I know most are incensed that there are people who prey on those who are down, literally losing businesses, losing jobs, losing homes, and worst of all battling illness. Super crappy people…who are attempting, and in many cases succeeding, to profit off the COVID-19 crisis.
As so many organizations shift to a remote workforce, we must collectively stay vigilant against cyber attacks and keep up with cyber security to protect ourselves and our businesses.
It’s true we are seeking information, updates, reports, expertise, and reassurance. However, with that comes the influx of material from numerous sources, some of which will be valid, some erroneous, and some downright criminal. Perhaps it’s also true that during this mass information gathering we’ve forgotten to do our due diligence. The emotional side is telling us that people are generally good and that ‘we’re all in this together’. The sinister act of profiteering off education sites, banks, and even the World Health Organization would just be unimaginable. Sadly, we still need to keep our guard up. So, let’s remember back to before COVID-19 and the mass relocation to remote working, to implement the cyber security measures we typically practice and need to reinforce.
Remote workers beware
The cyber security firm AppRiver found cybercriminals targeting at-home employees with messages that notify workers of a positive COVID-19 test within their organization. The messages carry malicious attachments, disguised as descriptions of practices the company is undertaking, that recipients are asked to open, read, and reply to. The attachments contain malware.
Be wary, too, of emails claiming to come from your employer’s IT Helpdesk. The email states that IT personnel are creating a staff portal to help employees keep track of work and stay informed while working remotely, with a link of course. The senders have also been reported to call employees, which seems legit because they appear to be within the same organization and have your name and your area of work. Social sites make it easy to source that information using scraping tools on LinkedIn or other sites. Attackers can gain data such as employees’ titles, organizational structure, known contacts, and even technologies your company utilizes.
Cyber intelligence expert Tom Kellermann (VMware Carbon Black) advises practicing what he calls “digital distancing,” which means employees should keep their work computer attached to a router and network that is separate from their home router. This dedicated work router needs to be updated and protected.
Be your own defense system. Hackers and attackers know the easiest way to get into your systems is through you. Be cautious about emails whose address (when you hover over it) is not legitimate. Don’t open links that are sent with urgency.
“Your package is waiting for you to respond for delivery, your bank needs to verify an online deposit now, your child’s school online course requires a parent verification.” Yes, cyber criminals are targeting those who now need to support their kids’ online learning and are using fraudulent sites that emulate public education systems. Don’t buy into the urgency associated with the scams.
Banks are not calling to discuss the government plans for stimulus cheques and sending unsolicited emails seeking your private information in order to send you money. Check their legitimate websites, log in to your own online banking, or call the number on your bank card to verify their offerings and current support initiatives.
With subsidies and payment deferral offers there are millions of people looking for much needed assistance, but again utility companies are being mimicked and homeowners are supplying personal information thinking they are applying for the payment deferral program. Remember, your service providers already know your personal information and they never ask for banking and payment information over the phone or via e-mail.
Even your children’s school and post-secondary institutions are being targeted. Knowing that parents are expecting online programs, courses, and communications from schools and school boards, scammers are sending phishing e-mails to get at your private information, using the new-normal necessity to help educate your kids. Verify that the e-mail is from the school and that the online education tool is approved by the school board to avoid downloading a virus disguised as a curriculum.
The fraudsters are not just looking to break into your workstreams either. While in isolation a large majority of people are enjoying an evening in, on social media or entertainment providers like Netflix or Disney Plus. So, it’s no surprise scammers are targeting those platforms too.
Precautions you can take
As you work from home, using your home computer and logging into your work accounts, are you guilty of using the same password for every site personally and professionally? If so, you’re an easy target. Sure, coming up with several unique passwords that you’ll actually recall is a pain. Have you ever lost your wallet and needed to cancel cards, have cards reissued, and prove that it’s you? Well, a data breach is worse and more time consuming to recover from. Try using a password manager, which is a specialized program that stores all your unique passwords securely in an encrypted format. Vary it up so that if one account is compromised your other devices and accounts are still safe.
A simple and important step is to enable multi-factor authentication. It uses your password but also adds a second step, such as entering a code sent to your smartphone or from an app that generates the code for you and you simply approve.
When you are deep into work-mode and those update reminders pop up, it’s easy to dismiss the command. However, cyber attackers are always looking for that easy way in, and not updating computers, devices, programs, and apps with the latest versions of software opens those backdoors. When hackers find those vulnerabilities, rest assured they will exploit them and get into your devices using special programs. Updates are just the software companies’ way of trying to keep up with holes that hackers target…and yes, it’s an endless loop so stay vigilant. A simple way to keep up is to enable automatic updates whenever possible, and this applies to nearly all technology connected to a network, including internet-connected TVs, baby monitors, security cameras, home routers, gaming consoles, and even your car.
Another setting on most operating systems and mobile devices is to enable automatic backups for your important information. You can back up to an external drive or to the cloud. If backups are not automatic, do this on a regular basis; it’s recommended that you simply back up at the end of every day once you have saved and closed all programs. To ensure you’re covered it’s best to have an off-site cloud storage service and on-site network storage.
There are many factors in play for being prey. We have embarked on a remote workforce that came quickly for many, who perhaps were not prepared with security measures. Add a society eager for rapidly evolving information on health, education, and politics and you’ve opened the door for virtual opportunists. Be hyper-vigilant during these times as cyber attackers are targeting people’s fears, vulnerabilities, and uncertainties.
Remember, take precautions as you are the best defence against these criminals.
If you think you are being scammed, report it to the organization that is being impersonated. This can help prevent other people from being victimized. The Canadian Anti-Fraud Centre has compiled a list of the reported scams under the COVID-19 guise.
At Levvel we’ve always been a remote workforce and have had cyber security measures in place to protect ourselves the best we can. Here’s a recap of tips to implement:
- Delete sensitive personal and business information off your device when it is no longer needed
- Review how to identify a possible email risk ([Stay Safe Online](https://staysafeonline.org/blog/5-ways-spot-phishing-emails/))
- Set up multi-factor authentication
- Use the organization’s VPN (if they have one), which can monitor abnormal behaviour
- Use a passphrase manager on all workstations and devices
- Install anti-spam, anti-spyware, and anti-virus software on your computer
- If you have the luxury of having one system for work and one personal computer, be consistent in using the business one for work only (and tell your family not to use it)
- If you suspect a phishing scam, communicate with your colleagues to see if they too have received the same, and report it to IT
Just a reminder from Levvel to help you stay physically healthy and cyber safe.
~Cherene Kambeitz, Marketing & Communications Director, Levvel Inc.
Reach out to Connect@levvel.ca