With working from home now a deeply entrenched part of our 9-to-5 lives, we’ve had to become accustomed to a new set of challenges – from ensuring we stay productive to making our work/life balance more distinct. One area that we may have ended up neglecting, however, is our approach to cybersecurity.
At the beginning of the coronavirus pandemic, and the resulting shift to working from home, many businesses may not have taken the time to educate their employees on proper security protocol. Amidst the confusion and disarray, we’ve seen a large surge in the number of phishing attacks, with scammers taking advantage of weak links in a business’ security provision.
And it’s perhaps easy to see why: employees across the globe have moved from the trusted, secure networks of their office to remote locations. As networks spread across more locations, they become harder to secure, giving cybercriminals more opportunities to exploit vulnerabilities.
So, while we socially distance ourselves from each other, it’s crucial that we shield our work networks from scams, cyber attacks and phishing too. Here, we’ll offer IT leaders – and employees themselves – some practical advice for safeguarding their operations during these challenging times.
- What is a phishing scam?
- How can you prevent phishing attacks while working from home?
- What is delayed phishing?
What is a phishing scam?
Although IT leaders will be well versed in what constitutes a phishing scam, it’s important that everyone stays educated on the matter. Employees may have heard the term before but may not necessarily know what phishing entails. As a leader, it’s a good idea to inform the rest of the company of its definition, so they know what it is they’re supposed to be vigilant of.
As for a basic definition, let them know that phishing is a type of cybercrime whereby an individual is contacted by someone pretending to be an institution, organisation or individual to get confidential information about them. Such information includes passwords, banking details and personal data, which is then used to access the accounts of the target – often leading to significant financial losses. When targeting businesses, such attacks can also lead to the loss of sensitive company information.
Traditionally, phishing scams happened over email. However, the means by which cybercriminals carry out their attacks have developed. Lately, there has been a rise in the number of phishing scams carried out via text message (smishing) and phone calls (vishing), so make sure your colleagues don’t fall foul of these either.
How can you prevent phishing attacks while working from home?
Know the telltale signs of a phishing email
Make sure your staff are kept abreast of what a phishing email looks like. Often, there are several giveaways that instantly expose a phishing email for what it is, including:
- Poor spelling, grammar and punctuation: Phishing emails often originate from overseas, so if the grammar and spelling of the email you’ve received are sloppy or substandard, take note. Likewise, if any of the logos or graphics it contains are low quality, it has probably not been sent by the organisation it purports to be from.
- Who it’s addressed to: Is the email actually addressed to you, or have they referred to you as “dear customer”, “valued friend” or some other disingenuous term of address?
- Veiled threats and/or overly pushy tone: If there is an odd sense of urgency to the email, it’s because the attacker wants you to act without thinking in response to time-specific requests. This is done so you provide information without properly checking the links, attachments and files contained within the email or text.
- Unfamiliar links: Think twice before clicking on a link contained in a suspicious-looking email. If you’re unsure of its contents, then hover over the links before clicking on them and read the actual URLs they’re pointing to. Are they going to take you to a URL you don’t recognise? Stay on the safe side and don’t click it.
- Unusual requests: If someone is suddenly asking you to send a wire transfer, then it’s probably a scam – especially if it’s from someone you know. Similarly, look out for emails from senior members of staff that seem out of character. Get in touch with the actual person and verify whether the email is real.
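The telltale signs above can be turned into a simple automated triage check. The following is an added example, not code from the original article or from CDL: it looks for a generic salutation, urgency language, and links whose visible text disagrees with where the `href` really points or that lead to a domain outside a trusted list. The trusted domains, the keyword lists and the sample email are all constructed for illustration, and the heuristics are deliberately coarse; they are a prompt for a human to look closer, not a verdict.

```python
"""Heuristic checks for the phishing tell-tales listed in the article.

Added example, not part of the original article. The sample email, the
trusted-domain list and the keyword lists are constructed for illustration.
Uses only the Python standard library.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains this (hypothetical) organisation expects links to point at.
TRUSTED_DOMAINS = {"example-corp.com"}

GENERIC_GREETINGS = ("dear customer", "valued friend", "dear user", "dear account holder")
URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be suspended",
                   "urgent", "act now", "final notice")


class _LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _host(url_like):
    """Lower-cased host of a URL or bare domain, with a leading 'www.' dropped."""
    if "://" not in url_like:
        url_like = "http://" + url_like
    host = (urlparse(url_like).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _in_trusted(host, trusted):
    return any(host == d or host.endswith("." + d) for d in trusted)


def inspect_email(html_body, trusted=TRUSTED_DOMAINS):
    """Return human-readable findings; an empty list means no tell-tale triggered."""
    findings = []
    text = " ".join(re.sub(r"<[^>]+>", " ", html_body).lower().split())

    # 1. Generic salutation instead of the recipient's name.
    for greeting in GENERIC_GREETINGS:
        if greeting in text:
            findings.append(f"generic greeting: '{greeting}'")
            break

    # 2. Pushy tone / artificial urgency.
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # 3. Links: does the visible text agree with where the href really goes,
    #    and is that destination a domain we recognise?
    parser = _LinkCollector()
    parser.feed(html_body)
    for visible, href in parser.links:
        target = _host(href)
        shown = _host(visible) if re.search(r"\w\.\w", visible) else ""
        if shown and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")
        if target and not _in_trusted(target, trusted):
            findings.append(f"link to unrecognised domain: {target}")
    return findings


# Constructed sample: a lookalike-domain lure dressed up as a payroll notice.
SAMPLE_EMAIL = """
<p>Dear Customer,</p>
<p>Your payroll account will be suspended within 24 hours unless you verify it.</p>
<p>Verify here:
<a href="http://example-corp.com.verify-login.net/x">https://payroll.example-corp.com/login</a></p>
"""

if __name__ == "__main__":
    for finding in inspect_email(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the constructed sample, all three categories fire: the greeting, two urgency phrases, and a link whose text shows `payroll.example-corp.com` while the `href` goes to `example-corp.com.verify-login.net`, a host that merely begins with the trusted name. Matching on the real hostname rather than on the visible string is the point of "hover over the link and read the actual URL".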
Be mindful of the texts you receive
If your work-related texting has increased as a result of working from home, then watch out for the SMS-based scams attackers are taking advantage of. Clicking the links they contain can lead to malware being installed on employees’ phones, leaving the information stored on them ripe for the picking.
To protect against this, encrypted messaging apps that provide end-to-end encryption can be used for work-related communication instead. Additionally, setting up specific protocols for work-related texting can help here too – for instance, never texting passwords or other sensitive information, and never sending files via text.
Keep your VPN turned on
Short for virtual private network, a VPN protects the data you send and receive while working remotely, providing a secure, encrypted link between employees and the business. It’s important, therefore, that you always keep your VPN turned on. It stops cybercriminals from seeing what you do during your core business hours, which more often than not includes sending or receiving financial information, strategy documents and customer data. A VPN ensures that such information is properly protected.
Use a password manager
It’s best practice to have a password manager in place anyway, but perhaps more so when working from home. A password manager keeps all your accounts safe by storing difficult-to-guess passwords for you, ensuring that employees don’t keep reusing the same passwords across multiple accounts. Additionally, many password managers allow administrators to set policies that require passwords to be of a certain complexity and length, and to be updated after a certain amount of time.
What is delayed phishing?
An emerging threat that users should be aware of, delayed phishing involves luring the target to a fake site using a technique known as a Post-Delivery Weaponised URL. The attacker replaces the online content with a malicious version only after the email linking to it has been delivered. This fools the filtering algorithms, which find the URL in the text, scan the linked site, ostensibly see nothing dangerous there, and allow the message through.
After delivery – and typically before the message has been read – the attackers change the message links or activate malicious content on a previously harmless page. The new content could deliver malware, but usually it’s a phishing site.
This means we have to be especially vigilant about content that may look innocent enough. As well as the tips mentioned above, rescanning the inbox is usually the best defence. If your business uses a Microsoft Exchange email server, this is doable: Kaspersky Security for Microsoft Exchange Server supports mail server integration, allowing messages already in mailboxes to be rescanned. When properly configured, the scan schedule ensures detection of delayed phishing attempts without putting undue stress on the server during peak mail times.
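To make the rescanning idea concrete, here is an added example in plain Python that is not part of the article and does not model any Kaspersky product. It shows why a one-shot gateway scan misses a post-delivery weaponised URL: a message is scanned against the intelligence available when it arrives and passes; later the domain behind its link is listed, and only a second pass over mail already sitting in the mailbox catches it. The messages, domains, blocklist entries and timestamps are all constructed for illustration, and the "blocklist" stands in for whatever reputation feed a real product would consult.

```python
"""Re-scanning delivered mail for post-delivery weaponised URLs.

Added example, not part of the article or of any vendor product. A URL that
looked clean when a message arrived is re-checked against the latest
intelligence after delivery. All messages, URLs, blocklist entries and
timestamps are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


@dataclass
class Message:
    msg_id: str
    received_at: int            # constructed: minutes since an arbitrary epoch
    body: str
    quarantined: bool = False
    urls: list = field(default_factory=list)

    def __post_init__(self):
        # Extract the URLs once at delivery; the body text itself never changes,
        # which is exactly why the attacker weaponises the *destination* instead.
        self.urls = URL_RE.findall(self.body)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def url_is_bad(url, blocklist):
    """True if the URL's host, or any parent domain of it, is on the blocklist."""
    parts = host_of(url).split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def scan(messages, blocklist):
    """Quarantine any message linking to a known-bad host; return the flagged ids."""
    flagged = []
    for m in messages:
        if any(url_is_bad(u, blocklist) for u in m.urls):
            m.quarantined = True
            flagged.append(m.msg_id)
    return flagged


def rescan(mailbox, blocklist, now, window_minutes):
    """Second pass over already-delivered, not-yet-quarantined messages.

    Only messages received within the window are re-checked, bounding the work
    per run so the server is not hammered at peak times. Returns the ids that
    were clean at delivery but are bad now: the delayed-phishing cases.
    """
    candidates = [m for m in mailbox
                  if not m.quarantined and now - m.received_at <= window_minutes]
    return scan(candidates, blocklist)


def timeline():
    """Constructed scenario; returns (delivery_flags, rescan_flags, mailbox)."""
    mailbox = [
        Message("msg-A", received_at=0,
                body="Please review the shared invoice: https://docs.example-share.net/invoice"),
        Message("msg-B", received_at=0,
                body="Reset your password at https://known-bad.example/login"),
    ]
    blocklist = {"known-bad.example"}           # intelligence available at delivery
    delivery_flags = scan(mailbox, blocklist)   # only msg-B is caught

    # Later, the page behind msg-A's link has been swapped for a phishing site and
    # the feed now lists its domain. The gateway never sees this message again;
    # the mailbox-side rescan does.
    blocklist.add("example-share.net")
    rescan_flags = rescan(mailbox, blocklist, now=45, window_minutes=120)
    return delivery_flags, rescan_flags, mailbox


if __name__ == "__main__":
    at_delivery, at_rescan, _ = timeline()
    print("flagged at delivery:", at_delivery)
    print("flagged on rescan:  ", at_rescan)
```

The window passed to `rescan` is the knob the article alludes to when it talks about scan timing: wide enough to cover the gap between delivery and the moment a user opens the message, narrow enough that each pass touches only recent mail.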
CDL is one of the UK’s leading IT disposal companies, working to help private and public businesses and organisations safely retire and recycle their outdated IT assets. To find out how we could help your business, or more of the latest tech news and advice, visit our homepage or call our team today on 0333 060 2846.