Think very carefully before clicking on a tempting link purporting to be from the World Health Organization (WHO), or similar, with positive information about the cure for COVID-19. Chances are it’ll be a hacker preying on your understandable anxiety about the coronavirus pandemic.
In haste to uncover the supposed good news you could inadvertently reveal personal and professional secrets. Indeed, in these strange times, when it comes to cybersecurity, it’s worth stopping and asking yourself: “WHO – can you trust?”
As millions of us scramble to make sense of this black swan event, and home-working becomes the new normal, criminals are seeking to capitalise on the widespread panic – and succeeding, alas. New coronavirus-themed phishing scams are leveraging fear, hooking vulnerable people and taking advantage of workplace disruption.
Data from artificial intelligence endpoint security platform SentinelOne shows that from February 23 to March 16 there was an upward trend of attempted attacks with peaks at 145 threats per 1,000 endpoints, compared to 30 or 37 at the start of that period.
“The most effective phishing attacks play on emotions and concerns, and that coupled with the thirst for urgent information around coronavirus makes these messages hard to resist,” says Luke Vile, a cybersecurity expert at PA Consulting. “Societally, we’ve never experienced this situation before, so all rules are off in terms of how people behave. While there is an intense urge to react to good news, it is risky.”
Bad actors cashing in on COVID-19
In the UK alone, victims lost over £800,000 to coronavirus scams in February, reports the National Fraud Intelligence Bureau. One unlucky person in particular was left £15,000 lighter after buying face masks that never arrived. Who would confidently guess at the March figure?
Banking trojan malware is masquerading as a WHO-developed mobile application helping individuals recover, or virtual private network (VPN) installers. And consider that Check Point research shows some 4,000 COVID-19 domains have been registered this year, many likely fronts for cybercrime.
“So-called ‘scareware’ will only ramp up as uncertainty rises and online searches increase as people seek information about the outbreak and solutions,” predicts Terry Greer-King, vice president of Europe, Middle East and Africa at California-headquartered cyber organisation SonicWall. “In 2019, malware and ransomware took a fall, 6 per cent and 9 per cent respectively. Now they are coming back because of the global health crisis.”
Proofpoint senior director Sherrod DeGrippo notes that cybercriminals have “sent waves of emails that have ranged from a dozen to over 200,000 at a time”, and the number of campaigns is “trending upwards”. He says: “The COVID-19 lures we’ve observed are truly social engineering at scale.
“They know people are looking for safety information and are more likely to click on potentially malicious links or download attachments. Approximately 70 per cent of the emails Proofpoint’s threat team has uncovered deliver malware and a further 30 per cent aim to steal the victim’s credentials.”
Cyber homework for home-working
Dave Waterson, chief executive of SentryBay, a UK-based company specialising in software to protect applications and endpoints, notes that COVID-19-infected bodily fluids are selling for just $1,000 (£850) on the Dark Web. He forecasts that cyberattacks will rise by “up to 40 per cent” during the COVID-19 pandemic.
As working from home becomes more predominant he warns: “It is down to organisations to ensure any endpoint that an employee is using is fully protected. And as the Absolute 2019 Global Endpoint Security Trend Report showed, 42 per cent of endpoints are unprotected at any given time.”
Worryingly, Apricorn research published last year found that one third of IT decision-makers admitted their organisations had suffered a data breach as a result of remote working. Further, 50 per cent were unable to guarantee that their data was adequately secured when being used by remote workers.
The surge in virtual conferencing and other collaboration tools could expose more vulnerabilities for hackers to exploit. “Companies quickly adopting consumer-grade video conferencing can make it easy for an attacker to pretend to be a member of staff,” points out Elliott Thompson, principal cybersecurity consultant at SureCloud. “The industry is going to have to be dynamic and responsive on this front – as we always try to be.”
What, then, can businesses and their workers do to shore up their cybersecurity? The government’s National Cyber Security Centre published a home-working guide earlier this week that offers tips for organisations introducing home-working as well as highlighting the telltale signs of phishing emails.
Robert Krug, the network security architect for antivirus software giant Avast, offers more evocative advice. “Computer viruses can spread just as easily as human viruses,” he says. “Just as you would avoid touching objects and surfaces that are not clean, so should you avoid opening emails from unknown parties or visiting untrusted websites.
“In short, the same steps that one takes to ensure they don’t get sick should be translated into steps that keep devices and networks secure. You may use hand sanitiser to remove germs from your hands, and you should have an effective antivirus solution to keep germs off your computers and networks.”
You have been warned.
Embrace quick and inexpensive wins
“Enable multi-factor authentication wherever possible, adding another layer of security to any apps you use,” says Jeremy Hendy, head of Skurio. “Additionally, a password manager can help avoid risky behaviour such as saving or sharing credentials. Both types of products offer cost-effective solutions for organisations.”
Roy Reynolds, technical director at Vodat International, says: “Having a VPN solution, which sits on the PC, laptop, or mobile device and creates an encrypted network connection, should be encouraged. A VPN makes it safe for the worker to access IT resources within the organisation and elsewhere on the internet.”
Update cybersecurity for home-working
“Does your current cybersecurity policy include remote working?” asks Zeki Turedi, technology strategist at CrowdStrike. “Ensure the policy is adequate as your organisation transitions to having more people outside the office. They need to include remote-working access management, the use of personal devices, and updated data privacy considerations for employee access to documents and other information.”
Only use work devices
“Communicate with colleagues using IT equipment provided by employers,” warns Luke Vile of PA Consulting. “There is often a range of software installed in the background of company IT that keeps people secure. If a security incident took place on an employee’s personal device, the organisation – and the employee – may not be fully protected.”
Tighten up network access
Daniel Milnes, an information lawyer at Forbes Solicitors, says: “Without the right security, personal devices used to access work networks can leave businesses vulnerable to hacking. If information is leaked or breached through a personal device, the company will be deemed liable.”