The ongoing threat of COVID-19 has drastically changed the business landscape. The sudden shift in circumstances has increased the attack surface and presented an abundance of new security challenges for organisations.
During this time of uncertainty, cybercriminals have been quick to take advantage of the situation, which has led to a surge in phishing attacks.
According to Google, scammers are sending 18 million COVID-19-related emails to Gmail users every day in an attempt to persuade victims to download malicious software, steal sensitive information, or donate to fake causes.
The Office of National Statistics (ONS) has reported 14.2 million people (44% of the total number of working adults) have worked from home during the coronavirus pandemic.
The rapid transition to remote working meant that many organisations were unprepared for a remote workforce for such a sustained period. It is well recognised that phishing thrives on isolation, uncertainty and periods of change. As a result, the pandemic has created the perfect storm in which hackers, scammers, and spammers can exploit the public.
In a recent survey conducted by Threatpost, 40% of companies reported seeing an increase in cyber attacks as they enabled remote working.
Phishing Threats and Working From Home
Remote working is drawing more cyber security threats for a few reasons, including:
- More people are using home networks, which are likely to be less secure. As such, IT departments cannot closely monitor and safeguard employees’ online behaviour when they work from home.
- For many employees, the COVID-19 crisis has been the first time they have worked from home for a lengthy period of time. Cybercriminals know these individuals are more vulnerable because of their lack of familiarity with safe work-from-home practices.
- Cybercriminals are viewing the current situation as a chance to take advantage of remote workers. Malicious cyber actors are continually adjusting their tactics to take advantage of new situations, and the COVID-19 pandemic is no exception.
Increased home working is likely to be here for the foreseeable future, even after the current pandemic-related emergency measures. However, with some organisations preparing to phase back into the office environment, uncertainty will continue to be a significant factor. As such, it’s vital that employees understand the crippling consequences phishing attacks can cause, as well as how to protect themselves and their organisation from phishing threats.
How Phishing can Damage your Business
Data breaches from a phishing attack can cause devastating financial losses and damage an organisation’s reputation for years. According to IBM, the global average cost of a data breach has risen to a staggering $3.92 million.
From lost business to regulatory fines and remediation costs, data breaches have far-reaching consequences. A successful phishing attack can result in:
- Identity theft
- Theft of sensitive data
- Theft of client information
- Loss of intellectual property
- Financial theft
- Unauthorised transactions
- Reputational damage
- Credit card fraud
- Installation of malware or ransomware
- Access to other systems
- Data sold to third parties
How to Prevent a Phishing Attack
Identifying a phishing email has become increasingly difficult as cybercriminals have honed their skills and use a range of social engineering tactics to convince the recipient to click on a malicious link or provide personal information. Today, phishing attacks are more targeted and sophisticated than ever before.
As employees prepare to return to the office, recent campaigns have seen cybercriminals launch attacks which exploit workers anticipating updates from their employers about returning to the workplace.
By encouraging users to act quickly and by provoking curiosity and fear, some studies have shown the click rate on phishing attacks has risen from less than 5% to over 40% with coronavirus scams.
According to Intel, 97% of people around the world are unable to identify a sophisticated phishing email. Despite the convincing nature of these emails, there are still some tell-tale signs that may alert us to the presence of a phishing email.
- Never click on links or download attachments without confirming the source.
- Double-check the sender’s address to ensure it’s coming from a legitimate source.
- Always double-check the webpage’s URL before signing in and never log into sites by following a link in an email. Even if a message seems perfectly legitimate, a URL that does not match the address displayed is an indication that the message is fraudulent and likely to be a phishing email.
- Always take time to think about a request for your personal information, and whether the request is appropriate. A reputable company will never send out an email to customers asking for personal information such as an account number, password, PIN or security questions. See our resources on how to spot a phishing scam.
- Ignore and delete emails with unexpectedly poor grammar and formatting. If you spot any spelling mistakes or poor grammar within an email, it is unlikely to have come from an official organisation and could indicate the presence of a phishing email. Learn more about the characteristics of a phishing attack.
- Phishing attack messages that have the highest response rates are often related to time-bound events. Cybercriminals will often use a sense of urgency to encourage recipients to react immediately. If you are unsure if the request is legitimate, contact the company directly via their official website or official telephone number.
- Be cautious of unexpected email messages. Always take a moment to think, “Am I expecting this type of request?” If it looks suspicious or too good to be true, then it probably is.
Why Phishing Awareness is Important
As cybercriminals increase their efforts to exploit the public, awareness is the most powerful weapon against these evolving threats and techniques.
Scammers will be quick to take advantage of any lapses in security, and organisations should continue to empower and educate employees to remain vigilant. Cyber Security is everyone’s responsibility, and with so many potential attack points, the key to improving security is to create a culture of cyber awareness.
Create a More Security Conscious Workforce
Cyber Security Awareness for Dummies acts as an indispensable resource for implementing behavioural change and creating a culture of cyber awareness.
In this guide, you will learn:
- What Cyber Security awareness means for your organisation
- How to implement a cyber risk awareness campaign
- The critical role of policies to establish safe baselines
- How to maintain momentum and staff engagement
- 10 Cyber Security awareness best practices