harm can a phishing scam cause?
A lot.
Stealing a single user’s credentials can lead to a massive security breach. Once hackers are inside your systems, they can do whatever the employee could do: export data, copy, modify, delete files and so on. In a worst-case scenario, they could gain access to your financial accounts and transfer money out.
Even without access to your financial accounts, they can do just as much financial damage. Some phishing attacks steal your data and hold it hostage until you pay a massive ransom – which brings us to our next important point …
Phishing emails are a top delivery method for ransomware
Hackers don’t actually have to steal your data to hold it hostage.
With ransomware, they can encrypt all your data, effectively freezing your operations until you pay a ransom (though paying up doesn’t guarantee the attackers will comply).
Phishing schemes are among the most common ways that hackers infect systems with ransomware. Often, instead of bothering with a fake login page at all, these schemes will simply use a deceptive email with an infected attachment (made to look like an invoice, receipt, transaction, etc.) or a link to a malicious website that begins downloading the malware upon loading the page.
Firewalls and email filters aren’t enough
It’s true that strong network firewalls and spam filtering systems can weed out the majority of threats before they arrive in your inboxes. And for bad emails that do get through, you can block the ransomware from loading with strong antimalware software, application whitelisting and other security measures.
But some threats will still get through – especially when the phishing emails are especially sophisticated.
This is why cybersecurity training is so important.
How to train: start with the risks
Educating your employees on safe practices for email and Web is one of the best steps you can take to protect your business. As you begin the training, start by letting employees know what’s at stake.
Educate employees about the risks to the business: the costs and potentially devastating consequences of a widespread cyberattack. Ransomware attacks, for example, can cost businesses thousands of dollars per hour in downtime alone, and they can force some businesses to close permanently.
When users understand that their actions could seriously hurt the business (and even threaten their own employment), they are more likely to be more cautious online.
Recognizing common phishing attacks
Employees should know how to recognize phishing emails. Some common examples of deception that users should be wary of include:
- Alerts about suspicious account activity or log-in attempts
- Claims of problems with stored payment information
- Requests to confirm your personal information
- Fake account statements, bills, invoices
- Emails about refunds, free money or unclaimed funds
Employees will naturally want to know how they can determine if the email is legitimate. There are a few tell-tale giveaways …
Is it real? Here’s how to tell
When evaluating emails, users should ask themselves the following questions before clicking any links or opening an attachment:
- Is it from a trusted sender? For example, if the email is from a bank or service that the user doesn’t have an account with, that’s a surefire sign it’s bad.
- Is it missing personal information? Does the email address the recipient by name, or does it use generic greetings like “Hi” or “Sir / Madam”? If there’s nothing personal, it could be malicious.
- Does the language seem off? Broken English or awkward turns of phrase are often a sign that the sender is not who they claim to be.
Checking links and sender data
If users still aren’t sure whether the email is legitimate, they should take a closer look at where the email is coming from, and where the links will take them.
- Don’t rely on the “from” info alone. The display name, and often the From address itself, can be spoofed to make a message appear to come from a trusted sender. Instead, users should be trained to view the full message headers (most mail clients have a “show original” or “view source” option) and compare the From domain with the Return-Path (the address that actually sent the message) and the Authentication-Results header, which records whether the SPF, DKIM and DMARC checks passed. If, for example, the email claims to be from Netflix but the sending domain is something else entirely, or those checks show “fail”, the message could indeed be malicious.
- Check hyperlinks. Users can usually verify the real destination of a button or link by hovering over it (or viewing the message source) rather than trusting the link text, which can read like the bank’s own address while pointing somewhere else. Watch for look-alike domains as well: a hostname such as bank.example.login-verify.example belongs to login-verify.example, not to the bank. If the URL is for an unknown website, the email may not be legitimate. Note, however, that many companies use third-party email senders and link-tracking services, which may use unfamiliar domains. When in doubt, users should confirm with IT.
Go directly to the source
As a general rule of thumb, users should not have to click on emails at all – especially if they are suspicious about the content.
Instead, users should go directly to the account login pages by opening up their browsers. For example, if there’s an “account alert” email from Bank of America, the user should bypass the email entirely and go directly to Bank of America’s website. If there is no similar alert in their account, they should probably ignore and delete the email.
Start retraining ASAP
Don’t assume everyone will remember all this, even if the training was only a few months ago.
If your company is in the middle of a major transition because of COVID-19, now is the time to retrain employees. Make sure new employees are trained during the onboarding process, and consider conducting the training for everyone at least once a year. Throughout the year, send emails to employees to remind them of the most important tips for recognizing and avoiding suspicious emails.
Don’t forget to back up your data
Data backups are a vital layer of protection against data loss from malware, ransomware and other cyberattacks. Request a free demo of today’s best business continuity solutions to ensure your organization can quickly recover from a disaster.
For more information, contact our business continuity experts at Invenio IT: call (646) 395-1170 or email us at success@invenioIT.com.