In accordance with the CDC’s guidance on social distancing, more and more companies are increasing the number of employees working from home. As the number of employees working from home increases, so do the related cyber risks. Sophisticated hackers have developed a game plan for exploiting weaknesses unique to the remote workforce employment model. Organizations must be vigilant in preventing hackers from infiltrating corporate systems or preying upon an unsuspecting remote worker.
Some of the techniques that scammers employ in the face of this pandemic are convincing:
- COVID-19 timelines and outbreak-in-motion maps.
- Emails from the organization’s IT department with subject lines such as “COVID-19 Alert” and “ALL STAFF CORONAVIRUS AWARENESS.” The emails describe a seminar at which the company will discuss what it's doing in response to COVID-19 and include a link to register for the seminar.
- Phishing emails impersonating the World Health Organization that prompt the recipient to download malicious software.
- The sale of fraudulent COVID-19-related 'miracle' health products.
- Fake charities claiming to be a government program raising funds for the development of a vaccine.
- Scam websites claiming to be selling face masks.
- Emails claiming to be from vendors about COVID-19 tools and strategies that include links to PDFs and Word documents and invite the recipient to click and open the attachment.
- Text messages from numbers closely resembling the employer's phone number, indicating the recipient needs to "click here" to find out about modified firm operations.
These seemingly harmless and legitimate-looking emails, texts, and attachments are Trojan horses for malware replete with remote access tools ("RAT"), keystroke logging malware, desktop image capturing malware, and ransomware. Hackers are looking to potentially gain control of an employee’s remote access into the firm, or encrypt computers and any other company systems within the malware’s reach.
Following are 10 tips that will help employees protect themselves and the company for which they work:
- Always think before you click.
- Never click on an email or text message from anyone you don't know.
- If you receive an attachment in an email or text message you were not expecting—even if it's from someone you know—call the person at a known telephone number (not the number listed in the message) to confirm the message is legitimate.
- If you click on something you should have avoided and a box opens that asks you for your password, to supply some information, or to click on a link to enable a later version of software: stop, close out, and immediately call your IT department to have a scan run on your device(s).
- Remember the ongoing risk of public Wi-Fi. If you can connect to Wi-Fi without a password, then the network is insecure. Do not use an insecure Wi-Fi network to connect to your work server, do any personal banking, or send any type of confidential or personal information.
- Avoid working in public spaces where third parties can view screens or printed documents.
- If ads for hand sanitizer and toilet paper appear too good to be true, they are.
- Follow corporate protocol on frequently changing passwords, utilization of dual authentication, and powering down your hardware when not in use.
- Never provide personal or sensitive company information in response to even an authentic- or official-looking e-mail without first contacting your IT department.
- If you receive an e-mail that appears to be from a colleague that requests you open a document that is not familiar to you or that you were not expecting, do not open the document (or follow the link) until you have contacted your IT department.
As more and more employees are working in a home-based model for the first time, there are countless new challenges associated with the new venue and new technology. As such, it is even more important during these dynamic times that employees maintain their focus on the security of their devices and the company’s systems.