This article is part of our ongoing coverage of the fight against coronavirus.
As the world scrambles to deal with the coronavirus (COVID-19) pandemic, social distancing is the best solution we currently have at our disposal to contain the spread of the dangerous virus. For most organizations, companies, and government agencies, this means they must recommend or instruct their employees to work from home and avoid congregating at offices, where they risk becoming exposed to coronavirus contamination.
But while remote working provides much-needed protection against COVID-19, it will also open a Pandora’s box of cybersecurity and privacy threats. Among the growing threats are phishing scams, social engineering attacks that trick their victims into downloading malware or revealing sensitive information.
Attackers usually take advantage of chaos and confusion to make their phishing emails look more convincing. And the coronavirus crisis is one of the most confusing times we’ve been going through in the past decades, creating the perfect storm for phishers.
According to Barracuda Networks, phishing attacks have seen a 667-percent surge from February to March, as the coronavirus spread took on pandemic proportions and many countries are imposing city-wide quarantines and lockdowns.
Here are a few tips to stay safe as you adjust to your new work environment and culture.
The COVID-19 lockdown has made you a more valuable target
Before considering your own security and privacy threats, you need to look at things through the eyes of the attackers. Cybercriminals are always preying on unwary users, tricking them into clicking on malicious links or downloading malware-infected attachments. But in general, attackers go after targets that provide the most value and are easier to target.
Previously, attacking you in your home would provide hackers access to your personal documents, home security camera feeds, and smart home devices.
But with home networks becoming professional work environments during the coronavirus lockdown, cybercriminals have a much bigger incentive to target them. Now, breaking into a home network can potentially provide a gateway for hackers to steal valuable business data or gain a foothold into the remote work network.
Therefore, the first security preparation measure for the COVID-19 work-from-home is to acknowledge the reality that you’ve become a much more valuable target.
Beware of coronavirus-related phishing attacks
Any email that claims to provide COVID-19-related information should be eyed with suspicion. Things such as news about the coronavirus cure, or a downloadable guide to avoiding contracting the virus are perfect guises for phishing attacks. Be very careful of such emails, especially if they contain attachments or external links.
Don’t forget: Your main source of information about COVID-19 should be official bodies such as the World Health Organization or your national health authority, such as the CDC or the NHS.
But you should exercise caution even when dealing with official sources.
Earlier this month, security researchers at Sophos spotted phishing campaigns that impersonated WHO officials. One email claimed to provide safety measures against the novel coronavirus. The email contained a link to a clone of the WHO website, but which contained an extra detail: It asked for your email password.
Security Tip: A public information website should never ask for your email password. At most, they might ask for your email address to send you newsletters. In these trying times, my general advice is to directly get your information from the WHO coronavirus page instead of cliking on email links.
Another phishing attack was targeted at Italy, where the infection and death toll have been alarmingly high. The email contained a message that apparently came from an Italian WHO urged the users to download the attachment, a Word document that contained ransomware, a type of malware that encrypts the files on your computer and keeps you locked out until you pay a ransom to the attacker.
Hackers often hide their malware in macros, bits of code that run in MS Office documents. The threat has been so severe that Microsoft introduced macro-less documents (.docx, .xlsx, .pptx, etc.) and disabled macros on all Office applications by default. But the attackers try to trick the recipients into disabling Word’s security features to run the macros and encrypt their files.
Another phishing campaign discovered by IBM used macro-embedded attachments in emails that purported to provide COVID-19-prevention tips to spread a known trojan that steals information from users.
Security tip: Official organizations usually send their public statements as PDF files. It is a universally adopted format and most devices and operating systems can view it by default. Organizations seldom use Word documents to broadcast information, and they almost never use old-fashioned macro-embedded files. So, whenever you see a Word attachment, consider it a red flag. Again, if WHO seems to be sending a general statement or document to you, there’s a very likely chance that they’ve also published it on their website. It might take you a few minutes to search the WHO website for the document, but you’ll be much safer.
Phishing attacks targeted at remote workers
Campaigns specially targeted at remote workers and students is the new trend of phishing attacks during the coronavirus lockdown.
There have been several cases where students have received emails that seemingly came from university officials and claimed to provide updates about the coronavirus lockdown. The emails prompted users to click on links that redirected them to websites that required the entry of university login information.
In one case, discovered by Abnormal Security, the attackers were impersonating a university’s board of trustees to lure users to a website that stole their credentials.
Other phishing scams prey on employees who are just getting started on remote work. One campaign discovered by security vendor Cofense pretended to come from the human resources department of a company and prompted the recipient to click on a link and enter their credentials to enroll for a remote work program. The email also stated a deadline to create urgency.
Other emails claim to come from IT staff and prompt users to install software or provide their work application credentials.
Security tip: Be very wary of any work-related email you receive, especially if it seems to come from a very general source such as a department or someone you don’t personally know. If it asks for information or asks you to click on a link, be even more suspicious. There are always ways to verify such claims. For instance, you can call the department or person in question by phone or through your collaboration messaging tool (Teams, Slack, etc.).
Strengthen your account security during the coronavirus lockdown
Phishing capitalizes on human error, and at the end of the day, any of us might fall victim at some point. While we’re still dealing with the confusion of the coronavirus lockdown, here are some general security tips that will add to your layers of defense against phishing scams:
- Enable two-factor authentication (2FA): Most online applications, including corporate services, support two-factor authentication. 2FA requires users to provide an extra token of ownership (mobile app, physical key, fingerprint, etc.) when logging in from a new device. With 2FA enabled, even if a hacker steals your password, they still won’t be able to access your account because they don’t have the 2FA token.
- Keep your endpoint security tool updated: Make sure you have a reliable antivirus. Security companies are constantly updating their malware signatures to spot and block new strains of malware that are appearing every day. Most popular antimalware tools also provide web and email protection and can help you in spotting phishing emails.
- Promote the security culture: Share these tips with your colleagues and coworkers. Like the coronavirus, security is also a team effort. A single careless person can compromise the security and safety of everyone.