Don’t take the bait on phishing attacks

Whether you’re a work from home veteran or a newcomer in the wake of COVID-19, this guide is for you.

Millions of people worldwide are working from home due to office closures, social distancing, and stay-at-home orders. As businesses begin plans for re-opening, many are expecting significant increases in their numbers of permanent remote workers. Whether it’s long-term or “just for now” remote work, there’s elevated concern for online phishing that could lead to compromised personal and corporate security.

Contents

1. How does Phishing work?
2. How can I recognize phishing attempts?
3. Can I prevent phishing?
4. What can I do if I’ve been phished?
5. Steps for Business Owners and Management
6. COVID-19 related phishing + scams

How does phishing work?

Phishing is primarily done via online communications (think: email, chats, pop-ups, forms, etc.), but can also be conducted through phone calls, text messages, video chat prompts, or other forms of technology. The primary purpose of phishing is to extract personal and/or confidential information from the target, which can then be used for a variety of illicit or harmful activities.

Example 1:

Jane receives an email asking her to reset a bank password. She clicks the link and is asked to provide her current password and user account to make the change. Jane didn’t notice the email wasn’t really from her bank and has given her banking credentials to a stranger.

Example 2:

Mark receives a text message alerting him that the CDC has identified him as someone who has been in contact with a COVID patient. He’s asked to provide his social security number and other identification information to ensure the text has reached the proper recipient. Mark does not realize that by doing so, he has provided a phisher with enough information to steal his identity.

Example 3:

Sam receives an email from their CEO explaining that there is a problem with the payroll system, and that they’ll need to provide a bank account and routing number to receive their paycheck this week. Sam doesn’t realize, until it’s too late, that a phisher has taken the banking information to transfer funds electronically.

Example 4:

Aran sees an advertisement that appears to be a new update regarding the recent COVID statistics from his local news source. It asks for an email address, where it sends information about the virus and a link to a live-updating map. Aran doesn’t realize the link wasn’t legitimate. It installs malware onto his computer, creating hidden access to all of his data and online behaviors. This malware could even use his computer to infect others or to generate more phishing attacks from his own accounts.

How can I recognize phishing attempts?

Phishing attacks evolve in their creativity and vary in range from the obvious to the artfully subtle. There are a few things you can check when you’re unsure, but our advice is to treat any request for information as a direct attempt to fish for critical information.

1. Check the sender. Less sophisticated phishing attempts will use a sender name that you’re familiar with (such as a relative or utility company in your area), but the email address will be wrong.
   
   Tip: Don’t reply. It’s likely an automated inbox that tracks whether a person responds to see if they’re a good target for more phishing.
   
   
2. Incorrect logos or branding. These are easier to spot in poorly made phishing attempts. The logo could be in a strange place or could be an old logo. Phishing emails often look just a bit “off” from regular correspondence. That said, the really impressive ones do look like the real deal.
   
   Tip: Legitimate companies will never ask you for account information via email.
   
   
3. Government agencies. The IRS, FBI, CIA, SSA, etc. are not going to reach out via email. And they certainly are not going to ask for personal information through it. If the government wants to reach you - expect a letter asking you to contact them, or a phone call if you’ve already reached out.
   
   Tip: You can always contact an agency using their public phone numbers to verify any communications.
   
   
4. The request is unusual. If your CEO doesn’t normally email you directly, it’s a bit odd that they’d want you to drop everything to go buy several hundred dollars worth of digital gift cards… no matter how compelling the reasoning might be.
   
   Tip: Contact someone directly if you think a phisher is sending communications on their behalf.

Can I prevent phishing?

There’s no way to prevent 100% of phishing attempts, but there are plenty of methods to mitigate them. Practice these safe habits and you’ll be just fine.

Steps For Remote Workers:

Don’t give out your email addresses

Yes, it would be wonderful to win a free trip to Saint Lucia (especially after social distancing and being in your own home for over a month). However, giving your contact information to online forms and sweepstakes always comes with a price – usually as subscriptions to marketing lists or the sale of your contact information to the highest bidder.

No, I’ll call You

When it comes to sensitive information, it’s always safest to reach out and call the person or organization you wish to speak to. Use the publicly available support lines rather than relying on the number in your voicemail. Just tell the operator that you’re returning a call.

Don’t share passwords

We know, you’re in a pinch and you don’t have an account. You need to get this task done NOW, and you could just send a Slack message to Bob and ask for his password again, right?

Don’t do it. Let your supervisor know you need to create an account, or ask someone with access to do it for you. The more access info is shared between multiple people, the more likely it is for a system to be compromised. As for Bob, supplying passwords makes him part of the problem. In the event Bob’s credentials are misused, he could be held responsible for the outcome.

Register for the “Do Not Call” list

This one will save you from marketing calls and will help prevent your phone number from showing up in public directories or marketing lists. Less spam, less phishing. We’d call that a solid win.

• Check Out the National “Do Not Call” Registry

Use Two-Factor Authentication

Two Factor Authentication (2FA) is a login style that requires both a password and verification via an additional device. The device could be a cell phone, email, mobile application, or specialized USB token keys. This is one of the most important steps you can take to securing your online accounts. As part of your quarantine spring cleaning, we recommend updating all of your accounts to enable 2FA.

• 2FA Instructions for Popular Apps and Systems

Use robust passwords and a password manager

We’re human, and we can only remember so much. When we try to create memorable passwords, we inadvertently create credentials that are easy for programs and phishers to figure out. If enough personal information is known, the phisher can reset an account simply by knowing the answers to the chosen security questions. Passwords should be unique for each account, and they shouldn’t contain any personal information. Sounds impossible right? Before you grab the little notebook in the top right drawer (Yes, Bob, we know about the password book) take a look into a password manager to keep track of it all.

Password managers allow you to save your passwords and notes into a secure repository that you can (with most providers) access from multiple devices. Most password managers will create passwords for you, and work with your browser to auto-fill most online logins. The best options will even auto-fill credentials for apps on your phone. They’re truly a game-changer in regards to online security, and well worth the effort.

• Wired’s 2020 List of Top Password Managers

Do your research

Phishing relies on deception, misinformation, and rapid response culture. Take a moment and ask yourself “Must I respond right this second?”, and instead do a little research and check against the proper protocols for the situation. If the correspondence looks official, don’t be afraid to verify it by contacting the person or agency the message claims to be from.

Phishers rely on your instinctual response to act fast and ask questions later. Don’t fall for it.

• Federal Trade Commission’s 2020 List of Phishing Scams (Updated Regularly)

What can I do if I’ve been phished?

1. Report phishing incidents, even if you haven’t fallen for them, to the FBI. The official website to do so is https://www.ic3.gov.
2. Immediately change any compromised passwords or account logins.
3. Immediately contact the service or account provider for the affected account. Explain the situation and their support will walk you through next steps to protect your information and freeze any illicit transactions.
4. Immediately notify your supervisor in the event the compromised account is work related.
5. Inform anyone you hold regular communications with if a social media or communications system has been compromised. Phishers can, and do, use accounts they take over to phish others within contact of the affected account.
6. Consider signing up for credit and identity monitoring to track any changes or misuse of your identity or financial information.

Steps for Business Owners and Management

Treat phishing and social engineering awareness as part of job training

The best way to know your staff is up to speed is to get them there yourself. With plenty of online resources available to monitor and train employees (often for free), there’s really no reason not to. Make your staff aware of the problem before they run into it.

• Recommended: KnowBe4

Avoid shared account credentials

After calling out Bob on his password sharing habits, he’s informed us that the account in question is a shared company account. Unfortunately, when companies create these shared accounts, it creates a fairly large vulnerability.

Passwords are rarely updated when staff leave employment, and the shared credentials become impossible to use for access limitations or user accountability. Additionally, each user with knowledge of the shared password creates a point of opportunity for the credentials to be compromised. Even for a small company, that’s a few hundred more “Bobs of Opportunity” for each shared account to be compromised.

Create policies and tell people about them

If phishing depends on deception, misinformation, and rushed decision making, then information and procedure are its natural predators. Create policies and procedures for how information is dealt with, stored, and secured. Then make sure everyone is aware of and follows them.

Use system-level spam filtering for email accounts

Services that pre-filter email spam before it reaches employee mailboxes can be fairly effective. You might accidentally trap an important email or two, but after tuning the filters just right, you could be looking at far less communication judgement calls being made by staff.

• Example: Mimecast

Be kind.

People aren’t always familiar with phishing and online security, and that’s especially true when it comes to working from home for the first time. Be kind and patient with your staff as they try to navigate. Creating a hostile blame culture will only serve to prevent incidents from being reported. Sorry, Bob. Coffee on me?

COVID-19 related phishing + scams

We know that the current crisis can be very overwhelming. Here’s a list of U.S.-based resources to check for current COVID-19 related scams and phishing attacks.

• IRS Tax Scams + Stimulus Relief Scams (irs.gov)
• CDC COVID19 Related Scams and Phishing Attacks (cdc.gov)
• Federal Trade Commission COVID19 Scam Protections (consumer.ftc.gov)
• Federal Communications Commission COVID19 Consumer Protection (fcc.gov)
• National Grid Utilities Scam Alert (nationalgridus.com)
• Verizon Common Scams + Fraud Information (verizon.com)
• Wired Security News Bulletin (Large Scale COVID19 Phishing Attacks) (wired.com)
• KnowBe4 Blog - Latest Phishing Threats (knowbe4.com)