In times of crisis, such as the ongoing coronavirus pandemic, there are people who behave in noble, admirable ways. These heroes lift less fortunate souls from difficult circumstances, stay positive and focus on doing the right thing, even when it’s a challenge. These exemplars of humanity’s best qualities are an inspiration to us all.
On the opposite end of the spectrum, we have the hackers who send phishing emails.
Not content with doing their best to ruin the internet during normal circumstances, phishers use crises as launch pads for all kinds of nefarious schemes. As an IT professional, you’re well aware of the risk that phishing poses to your organization, and you’ve no doubt communicated that to your team members on countless occasions.
But although this is less of a new threat and more of the same old threat wearing a wig and an eye patch, you still need to warn your team members about these reconfigured phishing efforts. You can start by explaining the risks of working remotely.
Remote Shouldn’t Mean Disconnected From Security Best Practices
If you’ve ever watched a nature documentary, you know that getting separated from the herd is bad news. A single wildebeest falls behind to check out an interesting patch of grass, and just like that, the lions are on them and it’s all over.
Similarly, cybercriminals try to isolate members of your organization through phishing. They know that many companies have employees working remotely now, and they may send communications designed to look like remote work instructions for a specific employee.
Because these are extraordinary times, an unusual email might not seem as out of place as it normally would. Make sure all members of your organization know which official channels communications about remote work will come through, and give them the details they need to distinguish legitimate company emails from phishing attempts.
How Phishers Are Using Coronavirus
In many ways, phishing emails are not unlike marketing emails on their surface. And, as with marketing, phishing comes with a call to action, a short enticement designed to get a user to click a link, which will often download malicious software. Some tactics to expect include:
Emails that look like they are from the Centers for Disease Control (CDC). Phishers love to play on emotion. They want to get members of your organization to panic just long enough to click on their email. Expect them to use subject lines like “An Urgent Warning From the CDC” or “CDC Update On COVID-19” or even a subtle one like “CDC Guidance for Businesses Working Remotely Due to the Coronavirus.”
Posing as coworkers asking for donations. These emails may appear to be sent by a member of your organization and could include a link to a GoFundMe page, or a similar site, requesting donations for someone infected by the coronavirus. Urge employees to avoid sending these kinds of communications and tell employees never to open these kinds of emails, even if they appear to be legitimate.
Sending communications requesting private information for expense purposes. Many companies are allowing employees to expense equipment purchased for working remotely. Phishers are aware of this and may send communications requesting bank account information for reimbursement purposes. Make sure your employees understand your legitimate expensing process and that they know when and how your company will communicate with them regarding reimbursements.
Pretending to be you. Phishers may send emails that appear to be from your IT department. These emails may have subject lines like, “Regarding Your VPN Access,” or “A Technical Issue With Your Remote Connection.” Remember that many of your company’s employees will be working remotely for the first time. They might not know what legitimate IT communications look like. Explain your policies to them and use a consistent approach to communicating with employees, so they know what to expect.
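The four tactics above share a handful of observable traits: an outside sender wearing the display name of a coworker or of the IT department, a Reply-To that routes answers somewhere other than the From domain, crisis vocabulary in the subject, a request for banking or credential details, and links to hosts the company has never used. The script below is an added example, not code from the original article, showing how a mail team could score inbound messages on exactly those traits before they reach remote staff. The organisation domain (example.com), the internal name directory, the trusted link hosts and the four sample messages are all constructed assumptions for the example.

```python
"""Triage scorer for inbound mail, built from the phishing tactics listed above.

Everything configurable here (domain, directory, trusted hosts) is an assumption
for the example; the sample messages are constructed, not real phishing mail.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
TRUSTED_LINK_HOSTS = {"intranet.example.com", "www.cdc.gov", "cdc.gov"}  # assumed allow-list
# Assumed internal directory: an external sender has no business using these display names.
INTERNAL_NAMES = {"it department", "help desk", "alice chen", "bob ortiz"}
# Lure vocabulary taken from the subject lines and schemes described in the article.
LURE_TERMS = ("urgent", "cdc", "covid", "coronavirus", "vpn access",
              "remote connection", "reimbursement", "donation", "gofundme")
SENSITIVE_REQUESTS = ("bank account", "routing number", "password", "account number")
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def _domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def verdict(score: int) -> str:
    """Identity signals weigh more than vocabulary, so a legitimate CDC notice stays low."""
    if score >= 3:
        return "high"
    return "low" if score >= 1 else "none"


def analyze_message(raw: bytes) -> dict:
    """Score one raw RFC 5322 message and return the reasons, so an analyst sees why."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    haystack = (subject + "\n" + body).lower()

    score, reasons = 0, []
    # 1. Coworker / IT impersonation: internal display name, external address (weight 3).
    if from_domain != INTERNAL_DOMAIN and display.strip().lower() in INTERNAL_NAMES:
        score += 3
        reasons.append(f"display name '{display}' used from external domain {from_domain}")
    # 2. Replies are steered to a different domain than the one that sent the mail (weight 2).
    if reply_addr and _domain(reply_addr) != from_domain:
        score += 2
        reasons.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_domain}")
    # 3. Crisis or urgency lure in subject or body (weight 1, vocabulary alone is weak evidence).
    lures = [t for t in LURE_TERMS if t in haystack]
    if lures:
        score += 1
        reasons.append("lure terms: " + ", ".join(lures))
    # 4. Asks for banking or credential details, e.g. the fake expense reimbursement (weight 2).
    asks = [t for t in SENSITIVE_REQUESTS if t in haystack]
    if asks:
        score += 2
        reasons.append("requests sensitive data: " + ", ".join(asks))
    # 5. Links to hosts outside the allow-list (weight 1).
    hosts = {h.lower() for h in URL_RE.findall(body)}
    unknown = sorted(h for h in hosts if h not in TRUSTED_LINK_HOSTS)
    if unknown:
        score += 1
        reasons.append("links to unrecognised hosts: " + ", ".join(unknown))
    return {"score": score, "verdict": verdict(score), "reasons": reasons}


# Constructed sample messages, one per tactic plus one legitimate HR notice.
SAMPLE_IT_IMPERSONATION = b"\r\n".join([
    b"From: IT Department <support@example-helpdesk.net>",
    b"To: bob.ortiz@example.com",
    b"Subject: Regarding Your VPN Access",
    b"Content-Type: text/plain; charset=utf-8",
    b"",
    b"Your remote connection will be suspended today. Confirm your",
    b"password at https://vpn-reset.example-helpdesk.net/login to keep access.",
    b"",
])
SAMPLE_DONATION = b"\r\n".join([
    b"From: Alice Chen <alice.chen.personal@webmail-example.org>",
    b"To: bob.ortiz@example.com",
    b"Subject: Donation for a coworker with coronavirus",
    b"Content-Type: text/plain; charset=utf-8",
    b"",
    b"Our colleague is in hospital with COVID-19. Please give at",
    b"https://gofundme-example.biz/help today.",
    b"",
])
SAMPLE_EXPENSE = b"\r\n".join([
    b"From: Finance Team <finance@example.com>",
    b"Reply-To: finance-desk@reimburse-example.net",
    b"To: bob.ortiz@example.com",
    b"Subject: Reimbursement for remote work equipment",
    b"Content-Type: text/plain; charset=utf-8",
    b"",
    b"Reply with your bank account and routing number so we can",
    b"process your claim before the end of the week.",
    b"",
])
SAMPLE_LEGIT_HR = b"\r\n".join([
    b"From: HR <hr@example.com>",
    b"To: bob.ortiz@example.com",
    b"Subject: CDC Guidance for Businesses Working Remotely Due to the Coronavirus",
    b"Content-Type: text/plain; charset=utf-8",
    b"",
    b"The latest guidance is on the intranet at",
    b"https://intranet.example.com/remote-work and at",
    b"https://www.cdc.gov/coronavirus.",
    b"",
])

if __name__ == "__main__":
    for name, raw in [("it", SAMPLE_IT_IMPERSONATION), ("donation", SAMPLE_DONATION),
                      ("expense", SAMPLE_EXPENSE), ("hr", SAMPLE_LEGIT_HR)]:
        result = analyze_message(raw)
        print(f"{name:9s} {result['verdict']:5s} score={result['score']}  " + "; ".join(result["reasons"]))
```

The third sample is the instructive one: its From address is internal, so the impersonation check is silent and only the Reply-To mismatch and the request for bank details carry the verdict. That is why the scorer reports reasons rather than a single flag; the legitimate HR notice trips the vocabulary check on "CDC" and "coronavirus" alone and correctly stays low, which is the outcome you want when a real CDC update is forwarded to remote staff.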
Stay Ahead of the Bad Guys
Based on the examples above, it’s clear that phishers are willing to try just about anything to compromise your company’s security. Looking at all the potential avenues of attack may seem overwhelming, but with clear, open communication to employees, you can keep everyone on the same page and secure from phishing attempts.
Crafting organization-specific communications about phishing is certainly wise. But you can also direct employees to more generalized advice about avoiding coronavirus-related scams, such as this collection of tips from the Federal Trade Commission (FTC). The more employees know about phishing tactics and scams in general, the less likely they are to fall prey to them.
Above all else, be proactive about confronting the threats posed by coronavirus phishing. It’s the best way to thwart cybercriminals during this crisis and beyond.