What are your employees doing while working from home? Are they exposing your network and customer data to a data breach or other cyberattack? What does your now-extended business network mean for your business?
If you think your data is safe, hackers can still try to get your information through social engineering. Ninety-six percent of all targeted cyberattacks start with attempts to expose your personal information. A piece of data — name, password, email — your employees disclose can be exfiltrated, held for ransom, or pieced together into an attack on your network and devices.
Here’s a quick rundown of the major types of cyberattacks you are vulnerable to in the Age of COVID.
Your email system is the primary entry point for a cybersecurity attack. Ninety-seven percent of people cannot distinguish a real email from their bank from a sophisticated phishing email. These emails may carry your bank’s or credit card company’s logo and ask you to log in to your account or respond to an alert by clicking a link in the email. The hacker’s typical strategy is to create a sense of urgency that gets the user to act before thinking. When the user is one of your employees, training is imperative.
Common subject lines for other malicious emails reference healthcare products, dating apps and invites, adult products, and stock picks. If only .001% of users clicked on links in these emails, a spammer could make over $270,000 from one email sent out to millions of users.
But mobile users open 34% of phishing emails; twelve percent of these targeted users click on the malicious link or attachment. These users are on the go but should learn to recognize spam when they see it.
The number of phishing emails that contain some form of ransomware has risen to 97.25% since 2016. (Ransomware is particularly nasty: after the victim clicks on an email link, attackers gain access to a network, encrypt the computers’ files, and demand a ransom to unlock the files. Sometimes the ransom is demanded again after being paid; other bad actors threaten to publish the files or sensitive data.)
Email Best Practices
Have your employees look for these telltale signs of phishing emails.
– Double-check for unusual sender email addresses, dates, or language problems before opening an email.
– Do not open attachments or click any links from people you don’t know.
– Do not click if “tech support” sends you an email saying you need to reset your password by “clicking here,” even if the email uses your correct name and appears to come from someone in IT support whose name you recognize. This could be a spear phishing attack, and 95% of all attacks on enterprise networks are caused by successful spear phishing.
– Do not respond to suspicious emails.
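The telltale signs listed above can be turned into simple, automatable checks. The following is an added example, not code from the original post: a small Python heuristic that inspects a raw email for a Reply-To domain that differs from the From domain, link text that shows one host while the href points to another, executable attachments, and urgency phrases. The two sample messages, the domains in them, and the phrase and extension lists are constructed for illustration.

```python
"""Heuristic phishing-indicator checker (added example; sample data is constructed)."""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that try to create a sense of urgency (illustrative list, not exhaustive).
URGENCY_PHRASES = ("act now", "immediately", "urgent", "within 24 hours",
                   "account will be suspended", "verify your account")
# Attachment extensions that should not arrive unsolicited (illustrative list).
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".hta")


def _domain(addr):
    """Lower-cased domain part of an email address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in an RFC 822 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # Sign 1: replies are silently redirected to a different domain.
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from "
                        f"From domain {_domain(from_addr)}")

    subject = (msg.get("Subject") or "").lower()
    text_parts = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            body = part.get_content()
            text_parts.append(body)
            if ctype == "text/html":
                # Sign 2: the visible link text names one host, the href another.
                collector = _LinkCollector()
                collector.feed(body)
                for href, text in collector.links:
                    if "://" in text:
                        shown = _host(text)
                    else:
                        shown = text.lower() if "." in text else ""
                    if shown and shown != _host(href):
                        findings.append(f"Link text '{text}' points to {_host(href)}")
        # Sign 3: an executable arrives as an attachment.
        fname = part.get_filename()
        if fname and fname.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"Executable attachment {fname}")

    # Sign 4: language engineered to make the reader act before thinking.
    haystack = subject + " " + " ".join(text_parts).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in haystack:
            findings.append(f"Urgency phrase: '{phrase}'")
            break
    return findings


# Constructed sample: shows all four signs at once.
SAMPLE_PHISH = """\
From: "Big Bank Alerts" <alerts@bigbank.example>
Reply-To: support@bigbank-verify.example
Subject: URGENT: verify your account within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your account will be suspended. <a href="http://bigbank-verify.example/login">www.bigbank.example</a></p>
--b1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample: an ordinary internal message with none of the signs.
SAMPLE_BENIGN = """\
From: "Team Lead" <lead@company.example>
Subject: Agenda for Tuesday
Content-Type: text/plain; charset="utf-8"

Minutes are on the intranet: https://intranet.company.example/minutes
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, phishing_indicators(sample))
```

Each heuristic on its own produces false positives (marketing mail often uses urgency wording, and legitimate senders sometimes set a different Reply-To), so in practice these signals are scored together rather than treated as individual verdicts, and they complement rather than replace training and a mail-filtering product.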
Mobile users are not only vulnerable to email phishing. Eighty-one percent of all mobile attacks on iOS and Android devices are due to app vulnerabilities, instant messaging, and texts.
Attackers can also reach a device over the local network or the Internet; they do not need physical access to it.
User beware: Eighty-nine percent of mobile vulnerabilities can only be exploited if your users download malicious apps. Free apps can work as advertised — but they can also function as spyware that sends your data to the hacker’s server. By far the most common issue with mobile devices is insecure data storage: users often keep passwords, financial information, personal data, and correspondence on the device in an unsafe manner.
Practice: Your employees should not store their credit card, banking, or other personal information on their smartphones or tablets. If the devices are provided to your employees as “bring your own” or “choose your own” devices, knowing what is on those devices and how your users use them is critical. Misuse can damage your organization. Some apps could ask for broad permissions before use. Make sure you are OK with each of these permissions.
User beware: Cybercriminals also use texting to trick users into downloading malware, clicking on malicious links, or disclosing sensitive information.
Practice: Anything that asks for your or your employees’ personal or financial information through a text is suspect. As with email, no matter how legitimate the text looks, financial institutions and merchants will never contact users by text to make important changes such as updating their account or entering their account PIN or other data. “Act now” urgent requests can cause users to act rashly. Also look out for suspicious sender numbers like “80000.” Scammers use these types of numbers to hide their actual phone numbers. Create stronger passwords, change default passwords, turn off or disable any unneeded features, only install legitimate applications from the Google Play store or Apple App Store, and keep the device’s firmware and applications updated.
Practice: Tell tech support you will call them back or ask them to come to your desk.
User beware: “Your bank” calls you and asks you to call back to speak with a representative, or you get a text message alert from the bank with a phone number to call. The recorded voice tells you to enter your social security number or account number to be connected with a representative.
Practice: Do not click, do not call.
User beware: A fired employee may have sabotaged or created a vulnerability in a shared app to become active after a set time.
Practice: Contact security and your supervisor about any unusual behaviors.
User beware: At Starbucks, a malicious user on the same public wifi can intercept your browsing or communications. You may even see a network named “Starbucks Pro” or some similarly harmless-sounding name. That user may record your transactions (like a bank login) and replay your session later to access your accounts.
Practice: Do not connect. If you’re doing bank or other sensitive work, switch to mobile data and turn off your device’s wifi.
User beware: Outside your house, a malicious user may be driving by, scanning your home office network for openings. That same user may also have told the world about your wireless network with chalk marks on your sidewalk.
Practice: Make sure your home router is set up with WPA2 security using AES encryption and a strong passphrase, and change the default admin password. Disabling the SSID broadcast (hiding the name of your network) is helpful but is not considered a strong measure by itself.
User beware: As you are walking in a parking lot or even outside your house, you find an old-looking USB flash drive on the sidewalk.
Practice: Do not plug that in.
User beware: Your phone is getting unwanted messages popping up, or you may get your data stolen through Bluetooth.
Practice: Disable Bluetooth when not in use.
User beware: Someone may have plugged a USB hardware device (dongle) into your USB port without your knowledge. This “keylogger” records all your keystrokes.
Practice: Occasionally check your physical computer ports at work or home.
User beware: At work, a colleague has set up his own wifi router without your knowledge, a “rogue access point.” Perhaps he just wants his own network (against company policy), but he could be doing something malicious.
Practice: Do not connect. Alert management.
Also, beware of:
Tailgating: Walking into work, another person rushes up behind you and asks that you hold the door open for them (maybe they “lost their badge”).
Shoulder Surfing: At work or a public place, someone is peering over your shoulder to get your data.
Someone bumps you from behind: They’ve just tapped their phone against yours, accessing it via NFC, the short-range protocol used for some electronic transactions.
Skimming: A waiter swipes your card in a device, a “skimmer,” and records your card for later use.
Dumpster Diving: Some men are jumping into the company dumpster and pulling out old desktop calendars, sticky notes, company procedural manuals, and handbooks.
Trespassing: Two men are walking confidently through the corporate building and walk into the CFO’s office when he is out of town. When asked, they say they are with building services or IT. They dump the office trash into a receptacle they are carrying, or they make a call to IT from the office to ask for help logging in. They act like they belong but are targeting an important person at the company.
Phone tactics for getting you to drop your guard: Making you laugh, giving a sensible reason for the request, portraying confidence, maybe even displaying anger, and asking to speak to your supervisor (though they never call back), but then evading or diverting when asked specific questions.
In addition to the aforementioned measures, comprehensive antivirus and malware detection services will get you cyber-ready. Happy computing!
Tech Kahunas is a San Diego Managed IT Services provider that provides IT support and services like 24/7 monitoring, data backup and restore, and malware protection.