To every phishing attack there is a season. And since scam artists love a disaster, right now phishing is fine during pandemic season.
Take a look at a couple of headlines, from just this past month.
From CNN:
Beware of these fake text messages and robocalls going around about the coronavirus
From CBS News:
Stimulus check recipients a target for scams, officials warn
Phishing exploits pose a greater threat to business today than they did before the coronavirus arrived. When we were back in our offices, we had the systems, firewalls, protocols and people that monitored and protected our employees from exploits (and sometimes from their own mistakes). Even with all the protection, some phishing attacks made it through. Security teams, like mine, know phishing is one of the major reasons an organization gets compromised. And we know that now, with your employees at home, possibly using public networks for their work connections and their email, an important layer of protection no longer exists.
I read about new phishing exploits all the time: N95 masks, cheap hydroxychloroquine, tests, cures and vaccines. And once the stimulus was announced, the attempts began to include efforts to get hold of individuals’ stimulus payments. Now, ransomware has reared its head: "I know where you live. If you don't pay me so much in Bitcoins, I'm going to come and infect your house."
The coronavirus will move and shift its shape and rise and subside over time. The phishing exploits will keep in steady step with it, every step of the way. And don’t expect the threats to end the day we head back to work. When that happens, your employees will be safer behind all the protections you have in place for your business, but they’ll still be vulnerable and will need to stay on alert.
The (very) good news is that—mirroring our response to the virus itself—we can all protect ourselves with basic technology hygiene, on two fronts:
- Transfer all the protective gear on your corporate networks to the home environment. If you can, require your employees to connect directly to your corporate network with a VPN or whichever method you use. Please don’t think it’s too late: it’s certain the phishing attacks are going to increase before they stop.
- Send your team regular reminders about the basic care they have to take before clicking a link in an email, text or social post. Know the sender. Check the link URL. Take it as a matter of fact that nobody credible is going to pitch face mask purchases, or COVID-19 cures, or vaccines over email.
The attackers are relentless, and you and your team—whether in the office or at home—need to be equally relentless in your diligence and care when handling the influx of messages to your email, SMS, phones, Facebook accounts and more. You can’t stop attackers, but with the right mix of strong technology and smart behavior, you can keep the door shut on them.