COVID-19 Increases the Risk of Phishing Attacks

With this pandemic came an extremely fast and large wave of employers asking their employees to work remotely.

Aside from the immediate need for employers to ensure their people can be set up appropriately to work from alternate locations like home, there is another critical point of attention that is worth emphasizing: the potential for an uptick in phishing attacks.

With so many companies now performing day-to-day business processes and controls remotely, phishing attacks and their consequences should be highlighted and revisited.

Phishing is a type of social engineering attack often used to steal end-user data, login credentials, personal information or financial information. These attacks can come in the form of emails or messages that look like they are coming from a legitimate source, sometimes even someone you work with every day, asking you to click on a link that is in fact malicious. These links can lead to the installation of malware on your computer and across your entire network, to systems being frozen as part of a ransomware attack, or to the disclosure of sensitive information. Another form of phishing attack is a fund transfer request or purchase request from what appears to be an officer or manager within your company. In reality, the party on the other end is a malicious actor.

When we work with our colleagues or management in an office day-to-day, it can be easier to spot a phishing attack, particularly if a fund transfer or purchase is being requested via email. However, most requests these days will in fact come in the form of an email, leaving our employees that much more vulnerable to these attacks.

Phishing attacks can have devastating results, including severe financial loss, declining market share, and reputational damage that may be hard to ever recover from. At the very least, remediation will take time and resources that are hard to come by, especially in the current climate.

Now that we have scared you and have your attention, let’s talk about some preventative measures and steps you can take:

  1. Educate your employees and conduct training sessions with mock phishing scenarios. Even if you have done this in the past, place emphasis on training in this present remote environment.
  2. Revisit the critical controls that may have been set up to mitigate risk within an office environment and determine if this control structure is appropriate and effective, given that many are working remotely. You may need to implement controls that you perhaps never had, now that you are in a remote working environment.
  3. Place emphasis on reviewing your security policy with a focus on remote workers.
  4. Keep all systems current with the latest security patches and updates.
  5. Deploy a web filter to block malicious websites.
  6. Deploy a spam filter that detects viruses, blank senders, etc.
  7. Encrypt ALL sensitive company information that is being shared by your employee base.

Given the abrupt need to have so many employees working remotely and the uncertainty as to how long this will need to be the new normal, companies should be thinking about defenses against phishing attacks with a focus on end-user training. Ultimately, it is one of the biggest defenses we have.

Contact Ilona Davis at 800.244.7444 in the BTA practice to learn more about how we can help you with your preventative measures and implementing proper controls.

Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, investment, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.
