Phishing scams target remote workers

By Ed Bishop, Chief Technology Officer and co-founder, Tessian

As more employees work from home, people need to be even more vigilant when it comes to phishing attacks. Hackers love emergencies and times of uncertainty, because people are scared, distracted, and vulnerable. This makes them ideal targets for opportunistic cybercriminals looking to steal money, harvest credentials or trick people into installing malware onto their computers.

Businesses, therefore, need to ensure their employees are aware of and protected from the cyber threats. Here are some of the tactics that hackers are using to target people at this time – both at work and on personal devices – and my advice on how you can avoid falling victim to the scams.

• Posing as a third party

Businesses will rely on remote-working tools to ensure employees stay connected while working from home. Knowing this, hackers can impersonate popular web conferencing applications, by directly spoofing the domains, in order to trick staff into clicking links that will ‘activate their web conferencing accounts’, for example.

Always be less trusting of any email asking you to take an action. Look beyond the branding of the email or the display name and examine the full email address of the sender, and any URL, carefully. For example, does the URL look legitimate when you hover over the link? What’s more, your organisation should always send internal communications to let staff know they’ve implemented new tools or platforms. You shouldn’t be hearing about it from the third-party first.

• Impersonating the out-of-office boss

Attackers will also impersonate senior executives such as the CEO, the CFO, or the Head of HR, leading with messages that say “need to get hold of you. Please can you send me your personal phone number as I need you to do something for me” or “I’m having trouble logging onto our system, please could you action this payment?” Impersonating a person in power is a common tactic in social engineering schemes. And by working remotely, it’s harder for a person to verify if the request is legitimate.

In this case, ask yourself, “would I normally be asked to share this information or pay this invoice?” and “would a senior executive ask me to share personal information over email?” If you do receive such a message, I would also urge you to contact the person who requested you to do something – via an internal channel like Slack or an SMS – to confirm it was them before complying with any urgent requests.

• Impersonating a trusted institution

We are seeing a growing number of phishing attacks whereby hackers impersonate trusted institutions like the World Health Organisation (WHO), insurance companies and banks to trick people into clicking links to fake websites or downloading malicious attachments. These attacks might ask you, for example, to confirm personal details – which can then be used to try and access your legitimate accounts. The message might also include malicious links asking you to sign in and ‘confirm you are safe‘ or ‘confirm you haven’t travelled to recent affected COVID-19 countries‘.

If you’re ever unsure, do not click the link, download an attachment or comply with the request. Search for the institution online and find a support contact number, so that you can ask them to confirm whether the communication is valid. Remember, all valid email correspondence from WHO will come from @who.int, not any other variation. And like many other organisations, WHO has stipulated they will never send unsolicited emails containing attachments.

• Taking advantage of unfamiliar environments 

Working from home can be an unfamiliar environment for many employees. We are using smaller screens as we rely on our laptops and mobiles, and many people will be working in homes shared by others, be it housemates or family members, so there are bound to be new distractions. This increases the likelihood of people making mistakes at work. Hackers will be banking on this. So be careful and take an extra minute to check the legitimacy of an email, verify the identity of the sender, and consider whether their actions are putting sensitive or personal information at risk.

During these uncertain times, it’s important that businesses advise customers and employees on the threats on email they could be exposed to while working remotely. People need to know what they will and will not ask for via email, phone, or text so they can understand if something is out of the ordinary. Remind employees about best security email practices, and ensure these security measures are put into place in both their working and personal lives to avoid falling for the scams.