Social engineering is a term that refers to efforts by hackers and cybercriminals to use people — rather than technology — to gain access to sensitive systems and information. It’s a problem that information security experts have been wrestling with for years and one that, in the midst of COVID-19, has become both more prevalent and more challenging.

Lonely workers more likely to click

According to Stanford economist Nicholas Bloom, “42 percent of the U.S. labor force [is] now working from home full-time.” In fact, he says: “Almost twice as many employees are working from home as at work.”

They’re isolated. They’re anxious. They’re restless.

According to an article in Harvard Business Review: “Since the outbreak of the pandemic, 75% of people say they feel more socially isolated, 67% of people report higher stress, 57% are feeling greater anxiety, and 53% say they feel more emotionally exhausted.” The data is based on a global study of more than 3700 employees in 10 industries conducted in March and April 2020. It’s important to note that it is now over seven months since these findings were published. Imagine how this same isolation, anxiety, and emotional exhaustion has been compounded by each passing week.

While working at home, employees are even more likely than when in the workplace to spend time during the day focused on non-work activities, like surfing the web or surfing social media channels.

Enter the social engineers

Social engineering has been defined in TechRepublic, as: “Any act that influences a person to take an action that may or may not be in their best interest.” Here are a few common examples:

• Phishing—attempts to get people to “click on a link, download a file, or respond with personal details.”
• Vishing, or phone spoofing—calls made to people designed to get them to share personal information or reset a password.
• Baiting people to get them to take an action like plugging in a found USB stick that contains malware.
• SMS spoofing—getting people to call a number that is designed to steal their personal data.

In the environment we’re in right now dealing with Covid, people are even more susceptible to these types of attacks and general social engineering campaigns than ever before.

What workers need to be wary of

Phishing campaigns have gone up exponentially since the beginning of the pandemic and will continue as the virus rages on. Even once the virus has subsided, phishing campaigns will not. When they’re not focused on spreading compelling, and often inaccurate information about COVID, there are plenty of other issues to exploit — social issues, economic issues, political issues, etc.

“Active measures” – a phrased derived from Russian propaganda and disinformation practices– indicates that the bad players are actively using PR tools in a distorted and fake manner – leveraging everything in order to take advantage of circumstances, bring deception, and ultimately divide people.

People are always, ultimately, behind these attacks, but not always personally spreading them. There are hundreds of thousands of fake accounts that are disseminating news and false content; social networking platforms like LinkedIn, Twitter, Facebook, Instagram, and others are riddled with them. These accounts may look real but, in fact, are completely made up. Disinformation artists and security researchers refer to these as “sockpuppet” accounts — entirely fake accounts set up under the pretext of a real person or company. And the problem gets more complex because many of these accounts are bots, allowing attacks to be launched and to propagate at the speed of code.

These days seeing is not always believing

Everything you see, you have to be skeptical of these days, it seems.

Social media platforms are widely used for the purposeful spread of false content. How do government states use social media to spread disinformation? In a variety of ways, according to The Global Disinformation Order 2019 Global Inventory of Organised Social Media Manipulation:

• 87% of countries use human accounts
• 80% use bot accounts
• 75% use disinformation and media manipulation to mislead users

Suffice it to say that these are organized campaigns purposefully designed to mislead and misinform.

The dangers of data breaches

Of course, disinformation is not the only risk that employees working from offsite locations pose for organizations. They are also at heightened risk for potential data breaches that can put an organization’s information at risk. In fact, 95% of successful data breaches start with a spear phishing attack — an email or electronic scam designed to steal data or install malware on targeted computers.

The crafting behind these campaigns is designed to draw attention — and clicks (often referred to as clickbait). When people click they often introduce malware that can destroy, lock-up or steal information.

The Defense: Education

Given these enhanced risks and the tendency for offsite employees to potentially be engaging more with online information of questionable veracity, it’s important to educate and inform them regularly of the risks. It’s equally important to help employees feel empowered, capable of detecting phishing and disinformation campaigns, and able to take the necessary precautions to protect themselves and your organization from data breaches and the spread of misinformation.

Education is an extremely effective way to get people’s awareness and understanding to a level where they recognize that what they see in their inbox, or on social media, increasingly represents someone — or something — with an agenda.  

Education and preparation are the only defense.