How to spot a phishing attack while working from home

"You have won €1 million, just click on the link attached to collect your prize" is an email that should fool no one these days. However, phishing emails, the fraudulent attempt to garner information from the email recipient, has become somewhat more sophisticated in recent years. In fact, Google was blocking about 18 million coronavirus scam emails per day at the start of the pandemic.

In the race to provide employees with the tools and technology to allow them to work from home when lockdown began in March, many businesses may have prioritised productivity over security concerns. However as time goes on, it’s imperative that employees are empowered to spot and report threats such as phishing.

As well as this, employees are more commonly using smartphones and mobile devices for conference calls, the sending and storing of files or tethering. This now makes them an even more valuable potential target for hackers. With the rush to use cloud based applications like Teams and Zoom, how do you ensure privacy for those at home? Some think there has been a slight oversight or relaxation of control in extending the corporate network into people’s living rooms.

"Employees are always the first line of defence when it comes to cybersecurity and this is why awareness of cyber threats is vital in today's landscape, Anthony O'Callaghan, CIO, Carbery Group and chairperson, IT@Cork Skillnet says.

“Threats are evolving constantly and its important employees are aware of what to look out for. The most common threat facing employees come in the form of phishing attacks. These are essentially when someone tries to extract information from you by pretending to be someone trustworthy that you know. The most important step to spot phishing attacks is to take your time when reviewing emails – are you expecting this mail, is the writing style the same as usual, is the email address correct or are links leading to somewhere you wouldn’t expect, among other things,” he says.

In certain cases, employees have been asked to connect to the internet using home broadband services with laptops that were bought off the shelf, Justin Moran, head of governance and security at Three says.

“In other cases, where people used their own device, many businesses had no way of knowing if those devices were running up-to-date operating systems and anti-malware software, which gives rise to increased security risks such as phishing,” he says.

A healthy sense of scepticism is needed around an email that you may not be expecting, Conor Hogan, global privacy practice lead at BSI group says.

“There has been an uptick in the volume of phishing attacks, and it’s nuanced. It’s where people don’t have that sense of scepticism that training is needed and employers should invest in it. The IT department should to be more visible and employees need to feel they can approach IT. Employees may now have to raise a ticket, which makes it’s harder to get in touch with IT. Workers should be encouraged to escalate things if they need to,” he says.

A recent Hiscox Cyber Readiness Report 2020 revealed that 67per cent of cyber claims come from human error. “Often we see that many companies will invest heavily in IT infrastructure, but don’t pay enough heed to adequately training their employees on the common cybersecurity threats to be aware of,” Ciarán Morrissey, cyber development underwriter at Hiscox Ireland

“It might sound simple, but staff training is essential and can help mitigate this risk,” he adds.

They can do this by continuously communicating with their remote workers on the cybersecurity threats and issue clear guidance on information security practices.

"Employers need to ensure their employees are practicing good password hygiene for both personal and business accounts, and by making sure that any device has the necessary updates, such as operating system updates and that software/antivirus updates are using effective access controls such as multi-factor authentication. This asks the user not only to input a password on their laptop but also to verify their identity through an authentication app on their phone. This feature is available on many of the leading productivity suites, including Microsoft and Google," Moran says.

Ensuring any device is used in a safe location, for example where the worker can keep sight of it and that they minimise who else can view the screen, particularly if working with sensitive personal data, is imperative. Lock the device if left unattended and if working without cloud or network access, ensure any locally stored data is adequately backed up in a secure manner.

“Deploy encryption to restrict access to the device, and to reduce the risk if a device is stolen or misplaced. When a device is lost or stolen, take steps immediately to ensure a remote memory wipe, where possible.With the increased usage of smartphone and personal devices, the first step is to deploy a mobile device management tool that ensures the devices have up-to-date applications, so they are not at risk from vulnerabilities in older versions,” Moran adds.

Finally, the employee should consider what information they share about themselves publicly on social media.

“Sophisticated social engineering attacks use many different sources to gather information on potential victims to make the mails seem more realistic,” he says.

One area Hiscox would encourage businesses to pay particular attention to is their Bring your own Device policy (BYOD) which refers to employees using their personal devices to connect to their employees networks, rather than using company provided hardware.

“This is an area where I feel employers need to do more as this does increase the risk of a cyber incident occurring, if not managed effectively. Have a policy to restrict access to employees networks immediately if they leave the company; implement firewalls and antivirus software to ensure endpoint management is monitored and secured; VPN’s should be patched regularly and undergo external penetration testing to identify any potential vulnerabilities and finally promote a no blame culture. If employees think their system has been compromised they should immediately contact their IT team so they can isolate the incident and disconnect the device from the companies network.”