Should you phish-test your remote workforce?
Introduction: New wave of phishing
When the novel coronavirus pandemic began, it caused more than a medical emergency and lockdowns. Like many events before it, it also caused an increase in phishing. Attacks have been aimed at VPNs and remote workers to take advantage of weaker security in a situation that was new to many employees and employers.
“Chinese, Russian, and North Korean cyber-espionage groups have all adopted pandemic-themed lures for phishing attacks and targeted efforts,” writes Dark Reading.
“The biggest change is not the type of attacks but the situation where you have the majority of the workforce working from home,” adds Etay Maor, chief security officer for IntSights. “Workers are making some basic security hygiene mistakes, and the threat actors have been made aware of this — these issues are constantly being discussed, and the criminals are very agile to adapting to new situations.”
In fact, a CNBC survey of senior technology executives found that over one-third of them reported a growth in malicious attempts as the majority of their employees started working from home. In a matter of days, there had been an increase in phishing campaigns “to target people and steal personal information from them by posing as trustworthy figures.”
Coronavirus-themed phishing is targeting remote workers
Phishing related to COVID-19 will continue to be a problem over the coming weeks and months. A joint alert from the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) warns that APT groups are using COVID-themed phishing messages with new and evolving baits: “Malware distribution, using coronavirus- or COVID-19-themed lures; registration of new domain names containing wording related to coronavirus or COVID-19; and attacks against newly—and often rapidly—deployed remote access and teleworking infrastructure.”
These findings are also confirmed by Fleming Shi, the Chief Technology Officer at Barracuda Sentinel, who released figures collected between March 1 and March 23: “Barracuda Sentinel has detected 467,825 spear-phishing email attacks, and 9,116 of those detections were related to COVID-19, representing about 2 percent of attacks. In comparison, a total of 1,188 coronavirus-related spear-phishing attacks were detected in February, and just 137 were detected in January.”
Everyone is susceptible to phishing. This social engineering technique takes a variety of forms to target internet users and collect valuable information. The selection of targets also varies greatly, ranging from senior officials and executives to individuals in any department, especially those with access to money and sensitive data.
Phishers have proved able to reach many employees in a business, regardless of their whereabouts. Phishing has lately become an even bigger threat to those who work from home, as people adjust to a new reality and re-learn how to keep in contact with management and co-workers. These employees, even those with hours of cybersecurity training under their belt, often feel safer or more at ease within the perimeter of their home office.
There are also a number of other factors to consider. Sometimes it is the change in technology, from the office workstation to a home mobile device; sometimes it is the weaker protection afforded by software on a home computer, which can reach sites and resources that protection systems at work would normally block; and sometimes it is simply the mix of personal and business activity in a home office that leads the worker to let their guard down.
How is it possible to minimize risks?
The importance of a phish test
When it comes to phishing, the most effective way to defuse the threat is arming the workforce with as much knowledge as possible, so that they can recognize and avoid it. A lack of security awareness training makes employees the most susceptible targets, as phishing attempts easily slip through software and hardware defenses.
A remote workforce especially, whose devices might have even fewer security features than the company’s systems, needs a thorough understanding of how to combat phishing, malware and hackers.
What’s a good defense strategy for an organization? Phishing simulations have been found to be the most effective way of generating awareness and training staff to recognize such scams and avoid becoming victims. This kind of continuous, hands-on employee education is engaging, more effective than any purely theoretical approach, and gives the company measurable feedback on which attacks its remote workers are most susceptible to.
Should companies phish-test their remote workers, then? Phish tests give staff hands-on experience in dealing with this type of threat before they face a real attack. They can be used as a drill after warning employees, but can also be deployed after security awareness training sessions to test understanding of concepts and reveal weaknesses and knowledge gaps. In addition, phish tests can expose workers to the newest modes of attack before awareness training is updated to reflect them.
There are, of course, drawbacks to this strategy. A high pass rate could give an employer a false sense of security. Training and tests should be continuous, because repetition helps users remain vigilant and up to date on schemes that change over time. Too many passed tests can also give users a sense of safety, and they risk becoming overconfident and complacent.
It is also very important that the results of each test are analyzed carefully and that training follows to correct any issues before a real attacker strikes. If a company is not ready to do that, the phish test’s efficacy is reduced to a mere tick on a checklist of things that must be done.
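As an added illustration of what analyzing phish-test results looks like in practice (example code written for this page, not from the original article or any vendor product): a small Python script over constructed simulation records that computes per-campaign click and report rates, flags users who fall for the lure in repeated campaigns, and separates users who reported the mail from those who merely ignored it, because a low click rate alone can feed the false sense of security described above.

```python
"""Summarize phishing-simulation campaigns from constructed sample results."""
from collections import defaultdict
from statistics import median

# Constructed sample: one row per simulated phish delivered to a user.
# clicked = followed the lure; reported = used the report-phish button;
# report_minutes = minutes from delivery to report (None if not reported).
FIELDS = ("campaign", "user", "clicked", "reported", "report_minutes")
ROWS = [
    ("2020-03", "alice", True, False, None),
    ("2020-03", "bob", False, True, 12),
    ("2020-03", "carol", True, False, None),
    ("2020-03", "dave", False, False, None),
    ("2020-04", "alice", True, False, None),
    ("2020-04", "bob", False, True, 5),
    ("2020-04", "carol", False, True, 30),
    ("2020-04", "dave", False, False, None),
]
RESULTS = [dict(zip(FIELDS, row)) for row in ROWS]

def campaign_metrics(results):
    """Per campaign: click, report and ignore rates plus median minutes-to-report.
    'ignored' (neither clicked nor reported) shows a low click rate is not proof of awareness."""
    by_campaign = defaultdict(list)
    for r in results:
        by_campaign[r["campaign"]].append(r)
    metrics = {}
    for name, rows in sorted(by_campaign.items()):
        n = len(rows)
        clicks = sum(r["clicked"] for r in rows)
        reports = [r["report_minutes"] for r in rows if r["reported"]]
        ignored = sum(not r["clicked"] and not r["reported"] for r in rows)
        metrics[name] = {
            "delivered": n,
            "click_rate": round(clicks / n, 2),
            "report_rate": round(len(reports) / n, 2),
            "ignored_rate": round(ignored / n, 2),
            "median_minutes_to_report": median(reports) if reports else None,
        }
    return metrics

def repeat_clickers(results, min_campaigns=2):
    """Users who clicked in at least min_campaigns campaigns: candidates for follow-up training."""
    clicked_in = defaultdict(set)
    for r in results:
        if r["clicked"]:
            clicked_in[r["user"]].add(r["campaign"])
    return sorted(u for u, c in clicked_in.items() if len(c) >= min_campaigns)
```

In the constructed data the click rate halves between the two campaigns while the ignored share stays flat, so the improvement comes from users actually reporting, which is the signal worth tracking.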
Phishing attacks will continue to increase and to exploit opportunities like the one the COVID-19 outbreak has given. Exploiting new or emotionally charged situations makes it easy for malicious hackers to catch internet users off guard.
New remote workers who were forced into that arrangement by external factors, or employees of a company going through a major reorganization, a merger or any other significant change, are perfect targets. Increasing awareness training and augmenting it with hands-on sessions and practical tests are more and more important to help a workforce master the detection of, and defense against, these threats. This is especially true for remote workers who, working away from the company premises, might be less protected by technical countermeasures and have a false sense of security within their home office.
As Lise Lapointe, CEO of Terranova Security, put it: “Train, phish, evaluate, and repeat. Reinforcement makes the message stick.”
Sources
- Threat Spotlight: Coronavirus-Related Phishing, Barracuda
- How to Avoid Phishing in an Always Expanding Sea, Future of Business and Tech
- Coronavirus Fears Lead to New Wave of Phishing, Malware, BankInfoSecurity
- Cybercriminals are exploiting fears of the pandemic to steal personal information, CNBC
- Phishing scams, spam spike as hackers use coronavirus to prey on remote workers, stressed IT systems, CNBC
- Alert (AA20-099A) COVID-19 Exploited by Malicious Cyber Actors, US-CERT (NCAS)
- Coronavirus and home working: Cyber criminals shift focus to target remote workers, ZDNet
- After Adopting COVID-19 Lures, Sophisticated Groups Target Remote Workers, Dark Reading
- COVID-19 Threats Against Mobile Remote Workers: What Enterprises Need to Know, Zimperium