Published on April 13th, 2020
Remote security: 5 common myths about phishing scams
Scammers will always try to capitalize on a crisis, and the COVID-19 pandemic is no exception.
Government agencies, security firms, and other organizations have been regularly issuing warnings about various online threats related to the public health crisis. They include a rise in phishing attacks that use COVID-19 — and related topics like medical supplies or government financial assistance — to attempt to dupe people into sharing login credentials, sending money, installing malware, or making other costly mistakes. Plenty of "classic" phishing attacks are increasing too, targeting stressed, time-pressed people.
"In both the U.S. and UK, we are seeing a huge increase of scam emails offering quick access to government money, as well as cold-calling tactics where people get tricked into passing over bank account details in order to receive payments," says Laurence Pitt, global security strategy director at Juniper Networks.
There's a reason why malicious actors continue to use this seemingly tired, old tactic: Phishing works. That's particularly true in a crisis. Cybercriminals are essentially betting that the anxiety and turmoil that so many people are currently experiencing will make them more likely to fall for the con. Add in large segments of the workforce suddenly and unexpectedly working from home — and relying on email, Slack, videoconferencing, and other digital communication tools more than ever — and you have a security tempest on the horizon.
5 phishing myths, busted
This is all compounded by a false sense of security among many of us. Phishing has been around forever, and most of us think we can spot a scam email or robocall with little effort. That is the first of five critical misconceptions about phishing that we're here to debunk — with expert help from IT leaders and security pros.
Myth 1: Only rubes and noobs fall for phishing scams
This isn't true even in normal conditions — and current conditions are anything but normal.
"The biggest misconception about phishing attacks is that tech-savvy users won't fall for it," says Matt Wilson, chief information security advisor at BTB Security. "When working with organizations and testing their security posture, we regularly succeed in carrying out a staged phishing attack, even when targeting IT, InfoSec, and senior management."
The related misconception here is that all phishing attacks are obvious. That's not true, either.
"Many phishing emails look exactly the same as a normal email from the relevant party," Mike Bursell, Red Hat's chief security architect, noted recently. "To be clear, it is impossible for anyone, even an expert, to ascertain at first look whether a polished and sophisticated phishing email is genuine or not. There are ways to tell, if you're an expert, by looking in more detail at the actual details of the email, but most people will not be able to tell." He notes that he has nearly been caught recently, as have his family members.
Moreover, phishing attacks have become increasingly targeted to their individual recipients, making them harder to detect than most people expect.
"Attackers are increasingly mining data available via social media to tune their messaging and increase the chance of someone clicking on their malicious link," Wilson says.
Pitt points out that even the practice of hovering over a link to see if the underlying URL looks valid isn't foolproof: His team has noticed an increase in the use of obfuscated links that appear legitimate but then redirect to a malicious site.
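As an added illustration of that point (example code written for this page, not the article's or Juniper's), the following Python checker examines the links in a constructed HTML message body and flags the two tricks just described: anchor text that shows one URL while the href points at a lookalike host, and a trusted-looking href that forwards to another site through a redirect parameter. All domain names are made up, and the two-label domain check is a simplification.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample message body; all domain names are made up for this example.
# The message claims to come from the (hypothetical) employer domain example-corp.com.
SAMPLE_HTML = """
<p>Please confirm your remote access.</p>
<a href="https://portal.example-corp.com/login">portal.example-corp.com</a>
<a href="https://example-corp.com.login-check.net/sso">https://portal.example-corp.com/sso</a>
<a href="https://links.example-corp.com/r?u=https%3A%2F%2Fcollect.example.net%2Fw2">Download your W-2</a>
"""

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registered_domain(url):
    """Last two labels of the URL's host: a rough stand-in for the registrable domain."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def nested_urls(url):
    """Full URLs carried in the query string, the shape of a redirect-style link."""
    found = []
    for values in parse_qs(urlparse(url).query).values():
        found += [unquote(v) for v in values if unquote(v).startswith(("http://", "https://"))]
    return found

def suspicious_links(html, trusted_domain):
    """Return (href, reasons) for each anchor that does not clearly land on trusted_domain."""
    findings = []
    for href, inner in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", inner).strip()   # visible link text, tags removed
        reasons = []
        if registered_domain(href) != trusted_domain:
            reasons.append("destination host is not " + trusted_domain)
        # A hover check is fooled when the text shows one URL and the href goes elsewhere
        if text.startswith(("http://", "https://")) and registered_domain(text) != registered_domain(href):
            reasons.append("visible URL text differs from the real destination")
        # A trusted-looking href can still bounce through a redirect parameter
        for target in nested_urls(href):
            if registered_domain(target) != trusted_domain:
                reasons.append("redirect parameter points to " + registered_domain(target))
        if reasons:
            findings.append((href, reasons))
    return findings

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_HTML, "example-corp.com"):
        print(href, "->", "; ".join(reasons))
```

Run as written, it reports the second and third links and leaves the genuine portal link alone.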
Even before COVID-19, CIO Jason James of NetHealth became a fan of frequent, specific phishing training for users - including, and especially, he says, C-suite executives. "Security awareness must be frequently tested to determine effectiveness," he notes. "Use your security awareness solutions to create phishing attacks that are specific and relevant to your users, similar to how hackers could target your user base." If it is tax season, send users a link for them to download their W-2 forms, he says. If a longstanding team member is retiring, create a LinkedIn request.
"I have been called sneaky or even mean because of some of the phishing tests I have created," James notes, "but seeing a decline in successful internal phishing attempts reinforces why I must continue to test and reinforce awareness." For more advice from James, read How to fight deepfakes and ransomware: Better security training.
Myth 2: This is the same old phishing threat
Again, these are not normal times. Even an apparently obvious phishing attempt — like the email with the subject line "Attractive prices for surgical mask in stock" that recently landed in my spam folder — can fool people in times of crisis. When their work and life in general has been upended, people may become more likely to open emails, click links, or download attachments that appear to be from a trusted source. Distraction is high.
"This is what the bad guys are relying on," Pitt says. "It's why these types of emails very often arrive at 3 p.m. on a Friday when people are getting ready for the weekend and therefore more likely to click first and think later."
While phishing has been around forever, a "same ol', same ol'" attitude is misguided. Abnormal conditions create abnormal risks.
"In a controlled environment with no stress, most people would laugh at the thought of their superior asking them to send $1,000 worth of gift cards to them right away to save a big deal," says Jerry Gamblin, principal security engineer at Kenna Security, who adds that stress has been shown to lead people to make riskier decisions. "Now, with people at home and worries about job security, people are willing to do things they wouldn't have a few days ago."
Myth 3: Phishing risks are similar when working from home
With so many people suddenly working from home, phishing-related risks are fundamentally higher. Think about how many messages people are receiving at the moment, including from their employers, schools, and other trusted sources. Consider how many times a day people are now signing into different platforms and applications, some of them probably new or with far greater frequency. And again, consider the outsized levels of stress and distraction people are experiencing. The risk landscape has changed.
"Remote employees need to be extra vigilant for phishing attacks," says Arun Kothanath, chief security strategist at Clango. "The rapid proliferation of work-from-home policies driven by COVID-19 creates a potentially serious identity and access management vulnerability, and offers a rare opportunity for bad actors to pose as employees to access critical information by exploiting and profiting from this crisis."
The type of scam targeting remote workers that Kothanath's firm is seeing most frequently right now is a phishing campaign in which the sender poses as an IT manager (or similar title) at the person's employer and preys upon the abrupt transition to remote work.
"The email will typically ask employees to sign in to an online portal using their credentials to ensure they still have access to a business-critical resource [from home]," Kothanath says. "Attackers will capture those credentials and then can move laterally and vertically throughout an organization until they capture the data or access they desire."
Let's break down two more phishing myths: