As the COVID-19 pandemic continues to unfold, we are all being forced to adjust our new daily routines, and this includes cybercriminals. Since the start of the crisis, security teams are reporting an overall rise in all types of cyberattacks, ranging from phishing, account takeovers, and even activating long-dormant ransomware attacks. Keeping in mind that we are long passed Nigerian princes, read on for insights on protecting your company from the spate of highly-targeted “phishing” attacks driven by the current crisis.
Phishing is the fraudulent practice of sending e-mails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers. As the law firm Dentons recently learned, phishing attacks can be costly.
$2.5 Million Gone in a Flash
During the course of a real estate transaction, an associate at Dentons’ Canadian arm wired $2.5 million of a client’s money to a Hong Kong bank account. Cybercriminals had set up the account, and induced the associate to send the funds by pretending to be employees of a legitimate mortgage company.
These days, phishing attacks are likely to be specifically targeted and sophisticatedly designed. The consequences can be severe, especially since there is no easy way to retrieve the stolen money. For example, companies cannot ask employees who are duped by phishing scams to pay back their employer.
Urgent E-Mails—Be Careful
There are steps you can take to reduce the likelihood of your company falling victim to a costly cyberattack. First, be especially aware of urgent e-mails. Cybercriminals like to use “urgent” requests for personal information to create a sense of panic in the recipients that they have a deadline to meet. Their panic may cause them to skip past carefully reading the e-mail’s contents.
Phishing attacks have become more difficult to detect as cybercriminals impersonate trusted institutions such as banks, employee HR portals, or a frequented account like Amazon. At quick glance, the e-mails may seem legitimate, but look closer, and you will find a discrepancy.
Cybercriminals may set up an e-mail address that appears to be from a reputable institution, but closer inspection reveals it is fraudulent. For example, the fraudster might have an e-mail address of firstname.lastname@example.org instead of email@example.com. Upon receiving an “urgent” e-mail, an employee may be too rushed to notice the e-mail spelling is incorrect and thus a fake.
Companies should promote careful e-mail practices to avoid being scammed. Taking an extra 30 seconds to look carefully at an “urgent” e-mail request might save your firm millions. Employees also should get in the practice of making quick confirmation phone calls to supposed senders of suspicious e-mails, just to make sure they’re who they say they are.
Read E-Mail Text Carefully
One popular phishing tactic is to impersonate a corporate official and “accidentally” send out a spreadsheet that purports to contain sensitive information, such as employees’ salary details. If an employee receives an e-mail he knows he should not have received, it should set off alarm bells. The “spreadsheet” may in fact be a malware delivery vehicle that can compromise the firm’s security software.
Companywide training can help to prevent attacks from being successful. Employees should be told about the most common tactics cybercriminals use, and protocols should be implemented in the case of a mistake. In an age of ever-increasing sophistication from online fraudsters, special care is needed from all employees, especially regarding e-mail habits and practices.
Experts also have recommended using anti-impersonation technology and sender reputation scoring to monitor e-mail in boxes and ensure cybercriminals’ attempts at fraud aren’t successful. Secure messaging, technical antiphishing devices, and core security controls such as multifactor authentication and password managers can help as well. While all of this may seem like overkill, the safeguards might just save your firm in the long run.
|Jacob M. Monty—the managing partner of Monty & Ramirez, LLP and editor of Texas Employment Law Letter—practices at the intersection of immigration and labor law. He can be reached at firstname.lastname@example.org.|