Big Phish, little phish

There is one segment of our society that is busier than ever - the cybercriminals. The predicament that we currently find ourselves embroiled in is a perfect environment for the underbelly of the IT world to strike.

We are bombarded with information, mostly scary, by email, social media, TV and online, every hour of every day.

Most of the communications we receive about the pandemic encourage taking immediate action, and this is the language of Phishing attacks. For the sake of clarity, here is the definition of Phishing:

Most of us are working in an abnormal environment, from home (and it's getting more abnormal every day) away from colleagues and using tools that we are unfamiliar with, tools such as Microsoft Teams and Zoom, online training courses and webinars for example. We are probably working on our home PCs which don't have the same protections installed and whose software might not be as up to date as our office computers. This environment represents a perfect storm and makes everyone ripe for exploitation.

To quantify this threat - in March Phishing attacks increased by 67% and Ransomware attacks increased by a whopping 148%. Almost all of these attacks, 91%, come through Phishing emails - some of the more common ones impersonating trusted brands like Microsoft or Zoom. Emails purport to be from our CEO, COO or HR Department, telling us how and when the office will open up, or asking us to complete a questionnaire.

There are appalling emails pretending to be from Social Welfare or Revenue, requesting that we provide further information so that a payment will proceed - all with a sense of urgency and the threat of losing money.

Other particularly heartless scams are the fake Covid 19 messages pretending to be from the Government or the World Health Organisation. They mirror genuine messages sent by these bodies, with advice on how to keep safe and a lethal link to a website for further information (infection).

Some frequent Phishing attempts include: 

  • Invite to join colleagues or a customer in a Zoom or Teams meeting - it will look genuine and have a button to join the meeting, but once you click it, malware will download to your PC and then they've got you.

  • Emails from Microsoft advising you to click to update your software or advising that to keep your PC working or your Microsoft Office 365 account accessible you must take action NOW.

  • A very cynical one, when orders are so scarce, is a purchase order sent to a business owner or salesperson - who can’t resist the prospect of business in these tough times, so caution is often thrown to the wind and bang the bad guys win. Or a customer sending a file to you, which looks genuine but is, in fact, a piece of malicious code.

Life is hard enough at present, and you don't want to add to it by losing money or critical data to criminals. An attack such as Ransomware, where the criminals encrypt your crucial business data and files and you have to pay a ransom to get them unlocked, can often close a business for good.

OK, enough of the bad news - what can we do to help avoid getting Phished? Well here are some tips and things to look out for:

  • When you receive an email, ask yourself whether it looks genuine.

  • Check the email address - many scammers will use an email address that looks genuine but isn't. For example, an email that usually comes from brian@route2.ie instead comes from brian@route2-security.ie or brian@route2.it. At a glance they may appear legitimate; on inspection, however, you can see they aim to fool recipients.

  • Never click a web link in an email - if you hover your mouse over it (don't click) then the actual address appears in the bottom left of your window. If you want to go to that website link, then open a browser window and type the genuine link address in yourself.

  • Try to get into the habit of typing web addresses into the address bar of your browser and not Googling them. When you Google a company, the results may include a link to a fake website, one that ranks higher in the search results than the official company website and contains malicious code.

  • Check that the subject of the email and the content of the email body match up. If there are a lot of misspelt words, or the email is written in poor English, be cautious.

  • Don't reply to the email asking if it is genuine; use another form of communication to establish its bona fides.

  • If asked to call someone in the email, check the number matches the one listed on their website.

  • Any email asking you to pay money into a new bank account should ring alarms.

  • Lastly and most importantly - get yourself and your staff trained on how to spot Phishing attacks.
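The two checks above that a machine can help with are the sender-address check and the "what does the link really point to" check. The script below is an added example, not code from the original post: it compares the From: domain against a small allowlist of trusted domains (an assumed list, using the route2.ie example from the post), flags lookalikes such as the same name under a different TLD or with an extra hyphenated suffix, and lists links whose visible text names one host while the real href points at another. The email it analyses is constructed for the example.

```python
"""Flag lookalike sender domains and mismatched links in a raw email.

Added example. TRUSTED_DOMAINS and the sample message are assumptions
constructed for illustration, not data from the original post.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: the domains the reader normally receives mail from.
TRUSTED_DOMAINS = {"route2.ie", "microsoft.com", "zoom.us"}

# Constructed sample: sender uses route2.it instead of route2.ie, and the
# second link shows a microsoft.com address but really points elsewhere.
RAW_EMAIL = """\
From: "Brian" <brian@route2.it>
To: staff@example.com
Subject: Join today's Teams meeting
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="http://teams-join.example.net/m/42">Join the meeting</a>.</p>
<p>Or use <a href="http://teams-join.example.net/m/42">https://teams.microsoft.com/l/meetup-join</a></p>
</body></html>
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches single-character swaps like micros0ft."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(msg) -> str:
    """Domain part of the From: address, lower-cased."""
    addr = parseaddr(msg["From"])[1]
    return addr.rsplit("@", 1)[-1].lower()


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' relative to the allowlist.

    The lookalike rules are heuristics: same first label under another TLD
    (route2.it), a hyphenated extension (route2-security.ie), or a label
    within edit distance 2 of a trusted label.
    """
    if domain in trusted:
        return "trusted"
    label = domain.split(".")[0]
    for t in trusted:
        t_label = t.split(".")[0]
        if label == t_label or label.startswith(t_label + "-"):
            return "lookalike"
        if edit_distance(label, t_label) <= 2:
            return "lookalike"
    return "unknown"


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html: str):
    """Links whose visible text looks like an address on a different host.

    Plain labels such as "Join the meeting" carry no host to compare, so they
    are skipped; the reader still has to hover over those.
    """
    parser = LinkCollector()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        if " " in text or "." not in text:
            continue
        real = urlparse(href).hostname or ""
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if shown and shown != real:
            found.append((text, real))
    return found


def analyse(raw: str) -> dict:
    """Parse a raw RFC 5322 message and report sender and link findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    domain = sender_domain(msg)
    return {
        "sender_domain": domain,
        "verdict": classify_domain(domain),
        "mismatched_links": mismatched_links(html),
    }


if __name__ == "__main__":
    for key, value in analyse(RAW_EMAIL).items():
        print(f"{key}: {value}")
```

For the constructed message the verdict is "lookalike" (route2.it shares its name with the trusted route2.ie) and the second link is reported because its text shows teams.microsoft.com while the href goes to teams-join.example.net. The edit-distance rule is deliberately loose; on a real allowlist with short names it will produce some false positives, which is the right trade-off for a prompt that only asks the reader to look more closely.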

Training is the best way to turn yourself and your team into Human Firewalls. It is a regime of testing, training and testing again.

To set up a free seven-day trial with one of the world's leading providers of Phishing testing and training - KnowBe4 - contact me here. This trial will allow you to see how susceptible your staff are to Phishing attacks and provide them with training to improve their awareness levels. It will also let you evaluate how well the service works and the benefits it offers.

With the criminals becoming more and more sophisticated in their attacks, you and your staff need to stay up to date with the threats currently in the wild.