It seems that no matter how other areas of technology evolve, phishing scams remain the biggest threat to cybersecurity. They are so popular, and dangerous, because they rely on getting past a human, and humans can make mistakes.
Phishing is involved in 78% of cyber-espionage incidents and 32% of confirmed data breaches. Phishing is also dangerous because it easily morphs to take advantage of the current crisis event or news of the day.
The most recent subject for phishing campaigns is the COVID-19 outbreak, and several types of emails have been spawned from that theme. All of them have a similar goal of getting users to compromise login credentials or click a link to a site that injects malware into their device.
In less than a month, phishing emails have increased 667% due to the coronavirus pandemic.
If you have employees that are now working from home due to the coronavirus, they could be doubly at risk, because of their isolation from coworkers.
For example, when an employee is at their desk at the office and sees an email that they’re not quite sure is legitimate, they’ll often ask a colleague (or two) at the next desk for their input before clicking on anything. Having more than one eye on a phishing email can often help the recipient catch the scam.
When that employee is working from home instead, they don’t have that colleague beside them to ask. They may make the wrong decision and accidentally inject their work device with malware or put their login credentials into a spoofed Office 365 login page.
Security awareness training on emerging threats and how to avoid them is vital to securing your remote workforce.
COVID-19 Phishing Scams to Watch For
There seems to be no lack of imagination when it comes to the types of scams being used based upon the coronavirus pandemic. Here are some of the biggest to make your employees aware of so they’ll be able to spot them.
Company COVID-19 Policy
This scam involves an email that purports to be from the company’s HR department and can even use the company name in the email. It asks employees to review a new policy related to the outbreak by a certain date.
As with all phishing scams, the link will take the user to a malicious site.
Map of Coronavirus Outbreaks in Your City
Another dangerous COVID-19 phishing scam is an email that uses the World Health Organization logo to fool the recipient. The email pretends to provide a “map of the outbreaks in your city” and includes a link for users to click.
Fake Stimulus Email
Many countries, Australia included, have planned economic stimulus packages to help their citizens in the wake of the outbreak.
The ink is barely dry on those deals and scammers are already taking advantage by sending out phishing emails claiming to give people more information about how to get their stimulus money or directing them to sign up to receive their check.
“Doctors” Offering Medical Advice
One phishing scam going around preys upon the fear people have of contracting the virus. It pretends to be sent from a doctor of a well-known health organisation and offers suggestions on how to keep yourself safe from contracting COVID-19.
Like the others, it includes a link for users to click that will take them to a malicious website.
Teaching Remote Employees to Avoid Phishing Attacks
User awareness training of how to spot and avoid a phishing attack is just as important now as it ever has been. Teach your employees to use the following tactics to avoid becoming a phishing victim.
Get a Second Opinion on Any Unexpected Email
Even if an employee is working from home, they can still reach out for advice on a questionable or unexpected email. Encourage them to connect with colleagues through a cloud application, like Slack or Teams, or use your remote IT support for advice before taking action on any questionable or unexpected email.
Don’t Click Links, Hover Over Instead
Phishing scammers will often use text that hides a true URL. By hovering the cursor over the link without clicking, employees can reveal the real link and many times this immediately reveals the email to be a scam.
Go to Websites Directly
If you receive an email that says it’s a map from the World Health Organization about COVID-19 cases, don’t click that link. Instead, go to the website for that organization directly, so you know you’re on a legitimate site. If they truly have a map, you’ll be able to find it there while avoiding the phishing scam.
Double Check Spellings, Grammar, etc.
Although phishing emails have become more sophisticated and many don’t have misspelled words or grammar mistakes, they can still occasionally be a giveaway.
A more common misspelling to look for is in a URL or email address. For example, one scam purporting to be from the Gates Foundation uses info@gatesfonudation in the “sender” email line. If you’re just glancing over that address, the mistake could be missed, but if you look carefully, you’ll see it’s not the true domain, it has a misspelling in the URL.
Backstop Your Employees with Advanced Email Protection
Keeping phishing out of user inboxes in the first place can greatly reduce your risk of a data breach. Connected Platforms can help you put this into place and improve your IT security for workers in the office or at home.