2020 was a year like no other. The first true global pandemic in our modern age rocked the world, throwing our way of living and doing business into turmoil. Organizations were forced to adapt in a remarkably short time, as were their employees. One day, we were commuting to work as usual, then almost overnight, we were told we could not come to the office. We were told we could not go out to eat, we were even told we could not get toilet paper.

As difficult as it was to cope with the initial shock, the persistence has been another matter entirely. With the continued economic struggles, political turmoil and a general sense of uncertainty, this has been a truly challenging time for people both professionally and personally.

And this is fertile ground for scammers.

You see, scams get their power from emotions and deception, and are nothing new. As a matter of fact, although the term ‘scam’ is fairly new to the world, likely originating as recently as 1963, the concept is much older. I am talking about the concept of the ‘con’. A ‘con’ has been described as “Confidence with a sense of assurance based on insufficient grounds” and dates back to the late 1500s. I speculate that the practice of wanting something that someone else has, and tricking them into giving it up, probably goes back to the time of cave paintings, or even earlier.

The basic recipe for a scam or con is almost always the same. The scammer gets the victim to trust them, then uses that trust to convince them to do something that is not in their best interest. This action has historically been related to losing money or property, but in modern times has expanded to include information or access to something as well.

Over the years, scammers have fine-tuned their craft, and these scams have even made the move from the traditional route to the digital world without missing a beat. For example, the universally recognized ‘Nigerian Prince Scam’ started off using traditional mail services to spread. Even before that was the Spanish Prisoner scam, likely a predecessor to the Nigerian one. The move to digital distribution through email not only eliminated the unpleasant task of licking and affixing stamps to paper envelopes, but also significantly reduced the cost of staging the attacks. In my recent checks on the dark web, the cost to send 50,000 phishing emails through a criminal service was $65.00. The cost of the stamps alone to send letters to 50,000 people would be $27,500.00. It is no wonder that email phishing is so popular.

Through the years, these scammers have figured out what emotional hooks work best and know how to counter almost any pushback or suspicious questions. They use psychological tricks to ensure the target is kept in a state of high emotions. Whether the emotion is fear, outrage, anger, helpfulness or any of an array of other emotions, the result is the same. It causes people to make poor decisions.

Think of a time when you felt a significant amount of anxiety or fear. Now consider how comfortable you would be making important decisions in this state, especially ones involving complex calculations or critical thinking. Typically, when in a state of high emotions, our ability to concentrate is greatly diminished and our decisions are error-prone. This is the mental state where scammers want their targets. If you have ever fallen for a scam, when you look back on the chain of events, it is often very clear where you missed seemingly obvious signs of the deception. This is typical with hindsight and with the removal of the emotional factor clouding our judgement.

Now, let’s consider how the pandemic has impacted the world of cybercrime. In the beginning, the move to work from home was swift, with organizations being closed and the workforce being sent home to work with little or no warning. People began stockpiling items and even staples such as toilet paper became a scarce commodity. As schools closed, the students were forced to start doing classes online, something a lot of families were not prepared for. Many found themselves in financial difficulties. For those still working, with daycares closing, childcare became an issue, and many people did not have laptops or computers set up at home to support these changes. Even webcams became nearly impossible to get unless you were willing to pay the scalpers’ prices.

This kind of stress is a gold mine for scammers.

Figure 1: New COVID-19 Phishing Templates by Week

In the weeks following the shutdowns related to COVID-19, the cybercriminals did not rest. Instead, they focused on creating new attacks. Figure 1 shows the staggering increase in new COVID-19-related phishing templates in the weeks following the shutdown.

Phishing emails varied in their messages, themes and goals; however, almost all focused on the uncertainty of the new pandemic. They included emails purporting to be from the government or global organizations such as the World Health Organization (WHO), offering newly updated guidance, but instead leading to malware-infected documents or fake portals requiring sensitive information to ‘confirm’ the victim’s identity. Others used the scarce information about the stimulus packages to target banking information or sensitive personal information, such as social security numbers, by sending victims to fake websites claiming to be a portal to confirm information for the upcoming payments. Still others used fake mobile apps, claiming to be government-made COVID-19 contact tracing applications, to spread ransomware. Obviously, there were plenty of ways to use this time of uncertainty against the victims.

Besides phishing, scams ran rampant. With individuals and organizations of all sizes struggling to get personal protection equipment (PPE) and staples such as hand sanitizer and bleach, the field was ripe for the picking. Because the normal supply chain was stretched to the breaking point, people and organizations were forced to look to new vendors for relief. As a consequence, a number of organizations were suckered out of money by scammers selling them PPE they did not have. These organizations included hospitals and research facilities as well as traditional businesses and even individuals. 

As time has passed, the supply issues have eased up on PPE and associated supplies; however, some still remain difficult to find. As we pass the one-year mark of the pandemic shutdowns, we still face some significant challenges ahead. The prices of oil and gas are on the rise, plastics are becoming more expensive, steel and other metals are rapidly increasing in price and imports and exports are stuck at the docks waiting to be loaded or unloaded. A shortage of microchips is even impacting new car manufacturing.

As we continue to deal with this pandemic, we must also work to help people recognize these scams better. Whether the goal is theft of data, identities or money, the impact is significant at the organizational or personal level. Educating people on these dangers as well as the methods to spot the scams and protect themselves has never been more critical than it is now.