Little did we realise twelve months ago how relevant our previous article was going to be when we wrote about the increased risk associated with remote working. With over 4.3 million people (32% of working Australians) working from home since the start of the COVID-19 pandemic lockdown, we are witnessing a working-from-home revolution. In our previous article we discussed how the blurred boundaries between home and office increase business risks, and inevitably the new norm has brought new risks for us to confront.
Scams with a new theme
COVID-19 themed attacks are becoming increasingly noticeable and are constantly evolving, as scammers take advantage of the widespread anxiety about the pandemic. Since the start of the COVID-19 lockdown there have been more than 4,000 scams reported mentioning the coronavirus, with over $3,283,038 in reported losses. The number of fraudulent emails has increased since the COVID-19 crisis began, with one in four individuals reporting an increase in phishing attempts. Criminals are now targeting people in their homes which, in many cases, are now their offices too.
The new norm in COVID-19 ways of working widens the gateway for data breaches and increases cyber risks to corporates as employees are seen as a weak link in corporate IT security systems. Both corporates and individuals need to be vigilant with COVID-19 themed fraud and scams. Recent case studies from the Australian Cyber Security Centre (ACSC) provide good examples illustrating what these scams look like:
- Banking themed SMS phishing: On Monday 30 March 2020, 16 instances were reported to the ACCC of people receiving SMS messages purporting to be from "Westpac", containing links that direct recipients to a malicious website attempting to steal personal information.
- Government officials spoofed in email phishing: On 7 April 2020, an Australian Government department reported that one of its senior employees fell victim to a COVID-19 themed phishing campaign. His email account was then misused by the attackers to send an attachment with embedded malware designed to steal sensitive information, including banking usernames and passwords.
- Australian Government impersonation phishing: Cybercriminals are impersonating the Australian Government, contacting individuals about COVID-19 assistance payments in order to steal personal information. In this case, people were lured with the promise of a "benefit payment" in exchange for providing identity information.
- Fake cash bonus phishing email: On 3 April 2020, a phishing email purporting to come from the Payroll Admin department was sent to hundreds of staff within a large Australian company, notifying employees of a $1,000 benefit payment to be delivered in the March payroll, with a link to register. The link led to malicious software designed to be installed into the company's corporate network environment.
- COVID-19 testing themed phishing: The ACSC received various reports of malicious emails and texts offering COVID-19 testing and information from seemingly trusted sources such as the WHO or Government, but containing malicious attachments or links.
- IT service scams: An increasing number of reports describe scammers pretending to be an employer's IT help desk, a telco, or even the ACSC, asking people to log into a new portal or to "fix an issue". Recipients who click on the link are directed to a malicious website that lets cybercriminals gain unauthorised access to the company's corporate network.
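The case studies above share a few observable traits: a display name or message body that invokes a trusted brand, a sender or link domain that does not belong to that brand, raw IP addresses in links, and a lure ("benefit payment", "fix an issue", "new portal"). The following Python script is an added example written for this article, not tooling from the ACSC or from the original page; it runs those heuristics over three constructed messages modelled on the Westpac, payroll and government cases. The brand-to-domain table and the lure phrase list are assumptions for illustration and would need to be replaced with the real organisation's own allow-list before use; it is a triage aid, not a substitute for a mail security gateway.

```python
import re
from urllib.parse import urlparse

# Hypothetical allow-list: brands that scammers impersonate and the domains
# they legitimately send from. Constructed for this example; verify the real
# domains with the organisation concerned before relying on this table.
BRAND_DOMAINS = {
    "westpac": {"westpac.com.au"},
    "ato": {"ato.gov.au"},
    "mygov": {"my.gov.au"},
}

# Lure phrases drawn from the scam themes described in the article (assumed list).
LURE_PHRASES = ("benefit payment", "bonus", "verify your account", "fix an issue",
                "new portal", "covid", "coronavirus", "testing")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def registrable_domain(host):
    """Crude registrable-domain extraction: last two labels, or three when the
    TLD is a two-part ccTLD such as com.au / gov.au. Sufficient for a triage
    heuristic; a production tool should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and labels[-2] in ("com", "gov", "net", "org", "edu")
            and len(labels[-1]) == 2):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brands_mentioned(text):
    """Brands named in free text, matched on word boundaries so that 'ato'
    does not fire on 'indicator'."""
    t = text.lower()
    return {b for b in BRAND_DOMAINS if re.search(rf"\b{re.escape(b)}\b", t)}


def assess_message(display_name, sender_addr, body):
    """Return a list of human-readable indicators found in one message."""
    findings = []
    sender_domain = registrable_domain(sender_addr.split("@")[-1])
    claimed = brands_mentioned(display_name) | brands_mentioned(body)

    # Brand invoked in the display name or body, but the sender domain is not theirs.
    for brand in sorted(claimed):
        if sender_domain not in BRAND_DOMAINS[brand]:
            findings.append(f"sender domain {sender_domain} does not belong to {brand}")

    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        dom = registrable_domain(host)
        # Lookalike host: brand name appears in the hostname of a foreign domain.
        for brand in sorted(claimed):
            if brand in host and dom not in BRAND_DOMAINS[brand]:
                findings.append(f"link host {host} looks like {brand} but is not a known {brand} domain")
        if IPV4_RE.match(host):
            findings.append(f"link uses a raw IP address {host}")

    lures = [p for p in LURE_PHRASES if p in body.lower()]
    if lures:
        findings.append("lure phrases: " + ", ".join(lures))
    return findings


def is_suspicious(display_name, sender_addr, body):
    """Two or more independent indicators is the (assumed) triage threshold."""
    return len(assess_message(display_name, sender_addr, body)) >= 2


# Constructed sample messages modelled on the case studies; none are real captures.
SAMPLES = [
    ("Westpac", "alerts@westpac-secure-login.com",
     "Your Westpac account is locked. Verify your account at http://westpac.secure-login.com/verify"),
    ("Payroll Admin", "payroll@acme-corp-payroll.com",
     "A $1,000 benefit payment will be delivered in the March payroll. Register at http://203.0.113.5/register"),
    ("Westpac", "noreply@westpac.com.au",
     "Your statement is ready at https://www.westpac.com.au/statements"),
]

if __name__ == "__main__":
    for name, addr, body in SAMPLES:
        verdict = "SUSPICIOUS" if is_suspicious(name, addr, body) else "ok"
        print(f"[{verdict}] {name} <{addr}>")
        for f in assess_message(name, addr, body):
            print("   -", f)
```

The third sample shows the important negative case: a genuine Westpac message is not flagged just because it names the brand, since both the sender and the link resolve to an allow-listed domain. The payroll sample is caught only by the raw IP and the lure phrase, which is why the internal-sender check (is the "Payroll Admin" address actually your own domain?) would be the first thing to add when tailoring this to a particular organisation.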
How to protect ourselves in the new norm?
We have previously discussed using company issued equipment, encryption, endpoint management and education as key areas of focus for reducing risk in a remote working environment. After six months of COVID-19 enforced remote working, those of you who followed those steps will have been stood in good stead, and these recommendations hold true today. However, if you are only now turning your mind to protecting your business and your customers' data, there are still some quick wins that you can achieve by following the framework below:
- Identify critical systems and data (particularly sensitive data). Assess the risks and impacts should an incident occur;
- Protect the areas of high risk and impact first, through cyber awareness training that is tailored to roles and systems, enforcing multi factor authentication on any system accessible via the internet, and encrypting data wherever it is stored or transmitted;
- Detect any anomalies that occur in your environment by using tools already at your fingertips, such as Microsoft 365's Security & Compliance Centre, or by deploying an endpoint monitoring system that uses AI to warn about changes in behaviour;
- Respond to incidents quickly and efficiently, by preparing an incident response plan in advance and ensuring you have the expertise you need to deal with an incident either in house or on retainer; and
- Recover from incidents by devising a recovery plan in advance, making sure adequate backups of systems and data exist, and improving your controls using lessons learnt.
The level of detail and effort you will need to apply to each of these areas will vary depending on the size and complexity of your organisation. The COVID-19 pandemic has introduced new forms of cyber threat, so protecting ourselves from data breaches and minimising risk requires more attention and control from both organisations and individuals to ensure we are safe to work online.