Rough waters ahead: A phisherman’s tale

A third wave – feels more like a third tsunami. Many haven’t returned to the office; some may end up back in work-from-home scenarios. While workers may feel safe at home, false senses of complacency can easily mask very real cyber threats. Cybercriminals don’t pause for pandemics. With the increase in remote work, an explosion in cybercriminal activity, like phishing, has followed. Not only is phishing still prevalent, but it’s rising much like that third wave.

Seven thousand office workers in the United States, United Kingdom, Australia/New Zealand, Germany, France, Italy, and Japan were surveyed on their understanding of phishing, email, and click habits. Respondents were asked how their online lives have changed since the beginning of the COVID-19 pandemic. From there, the COVID-19 Clicks – How Phishing Capitalized on a Global Pandemic report was created, shining a timely light on perceived knowledge of phishing attacks, what makes people click on a potentially malicious link, and overall cybersecurity and cyber resilience habits.

BY THE NUMBERS:

1 in 5 workers have received a phishing email related to COVID-19
3 in 10 workers worldwide are certain they’ve clicked a phishing link in the past year. In the US, it’s 1 in 3 workers
8 in 10 workers say they take steps to determine if an email message could be malicious
But less than 3 out of 5 workers worldwide think they know enough to keep themselves and their data safe from cyber attacks

Dr. Prashanth Rajivan, assistant professor at the University of Washington, offered his perspective on how the COVID-19 pandemic and general increase in working from home could affect individuals’ and businesses’ cybersecurity status. “Like with distracted driving, working while doing other household chores or even watching TV seems easy enough when doing mundane tasks, such as email processing,” says Rajivan. He notes this type of distraction can make people vulnerable and even less likely to notice or weigh the potential phishing message’s risks properly.

In many cases, working in home environments can potentially blur the boundaries between work life and home life. Not only are there issues of stress and mental health, but performing work tasks on improperly secured personal devices, or performing personal tasks on a work device, can present security risks for individuals and businesses alike. Three out of four people (76%) worldwide admit they use personal devices for work tasks, use work devices for personal tasks, or both, underscoring the boundary concerns mentioned previously.

Cybercrime is a crime of opportunity - which is currently abundant because of the constant connectivity work-from-home environments create. COVID-19 themed phishing lures have surged this year with some even claiming to know location of infected individuals in your city. These cybercriminals target the victims’ sense of vulnerability during a pandemic so businesses and consumers alike must prioritize cyber resilience. It is everyone’s responsibility to protect their data as they would their health.

The full report suggests companies and consumers are both falsely confident when it comes to cybersecurity. Breaking down the numbers, 95 percent of respondents worldwide recognize phishing remains a problem for businesses and households alike. More than three-quarters admitted they had opened emails from unknown senders, with over half (59 percent) blaming it on the fact that phishing emails look more realistic than ever before.

Dr. Rajivan stresses it’s critical to use what he calls a “healthy dose of suspicion” while processing emails. He explains, “Humans, by nature, have a propensity towards truth. We generally assume the communications we receive from other people are honest. By developing a healthy dose of suspicion with regard to emails, it’ll help us be more alert, and actually put our phishing knowledge into practice.”

Steps to take to strengthen work-from-home cybersecurity

Keep it separate. With so many employees working outside of traditional office settings, it can be difficult to enforce work-life boundaries. But by ensuring workers have clear distinctions between work and personal time, devices, and obligations, businesses can reduce the amount of uncertainty that can ultimately lead to phishing related breaches.
Know your specific risk factors. Every business has different risk factors. If in-house resources or expertise to conduct a risk audit are limited, explore security auditing services, or consult a managed service provider (MSP).
Over-prepare. Once a business has assessed the risks, a data breach response plan can be created that includes recovery strategies, security experts to contact, and communications plans to notify customers, staff, and the public in case of a breach, attack, etc..

“If we want to enable employees to assess risk properly, we need to cut down on uncertainty and blurring of context lines. That means both educating employees and ensuring we take steps to minimize how work and personal life intertwine,” says Dr. Rajivan, Ph.D. The report distilled from worker responses that in order to properly prevent phishing, they feel their employers need to invest more heavily in training and education, in addition to vital cybersecurity tools.

The survey also showed most people are now either taking the same or more precautions to keep themselves safe online. For instance, an average of 1 in 4 people are updating their computer operating systems and software more often than they did when they did before COVID-19. While these actions exemplify steps in the right direction, there is still significant opportunity to increase these numbers and strengthen overall cyber resilience. For example, an average of 1 in 5 workers reported plans to increase investment in cybersecurity programs and tools for their individual and families’ devices.

The bottom line: knowledge and understanding are key for strong cyber resilience. Experts like Dr. Rajivan agree businesses and employees must adopt a “healthy dose of suspicion” along with appropriate training to successfully avoid falling victim to phishing scams. So, while work-from-home policies keep workers safe from COVID-19, consider investments in cybersecurity training and cyber resilient tools to ensure your company doesn’t get stuck with a virus (or worse) of a different kind.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

Employees don’t feel prepared to navigate an increasingly dangerous world, and they expect their employers to not only care about their personal safety, but to actively keep them safe.