Information security for the new normal. 1 Phishing

April 30, 2020

This is the first of three blogs to highlight the main current and continuing risks and offer some straightforward preventive and mitigating actions.

Cyber criminals have upped their activity

Yes, it’s a fact that cyber criminals have increased some of their activities, such as phishing, in order to exploit information security vulnerabilities that have resulted from the Covid-19 crisis and subsequent home working.

What is phishing?

Phishing emails are designed to look realistic and important, so that you will click on a link that will enable your details to be read and stored in a remote computer. Such details could include personal information, password, bank details and even full log-in information. These phoney but convincing messages are always a threat, but at this time they are even more prevalent, designed to play into our fears and susceptibilities around the coronavirus and looking more plausible than ever.

Be extra vigilant

Please, everyone, be extra vigilant about any email that purports to be offering help with Covid-19, even if it looks as if it comes from our government, the WHO or even your boss. Any ‘call to action’ within an email that requires you to click on a link, a picture, or a video that ‘must’ be viewed should initially be treated with suspicion. This especially applies if the email fulfils any of these conditions set out by our government:

  • Authority – Is the sender claiming to be someone official (like your bank, doctor, a solicitor, government department or your line manager)? Criminals often pretend to be important people or organisations to trick you into doing what they want – including using the names of real people in your organisation.
  • Urgency – Are you told you have a limited time to respond (like in 24 hours or immediately)? Criminals often threaten you with fines or other negative consequences.
  • Emotion – Does the message make you panic, fearful, hopeful or curious? Criminals often use threatening language, make false claims of support, or tease you into wanting to find out more.
  • Scarcity – Is the message offering something in short supply (like tickets, PPE, money or a cure)? Fear of missing out on a good deal or opportunity can make you respond quickly.

Don’t forget

Remember, while coronavirus will be the subject line for many of these phishing emails, other emails will continue to promise you tax rebates and other incentives. Be very aware of emails connected to invoicing. We are all subject to human frailty – the cyber criminals know this and exploit it. Finally, please remember that phishing can also happen via text messages on your phone.

Prevent and mitigate

You may be lucky enough to have a super efficient IT department that is able to manage the security levels for all your home workers’ laptops and phones. Lucky you, but if not:

  • If you are able to, check and adjust your own spam settings
  • Block any websites/email addresses that have tried to spam you previously
  • Stop reading email on your phone – the smaller screen makes it harder to spot any small inconsistency that would raise your suspicions
  • STOP AND THINK before clicking any link in any email – check out the identity of the sender.

Report and learn

If you do inadvertently respond to a call to action in a phishing email (it has happened to the best of us!), then please:

  • Report the incident to your information security/IT officer
  • If the sender was pretending to be, say, HMRC or your bank, report the incident to that organisation. Banks in particular need to know.
  • Change your passwords – and, if you don’t already do so, look into using a password manager that will store your log-ins safely. (Please note those readers who work for local authorities may have other arrangements for email security set by their IT/info sec department.)
  • Run a security scan of your device. This will detect any malware that has been maliciously planted.

Take-away message

Don’t feel bad: we all make mistakes, and information security is partly about learning from those mistakes to make a safer cyber world!