With thousands upon thousands of workers now learning to navigate a work-at-home setup, remote work tools such as Skype, Slack, Zoom, and WebEx have become gateways into users’ computers for phishing attacks. The longer the COVID-19 quarantines and company closures continue, the more employees will be working remotely. Lack of supervision and security training could be leaving your employees and your company vulnerable to phishing scams like the example below.
An Example of a Skype Phishing Attack
Employees have now become remote employees and are having to attend meetings and communicate with each other from home. This means using tools like Skype to video conference and share files and screens. Skype, in particular, has been heavily targeted by hackers taking advantage of the COVID-19 pandemic. The sophisticated phishing attacks, designed to compromise Skype passwords, are even getting past Proofpoint and Microsoft 365 EOP protected environments to reach users’ email inboxes. Here’s just one way in which Skype and other online collaboration and communication tools are being targeted by hackers.
A familiar-looking email arrives
The phishing attempt begins when an employee or remote worker receives an email from a seemingly known and trusted source. The sender is a Skype phone number, and the email address appears to be a legitimate account, usually belonging to a trusted friend or colleague. The receiver has no reason to suspect that this is a previously hacked account being used by a scammer or malicious cyber actor.
A “review” is requested
The phishing email generally tells your employee that they have pending notifications on Skype, or on another collaboration tool, that they should review, and it includes a “REVIEW” button with instructions to click through to read the new messages. The idea is that your employee will think they have essential work-related messages and will willingly click the review button.
The webpage is spoofed
The link redirects your employee to an authentic-looking Skype login page. The page often tells your employees that they have been logged out for security reasons and should log in to their Skype account. The webpage is served over HTTPS (the URL begins with “https”), which only means the connection is encrypted, not that the site belongs to Skype. The URL also has the word “skype” in it, and the Skype logo is present on the page. This leads your employee to think they are on a “safe” site.
The password is captured
When the login box pops up, your employee’s email address is already filled in, prompting them to enter their password. The account is now compromised and can be used as a ‘sender email’ to trick more employees in your organization. Eventually, the hackers may gain access to someone in HR, or with access to internal documents or financial information.
COVID-19 Phishing Attacks Will Only Get Worse
It doesn’t matter how much security you have in your systems or on your employees’ devices: the main point of failure when it comes to cybersecurity is always user-related. Habit and familiarity lull your distracted employee into a false sense of security. When they are rushed or stressed, they are more likely to miss the warning signs of a security risk.
The COVID-19 pandemic is creating the perfect global environment for phishing lures as workers are in an unfamiliar work environment, trying to stay abreast of their work duties while juggling financial concerns, spouses, children, and more.
The example above is just one type of phishing scam. Hackers are masquerading as government officials, the World Health Organization (WHO), and more. Emails purporting to be from the World Health Organization (WHO) are circulating to email lists of company executives across the English-speaking world. These emails offer a free ebook about COVID protection measures, attached to the email as a ZIP file.
Once opened, the malicious link file can compromise the computer of the person who opened it, or links in the documents the file contains can route users to a phishing website designed to obtain confidential information under the guise of offering help. Unfortunately, by the time the user realizes what has happened, they have often forwarded the email to multiple people within their own company.
Likewise, it’s the perfect time for phishing scams that center around financial aid. With multiple federal and state programs providing disaster loans, emails purporting to be from financial or government institutions should be carefully scrutinized. Sole proprietors and small business owners are being specifically targeted.
Everyone is vulnerable
Educating your employees and refreshing their knowledge about cybersecurity risks is the best way to help protect them and your company from hackers. You’ll need to start at the top of your command chain and work down.
Start with a quick briefing on the red flags of phishing scams, and follow it up with frequent reminders to think twice before opening links in emails or divulging company information; this can help prevent employees from having their accounts compromised. Share examples like the ones listed above with your employees so they stay aware of the various tricks employed by hackers and are on the lookout for anything out of the ordinary.
Warning Signs of Phishing Scams
Here are common warning signs that a phishing scam is in play:
- The email comes from a fake sender address
- Confidential data is requested or demanded
- An urgent need for action is emphasized
- A link to a website is included with a request to click on it
- There are misspellings or oddly formal language used in the email subject or body
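As an added example (not the post’s own tooling), the checks below turn the Skype lure described earlier and the warning signs just listed into code: a brand name in the hostname or path of a link whose registrable domain is not the brand’s own, a display name that claims a brand while the address comes from elsewhere, urgency wording, and a request to log in. The brand-to-domain map, the keyword lists, and the sample email are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse
# Brands the lure imitates -> domains that really host their logins (assumed list, not from the post).
BRAND_DOMAINS = {
    "skype": {"skype.com", "microsoft.com", "live.com"},
    "zoom": {"zoom.us"},
    "slack": {"slack.com"},
    "webex": {"webex.com"},
}
URGENCY = re.compile(r"\b(urgent|immediately|pending notifications?|logged out|suspended)\b", re.I)
CREDENTIAL = re.compile(r"\b(password|log ?in|sign ?in|verify your account)\b", re.I)

def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); a public-suffix list is needed for co.uk-style TLDs."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def lookalike_brand(url: str):
    """Brand a URL impersonates, or None: a brand word in host or path while the
    registrable domain is not the brand's. Scheme is ignored: https proves encryption, not identity."""
    p = urlparse(url)
    host = p.hostname or ""
    where = (host + p.path).lower()
    for brand, legit in BRAND_DOMAINS.items():
        if brand in where and registrable_domain(host) not in legit:
            return brand
    return None

def phishing_signals(sender_name, sender_addr, subject, body):
    """Warning signs an email trips (empty list means none found)."""
    hits = []
    addr_dom = registrable_domain(sender_addr.rsplit("@", 1)[-1])
    for brand, legit in BRAND_DOMAINS.items():
        if brand in sender_name.lower() and addr_dom not in legit:
            hits.append(f"sender claims {brand} but mails from {addr_dom}")
    text = subject + "\n" + body
    if URGENCY.search(text):
        hits.append("urgency language")
    if CREDENTIAL.search(text):
        hits.append("credential request")
    for url in re.findall(r"https?://\S+", text):
        brand = lookalike_brand(url)
        if brand:
            hits.append(f"lookalike {brand} link: {url}")
    return hits

# Constructed sample modelled on the Skype lure above (not a real message).
SAMPLE = dict(sender_name="Skype Notifications", sender_addr="j.doe@example.com",
              subject="You have 3 pending notifications",
              body="You were logged out for security reasons. Log in to review: https://skype-review.example.net/login")
```

Running `phishing_signals(**SAMPLE)` flags all four signs; a genuine Skype link such as `https://login.live.com/skype` is not reported because its registrable domain is on the brand’s list.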
The following precautionary measures can be made part of your company handbook:
- Don’t click on links in suspicious emails. Do try to reach a website by typing in the homepage of the organization instead.
- Don’t provide any confidential data in response to an email. Do contact the organization mentioned by phone if you think it is a legitimate request.
- Don’t disclose personal information (passwords, credit card numbers, transactional data) via email. Do follow up directly with the organization by phone and ask for a safe information transfer method.
- Don’t download anything from an email unless you are certain it is safe. Do visit an organization’s webpage directly and download it from there if necessary.
- Don’t continue any conversation via phone, chat, text, or email if you are being pressured for company data. Do refer the conversation to your supervisor.
Preventing COVID-19 Phishing Scams Aimed at Remote Working Employees
You can also help protect employees by giving them tools to protect themselves:
Virtual Private Networks
VPNs help protect important and sensitive data by encrypting it as it travels across the public Internet to and from your office network. This is invaluable when employees need remote access over home or public Wi-Fi connections. Using a corporate VPN keeps all communications within your secure network.
Business Continuity Disaster Recovery Plan
A BCDR plan can keep your company from losing important data if a remote employee is phished, and your company is hacked by cybercriminals. Make certain your data is backed up as often as possible and train all executives on what steps to take if a network breach occurs.
Secure file-sharing is a must to help ensure your business can continue to operate seamlessly while employees are remote, while still protecting sensitive data. Look for options that allow your employees to easily view and share files, but remember that these platforms may also be the subject of phishing scams, and remind employees to be wary of emails that seem to come from these platforms.
Require passwords to be changed anytime there is a hint of a phishing attempt or threat. Encourage employees to use strong passphrases and two-step or multi-factor authentication on all of their devices. Passwords should be guarded fiercely and never shared. Whether your employees return to work in the office or remote work becomes the new normal, these tips can help prevent phishing scams and protect your company and your remote workforce.