Phishing has always been a risk to employees and businesses, but like every other part of our lives, COVID-19 has impacted it as well. Cyber criminals have kept up with the times and are creating targeted attacks with content relevant to remote workers and our collective fear surrounding the pandemic. This blog will explain how phishing attempts have changed due to COVID-19 and what a common form of cyber attack called ‘spear phishing’ is all about.
The History of Phishing
Phishing is a term coined around 1996 by hackers stealing America Online accounts and passwords. The term is an analogy for Internet scammers using lures online, and setting out hooks to ‘fish’ passwords, credit card information, and data from the ‘sea’ of Internet users. It is typically done through email, instant messages, or popups on webpages. Oftentimes it can appear completely legitimate and trustworthy.
Remote Workers at Risk
A recent study by the cyber security company TerraNova Security found that in 2020 more users were caught by phishing scams. The study was conducted as a simulation, with emails and webpage templates that reflected real-world scenarios, especially those targeting people working remotely. The templates measured phishing behaviours including clicking on suspicious email links and submitting data using a webpage form. The results found that an increasing rate of users would have compromised their data if the simulation had been real. Almost 20% of employees clicked on phishing email links, which was an increase from 11% in 2019. The study was conducted in 12 different languages from 28 different countries around the world. Read more about the study and TerraNova Security here.
COVID-19 Impacts Phishing Attempts
2020 was a year of tumultuous change and accelerated digital transformation for companies. These shifts also increased cyber threat risks because cyber criminals took advantage of the volatility with targeted phishing attacks. Cyber criminals leveraged fear and uncertainty in their messages to trick users. According to Zscaler, a cyber security company, there was a 30000% increase in phishing, malicious websites, and malware targeting remote users between January and March of 2020. Yes – 30000% – this is not a typo! The number of COVID-19 spear phishing attempts also increased by 667%. You can read more about their findings here.
What is Spear Phishing?
According to the Canadian Anti-Fraud Centre, one of the most common and most dangerous attack methods is called spear phishing. Fraudsters will take their time to collect information about the intended target, so they can send convincing emails from a trusted source. They will use a tactic known as spoofing where the sender’s address appears to be the actual email address of the source they’re pretending to be. These scams target businesses or individuals and can be done over email, text, phone, and fax. There are several variations of this type of phishing including business executive spoofs, existing employee spoofs, or the supplier/contractor swindle.
Business Executive Spoofs
An email that appears to come from a high-ranking official in your company could request gift cards for employee rewards or a birthday, or simply a direct wire transfer.
Existing Employee Spoofs
A scammer sends an email that appears to come from an existing employee in your company. If the email appears to come from someone in payroll, they could request a change to the employee’s direct deposit information. This tricks the company into depositing the employee’s paycheque into a fraudulent account. In a related scam targeted at remote workers, the cyber criminals pose as your company’s IT department with an email about your VPN.
Supplier/Contractor Swindle
A scammer targets a business that has an existing relationship with a supplier, wholesaler, or contractor. They send a spoofed email informing the business of a change in payment details. The email provides new banking information and requests that future payments be sent to the new account.
Help Your Organization and Employees Avoid Attacks
There are many uncertainties with COVID-19, and businesses are striving to find new ways to ensure their employees’ data remains protected no matter where they work. Distributed virtual offices have lessened the effect of technical data protection measures and put employees’ ability to detect phishing scams under a microscope. There are a few ways you can stay cognisant of the heightened risks of phishing attacks amid COVID-19:
- Stick with reputable sources for COVID-19 information
- Be wary of requests for emergency funds via email (call the sender to confirm, even if it appears to be from a known contact)
- Look at the language used in the email and be wary of unusual requests that do not follow internal procedures, request confidentiality, use pressure or a sense of urgency, or include unusual promises of reward.
- Do not open links or attachments from unknown sources
- Do not provide personal information online
- Enable two-factor authentication
- Apply security updates to your operating system and computer
- Activate SMS/email notifications for any financial transaction
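To show how the spoofing and language warning signs described above can be checked automatically, here is an added Python example (not part of the original post and not Execulink's own tooling). The sample message, the placeholder domains and the phrase lists are constructed assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real email); example.com / example.net are placeholders.
SAMPLE = """\
From: "Jane Doe, CEO" <jane.doe@example.com>
Reply-To: jane.doe.ceo@example.net
To: payroll@example.com
Subject: Urgent wire transfer needed today
Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail

Please keep this confidential. I need a wire transfer sent immediately,
and gift cards for employee rewards. Our supplier's banking information has changed.
"""

# Assumed phrase lists, modelled on the warning signs in the list above.
PATTERNS = {
    "urgency": r"\b(urgent|immediately|right away|asap|today)\b",
    "confidentiality": r"\b(confidential|keep this between us|do not tell)\b",
    "payment_request": r"\b(wire transfer|gift cards?|direct deposit|"
                       r"banking information|payment details)\b",
}

def domain(addr):
    """Return the lower-cased domain of an address header, or '' if absent."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def phishing_flags(raw):
    """Return the list of warning signs found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    flags = []
    # Replies going to a different domain than the visible sender suggest spoofing.
    reply_dom = domain(msg["Reply-To"])
    if reply_dom and reply_dom != domain(msg["From"]):
        flags.append("reply_to_mismatch")
    # Only trust Authentication-Results added by your own mail server.
    # A missing result is treated the same as a failed one.
    auth = (msg["Authentication-Results"] or "").lower()
    for check in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{check}=(\w+)", auth)
        if m is None or m.group(1) != "pass":
            flags.append(f"{check}_not_pass")
    text = f"{msg['Subject'] or ''}\n{msg.get_payload()}".lower()
    flags += [name for name, pat in PATTERNS.items() if re.search(pat, text)]
    return flags

if __name__ == "__main__":
    print(phishing_flags(SAMPLE))
```

A flagged message is a prompt to confirm the request by phone, as the list above advises; keyword matches alone will also catch some legitimate mail.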
What Should You Do When You Receive Spam?
After following these suggested methods to protect yourself online, you can also report any suspicious emails to your company’s IT department and the Canadian Anti-Fraud Centre. The best thing you can do is trust your gut feeling if the email or text message seems off to you. It’s more important than ever to stay vigilant about your online security and stay skeptical when faced with suspicious emails.
Get Started Today!
Execulink understands the importance of providing a secure Internet connection for your business. To stay connected, learn more about our Business Internet options by visiting our webpage. If you’re working from home, consider Execulink’s residential Internet options! Qualify your address, give us a call at 1-866-706-1942, or send us an email at email@example.com. Whether you’re looking for faster Internet speed options, or unlimited usage, we have the services you and your business deserve.