The heightened fear and anxiety that COVID-19 is causing people worldwide brings vulnerable targets for cyber hackers, says David Simpson, a professor at the Pamplin College of Business at Virginia Tech.
"We are living in a heightened time of cyber risk. Cyber criminals will take advantage of public fear and due diligence health measures to generate coronavirus themed phishing attacks. We should be aware of unsolicited COVID-19 emails with specious links or attachments," says Simpson, a retired U.S. Navy admiral who previously served as chief of the Federal Communications Commission's Public Safety and Homeland Security Bureau.
In addition to scams that prey on people's fear — the uncertainty and doubt regarding their own health — Simpson explains that the increased utilization of voice, video, and data to replace in-person contact will open new threat vectors.
As many organizations shift to remote work environments, Simpson offers the following tips to avoid online scams.
- Employees working from home for the first time will potentially use PCs, laptops, tablets, and smartphones that are not protected to the same level as workplace devices. Consider using additional risk reduction measures like document and file encryption, VPNs, regular scanning, and other best practices to lower the potential for business intellectual property or financial theft.
- The use of company credit cards to replace more rigorous financial office processes can expose business accounts. Employers should work with their banks and credit card companies to reduce exposure and limit potential losses should an ad-hoc process compromise account information.
- Time and attendance programs for employees that don't normally work from home are commonly exploited. Employees want to and think they are doing the right thing to document their time, but they can be directed to a false site and ultimately fooled into sharing credentials that incrementally lead to more sensitive accounts.
- Increased network traffic from massive telework can lead to network disruptions. Employee attempts at workarounds can incorrectly set up VPNs or not recognize traffic re-direct attacks. Distributed denial of service attacks can not only shutdown work functions but can also lead to less secure workarounds.
- Companies should take steps to ensure their employees know where to call when suspicious events occur, staff up to handle non-standard help desk issues and err on the side of caution for IT environments they have little control over.
- Organizations that were used to getting 'in-person' permission to do something are now implementing new approval processes that could be susceptible to man-in-the-middle attacks. They should be thinking about multi-factor authentication for newly established ad-hoc practices.