COVID-19 has created a perfect environment for spear phishing attacks, and remote workers are low-hanging fruit for hackers. Amid lockdowns, hackers’ attention turned to the millions of employees working from home, coffee shops, libraries and just about anywhere who aren’t operating on secured company networks. Here, Matt Lindley, COO and CISO of NINJIO, advises employees to take extra precautions and stay cautious so that they don’t make themselves or their organizations vulnerable to a spear phishing attack.
Consider all the digital spaces where you feel perfectly comfortable sharing your most sensitive personal information. On your bank’s website, you enter your account number and password without a second thought; on dozens of retailers’ websites, you enter your credit card number on a regular basis; and so on. Many of our online interactions require trust, but this can lead to a sense of complacency, which makes us vulnerable to cyberattacks.
Hackers prey on their victims’ trust. One of the most common cyberattacks is phishing. Scammers send fraudulent emails or other digital communications to steal login credentials, financial information, or any other material that can be used to coerce or defraud a victim. Spear phishing is particularly effective because it relies on targeted (and often personalized) messages that are harder to spot as illegitimate, which is why it has become one of the most common cyberattacks ‒ particularly as millions of professionals continue to work from home.
How and Why Spear Phishing Works
According to the most recent data from the FBI’s IC3 Internet Crime Report, there were more victims of phishing in 2019 than any other type of cyberattack (which led to $57 million in losses). CrowdStrike found that more than one-third of successful network breaches “began with a spear-phishing attack” in the same year. Why are these attacks so successful, and what does this tell us about thwarting them?
Spear phishing attacks often attempt to convince users that they have to take immediate action to avoid some undesirable outcome, such as having an account shut down or paying a financial penalty. For example, a spear phishing email may announce that your subscription to your favorite streaming service is about to be canceled if you don’t update your payment details. Some of these schemes are so elaborate that they take users to a fake landing page (complete with the company logo and a legitimate-looking user interface), which asks them to input their credit card number or other sensitive information.
These attacks play on many of our most basic vulnerabilities – the trust we place in the companies and institutions we regularly engage with; our susceptibility to threats and other forms of coercion (many hackers go well beyond streaming services and retailers by impersonating, say, the IRS or the Social Security Administration); and our curiosity about public health information, special offers, and other enticing forms of content. Unfortunately, with COVID-19 and the influx of remote work, hackers have a whole new set of weapons in their arsenal.
Working Remotely Increases Cyberthreats
Working remotely doesn’t just change employees’ interactions with their colleagues, their schedules, and their work environments – it changes how they work. According to a recent Tessian survey, 48% of employees report that they’re “less likely to follow safe data practices when working from home.” More than half of employees somewhat or strongly agree that they can “get away with riskier behavior” outside the office – a proportion that spikes to 59% for employees between the ages of 18 and 30 and 62% for employees who are 31 to 40.
The survey found 72% of American employees say they’ve sent misdirected emails, while 82% have sent unauthorized emails. Among the employees who say they’re less likely to observe safe data practices while working remotely, half attribute this behavior to the fact that they aren’t using their usual devices. Slightly fewer than half say it’s because they have less oversight or too many distractions. These admissions clearly demonstrate that working remotely has a direct impact on employee behavior.
One of the most common attack vectors for spear phishing is email. Considering the number of employees who acknowledge that their email usage is irresponsible (and admit that they’re tempted to take greater risks when working remotely), it’s clear that hackers who use spear phishing have more opportunities than ever to infiltrate companies’ secure systems and create all kinds of havoc. This is why companies need to make cybersecurity a top priority as employees continue to work remotely for the foreseeable future.
Employees Are Fully Capable of Preventing Spear Phishing From Anywhere
According to a 2020 survey conducted by Pulse Secure, phishing is one of the attack vectors IT leaders are most concerned about as employees continue to work remotely (more than two-thirds cite it as a top threat). Other major concerns include the security of home and public WiFi, the use of personal devices, and company data being leaked.
But the “biggest security challenge” cited by IT leaders encompasses all of these issues: a lack of user awareness and training. It’s essential for employees to recognize that their use of security tools and practices such as VPNs, multi-factor authentication, and regular software updates must be consistent across devices. In fact, it’s all the more important for employees working from home to take extra precautions, as they aren’t on secure company networks and they don’t have access to on-site IT support.
Here are a few more ways to stay safe from spear phishing attacks while working from home:
- If possible, avoid using personal accounts and devices for work-related activities
- Double check domain names, email addresses, and all other identifying information to ensure that you’re only visiting legitimate sites and interacting with real colleagues
- Confirm requests for information (especially if these requests involve money) by independently corroborating them with the businesses and institutions in question
- Be suspicious of communications that sound coercive or threatening, even if they appear to be from organizations you trust
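The "double check domain names and email addresses" step in the list above can be partly automated on the mail side. The following Python sketch is an added example, not part of the original article; the trusted domains, the sample messages and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains your organization really uses (constructed, reserved TLD).
TRUSTED = {"corp.example", "bank.example"}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower().rstrip(".")

def check_sender(raw_message):
    """Return warnings for one raw RFC 5322 message (empty list = nothing flagged)."""
    msg = message_from_string(raw_message)
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    warnings = []
    if sender not in TRUSTED:
        # Internationalized labels can render as look-alike characters.
        if any(label.startswith("xn--") for label in sender.split(".")):
            warnings.append("punycode domain: " + sender)
        # One or two changed characters from a trusted domain is a typical look-alike.
        for good in sorted(TRUSTED):
            if 0 < edit_distance(sender, good) <= 2:
                warnings.append("lookalike of %s: %s" % (good, sender))
    # Replies silently routed to a different domain than the visible sender.
    if reply_to and reply_to != sender:
        warnings.append("Reply-To domain differs from From: " + reply_to)
    return warnings

# Constructed sample messages (not real traffic).
SAMPLE_OK = 'From: "Payroll" <payroll@corp.example>\nSubject: Payslip\n\nAttached.'
SAMPLE_BAD = ('From: "IT Support" <helpdesk@c0rp.example>\n'
              'Reply-To: helpdesk@mail.test\n'
              'Subject: Action required: password expires today\n\nSign in now.')

if __name__ == "__main__":
    for name, raw in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_sender(raw))
```

An empty result only means none of these three checks fired; it does not show that a message is legitimate, so requests involving money or credentials still need independent confirmation.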
Employees should always remember that the most effective spear phishing attacks are designed to ensnare specific individuals and companies with highly targeted misinformation. This is why they should be on the lookout for suspicious communications of all sorts – particularly when those communications demand sensitive information or urge immediate action. Hackers want employees to click without thinking, but employees can develop the opposite habit to keep their companies, themselves, and their families safe.