We’ve been predicting it, and feeling it, but now the numbers are in. Officially, cybersecurity attacks have increased significantly since the start of the COVID-19 crisis – in particular the lockdown.
What Tipped Us Off – It Fits the Patterns of the Cybercriminal Playbook
First, it’s important to understand that cybercriminals are opportunists. If a critical flaw or vulnerability is found in a popular piece of software, they try to take advantage of it before the entire world updates the software. This is called a zero-day attack.
On the other hand, if they can profit without needing to develop malware or other software (that can take time and money to produce), they will. We see this a lot with phishing attacks. There is nothing revolutionary about a phishing attack. It’s not difficult to spoof an email to try to trick somebody. The fact that it works so well is why it is one of the most prominent and dangerous types of attacks targeting businesses today.
Cybercriminals have been known to take advantage of chaotic situations. Just look at how most phishing attacks work – the messaging sounds urgent, often claiming that if the user doesn’t take action right away, they will lose money or access to their account. A lot of phishing attacks claim that an account is being hacked or compromised, which then leads the user to get tricked, which then leads them to actually get compromised.
Remember when fake antivirus software was a huge emerging problem? Websites would beep at you and pop ups would come up saying that your computer is at risk and viruses were detected on your computer. It would have you install a fake antivirus application that then either demanded money or simply infected your computer even more.
We saw it happen in 2014 with the Ebola crisis. Cybercriminals sent out spam emails offering Ebola virus safety tips that turned out to be malware.
It’s going to be an ongoing trend – when the general public is undergoing an event that causes any kind of anxiety or stress, there will be a cyberthreat to go along with it. It’s a new fact of life, and we all need to live with it, understand it, and not let it trick us.
How Cybercriminals are Exploiting Businesses During the Pandemic
Let’s be honest, we’ve been talking about the COVID-19 pandemic pretty regularly in our blog. The entire world has been talking about it. This has been an event, to say the least. We’ll all be telling our grandkids about that time we all had to stay inside, and how for a while, it was impossible to buy toilet paper. We’ve yet to see how the pandemic ends – we’re still living in it. It’s been stressful. It’s become a political hotpoint. It’s exhausting and we’re all just trying to work through it. For many, the strong threads that keep everything normal and keep us alert and diligent have worn down and frayed a little bit from this whole ordeal.
It’s pretty safe to say that many people have their guard down, when it comes to cybersecurity. They are worried about their jobs, worried about getting a new job, worried about their kids, worried about their parents, worried about the economy. You get the idea.
With all that anxiety, it’s much easier to let your guard down. I’m not just talking about you – reading an article about cybersecurity shows that you are still thinking about it, and we’re really glad. I’m talking about all of your co-workers, all of your employees, and, if your staff is working from home on personal devices, all of their family members.
Some cybersecurity experts are recording a 260% rise in cyberattacks since the beginning of the pandemic. These attacks are, in a small part, due to less strict security on home computers for remote workers, but it’s primarily due to more aggressive phishing attacks and other scams around COVID-19. These phishing attacks include offers for face masks, tests, or other scams that lead to malware or the theft of sensitive information.
Other threats include fake banking apps (more and more people are doing their banking from home, which means it’s another vector to exploit), sextortion scams (ransom emails claiming that the hacker stole browser history or webcam footage while the user was visiting questionable websites), and other ways to defraud or otherwise infect a user’s PC.
It’s Time to Stop Thinking Cybersecurity is Just a Technology Issue
A business needs strong cybersecurity measures. That includes a solid backup solution, firewalls, centralized antivirus, encryption, network/user policies, mobile device strategies, VPNs, and other technological solutions that will prevent threats from getting in and sensitive data from getting out. That said, it only takes a single user to cause the whole system to crumble. One weak or leaked password, one hijacked email account, or one backdoor left open can defeat the purpose of all of your security.
It’s more critical than ever to do cybersecurity hygiene checks with your entire staff, and show them the importance of protecting themselves online. There are huge repercussions at stake, and education is going to be a critical tool to keeping your business safe.
For starters, share this guide with your staff:
How to Spot a Phishing Attack
Phishing attacks are fake emails sent by cybercriminals designed to look like real, legitimate emails. It’s possible that you could get phishing attacks in your work email, your personal email, and even on social media, text messages, and other forms of communication.
Phishing emails are one of the most common threats to businesses today. Phishing emails usually sound very urgent, in order to get you to act quickly without thinking (they get your guard down)! Here are some ways to spot a phishing attack:
- Carefully hover (don’t click!) over links and see if they go to a legitimate URL. If the email is from Paypal, a link should lead back to paypal.com or accounts.paypal.com. If there is anything strange between ‘paypal’ and the ‘.com’ then something is suspicious. There should also be a forward slash (/) after the .com. If the URL was something like paypal.com.mailru382.co/something, then you are being spoofed. Everyone handles their domains a little differently, but use this as a general rule of thumb:
- a. paypal.com – Safe
- b. paypal.com/activatecard – Safe
- c. business.paypal.com – Safe
- d. business.paypal.com/retail – Safe
- e. paypal.com.activatecard.net – Suspicious! (notice the dot immediately after Paypal’s domain name)
- f. paypal.com.activatecard.net/secure – Suspicious!
- g. paypal.com/activatecard/tinyurl.com/retail – Suspicious! Don’t trust dots after the domain!
- Check the email in the header. An email from Amazon wouldn’t come in as email@example.com. Do a quick Google search for the email address to see if it is legitimate.
- Always be careful opening attachments. If there is an attachment or link on the email, be extra cautious.
- Be skeptical of password alerts. If the email mentions passwords, such as “your password has been stolen,” be suspicious.
We hope everyone continues to remain safe and productive. If you have any questions, or need any assistance with your cybersecurity, or just want to do an overall health check for your business, don’t hesitate to give us a call at (610) 828- 5500.