Cybercriminals are taking advantage of the vulnerabilities introduced by organizations forced to rapidly move employees to a virtual workforce model and the resulting greater reliance on the internet.
Google reports the number of active phishing websites has increased from 149,195 in January to 522,495 in March. That’s an increase of 350 percent since the beginning of the year!
Cybercriminals are nothing if not resourceful, and many are jumping on the bandwagon. Why bother going to the trouble of attacking a network when an employee or executive will open the door for you by simply clicking a link in an email that takes them to one of these 522,495 nefarious websites?
In fact, email has become the most popular way for cybercriminals to attack businesses and private individuals through a technique called phishing.
What is a Phishing Attack?
Phishing is an attack that uses email or a social media platform to trick the user into opening a link or an attachment. It can also be used to fool them into entering passwords or personal information on a fake website designed to look legitimate.
Avertium recently published an article giving examples of some COVID-19 phishing scams to watch for that feature bogus offers for vaccines, free tests and the like.
Phishing scams extend beyond the COVID-19 theme under the guise of various circumstances to prey on people distracted and stressed by the current situation.
For instance, you might get an email that appears to be from your bank, stating that your account has been compromised or suspended. The link might lead to a fake login screen, complete with the bank's logo, where you enter your username and password. This instantly gives thieves access to your real bank account.
Phishing Attack Indicators
In most cases, just reading an email or message won’t hurt you. For a phishing attack to work, you must be tricked into performing an action. Therefore, it’s important to watch for the signs that a message is an attempt at phishing.
Here are the most common indicators:
- The email demands immediate action to avoid a threatened consequence, such as your account being closed or fines being imposed
- You receive an email that entices you to open an attachment such as a letter from the IRS threatening prosecution or details of unannounced layoffs at your company
- The email requests sensitive personal information such as passwords or account numbers
- The email is supposedly coming from an official organization but uses a personal email address such as @yahoo.com or @gmail.com
- The email contains spelling errors or bad grammar
- The link in the email appears to take you to another site not connected to the organization
- You receive a message from someone you know, but it does not sound like them and contains a strange link
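The indicators above can be turned into a simple triage check that flags a message for IT review. This is an added example, not code from the article or from Avertium; the keyword lists, the reserved example.com/example.net domains and the two sample messages are constructed for illustration, and it assumes a single-part HTML message.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed heuristics mirroring the listed indicators (not a standard or complete list).
URGENCY = re.compile(r"\b(immediately|within 24 hours|suspended|account will be closed|fines?)\b", re.I)
SENSITIVE = re.compile(r"\b(password|account number|social security|ssn|pin)\b", re.I)
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(url_or_host):
    """Registrable-looking host for a URL or bare host, with a leading www. dropped."""
    host = urlparse(url_or_host).hostname or url_or_host
    return host.lower().removeprefix("www.")

def phishing_indicators(raw_message, claimed_org_domain):
    """Return a list of indicator descriptions found in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    hits = []
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    if sender_domain in FREEMAIL:
        hits.append("sender uses a personal webmail domain")
    elif sender_domain and sender_domain != claimed_org_domain:
        hits.append("sender domain does not match the claimed organization")
    body = msg.get_payload()  # assumption: single-part message, so this is the body text
    if URGENCY.search(body):
        hits.append("demands immediate action or threatens a consequence")
    if SENSITIVE.search(body):
        hits.append("requests sensitive information")
    for href, text in ANCHOR.findall(body):
        if domain_of(href) != claimed_org_domain:
            hits.append(f"link points to {domain_of(href)} rather than {claimed_org_domain}")
        # Visible link text that is itself a URL for a different host is a classic mismatch.
        if text.strip().startswith("http") and domain_of(text.strip()) != domain_of(href):
            hits.append("visible link text and real destination differ")
    return hits

# Constructed sample messages: one suspicious, one benign, both "from" example.com's bank.
SUSPICIOUS = """From: "Example Bank Security" <alerts@yahoo.com>
To: employee@example.com
Subject: Account suspended
Content-Type: text/html

<html><body>Your account has been suspended. Verify your password immediately:
<a href="http://example.net/verify">https://www.example.com/login</a></body></html>
"""
BENIGN = """From: "Example Bank" <alerts@example.com>
To: employee@example.com
Subject: Monthly statement available
Content-Type: text/html

<html><body>Your statement is ready. <a href="https://www.example.com/statements">View statements</a></body></html>
"""
```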
What IT Can Do to Protect the Organization
Moving your workforce to a virtual office model is essential during the pandemic. It’s more important than ever to stay vigilant and watch for nefarious activity. To protect your employees and your organization from the increased phishing scams during COVID-19 and beyond, do the following:
- Train your employees to spot the warning signs, notify IT of any suspicious emails or messages and delete the correspondence.
- Guide employees to access information by going directly to a trusted website to find the data.
- Build a supportive security culture so employees feel comfortable notifying IT immediately, without fear of reprisal, if they do click on a link.
- Test your workforce regularly, analyze the results and educate employees accordingly.
Never be a soft target. Show those cybercriminals who’s boss by downloading our incident response (IR) ebook. Show No Weakness.