Top Ways to Guard Against Work-from-Home Phishing Threats

Written by

By now we’re all familiar with what “social distancing” means as it relates to stopping or slowing down the spread of the coronavirus. Following what have rapidly become “best practices” – along with government the mandates – many companies are practicing social distancing by encouraging or requiring employees to work from home.

While that’s a sensible approach on many levels, it does present potential cybersecurity problems, as workers move from trusted and secured office networks to remote locations, taking advantage of at-home internet connectivity and power sources, but often falling short when it comes to security coverage. It’s a move that extends corporate networks in ways that make them more difficult to secure, providing cyber criminals with an almost irresistible opportunity to take advantage of the situation. 

In fact, the National Cyber Security Centre (NCSC) has issued a warning that criminals are looking to exploit the spread of coronavirus to conduct cyber attacks and hacking campaigns. NCSC experts have seen multiple scams and cyber threats that look to take advantage of COVID-19 for their own malicious ends.

Cyber-criminals are already using "Coronavirus" and “COVID-19” as subject lines for phishing scams, hoping to fool unsuspecting workers into clicking on a link or opening an attachment that results in the installation of malware or unwittingly handing over usernames and passwords. 

With that in mind, here are six best practices that can help raise awareness of potential phishing techniques and other scams, and help keep your systems and data safe while you and your employees work from home:

  1. Be suspicious of any emails referencing the coronavirus, even if they appear to come from a trusted source (e.g., friends, HR, government agencies), since these could be phishing emails. Phishing scams try to create an impression of urgency in order to scare you into clicking on links or opening attachments.
  2. Think twice before clicking on links that appear in random or unexpected emails and instant messages. Although a phishing email may appear to be from a legitimate company, clicking on an embedded link could take you to a website that looks exactly like the real website – but is actually a fake. To be safe, hover over links before clicking on them and read the actual URLs they point to, making sure they’re taking you to the sender’s actual site or to another trust site. If you don’t recognize the URL – or if it’s filled with words that don’t make sense to you, don’t follow the link. 
  3. Beware of emails that don’t contain your name – especially if they’re asking you for information. Phishing emails often start with “Dear Customer,” which should be your first clue that something’s not right. When in doubt, go to your browser and type in what you know to be the company’s URL yourself, bypassing any potentially dangerous links.
  4. Be especially wary of emails asking you to check or renew passwords and login credentials.
  5. Stay on the lookout for unusual requests. If someone – especially someone you know – is suddenly asking you to send a wire transfer, for example, there’s a good chance it’s a scam. The same goes for emails that seem out of character or come from executives or other people within a company with whom you’ve never had any contact. Instead, make a phone call to your trusted contact and verify whether the email is legitimate.
  6. Distribute a list of IT contacts that all your employees know (along with their work hours) who may be called in the event of an IT emergency. It’s always better to find out about a possible breach when it happens, not the next morning.

At a time when we all have so much on our minds, following these recommendations can help keep you and your company’s data safe from cyber-attacks as you keep yourself and your loved ones safe while working outside of the office. At a time of great distraction like this, individuals are more likely to slip up and be a victim of phishing.

What’s hot on Infosecurity Magazine?