With the coronavirus pandemic consuming attention and companies focusing on implementing safety, readiness and response measures, a surge in potentially harmful phishing scams has emerged. As organizations manage a host of coronavirus-related challenges, they may drop their guard or unknowingly implement policies that increase the risk of suffering an attack.
Unfortunately, criminals often attempt to take advantage of disaster scenarios to exploit lapses in protections and controls. They use social engineering tactics that prey on a variety of emotions to manipulate people; in this scenario, the emotion they are attempting to exploit is fear.
Currently, we are seeing two grades of attacks. The first is fairly low-grade, with hackers sending deceptive emails with no target in mind, pretending to be the PHAC, Red Cross or other entities tied to coronavirus information to trick users into clicking on links and attachments that infect systems and steal information.
However, a new level of attacks targets individual companies, presenting fake coronavirus alerts or guidance that looks like it is authored by specific members of organizational leadership, often from the C-suite. By using a familiar name or face, these attacks have a much higher success rate.
Further complicating the issue, many companies have understandably sent employees home to work remotely, but the same level of security controls and protections often doesn't extend to home networks.
To mitigate these risks, midsize companies can take three important steps to safeguard against these emerging phishing scams:
1. Get in front of the issue by communicating the risks
Organizations must get out in front of these scams by proactively communicating how they will distribute critical alerts and information. Leadership should detail how they will communicate, cover what would and would not be requested from employees and stress the importance of going to official company communication channels regularly for updates and to validate any suspicious information.
2. Make it personal
The risks to company data and information also extend to personal networks. Emphasizing that attackers pose a threat to family communications as well as to companies will likely garner more attention. Employees will get the point in terms of company data, while also appreciating the encouragement to act regarding personal data.
3. Communicate and evaluate remote work security policies
Companies must ensure they have communicated the rules and risks of working outside the corporate environment. In many cases, security protections and firewalls that are in place inside the office simply don’t protect devices that access the network remotely. Companies will often need to consider network or security changes to equalize security protections inside and outside of the office.
As coronavirus fear and uncertainty increase, hackers will continue to try to exploit companies with phishing attacks. By spreading awareness of the potential threats, communicating how they may extend into personal affairs and making necessary adjustments to security policies to account for increased remote work, companies can go a long way toward better protecting themselves against emerging and persistent phishing risks.