Could remote work become another avenue for phishing attacks?
While most employees, for many reasons, view remote work as a positive experience, most IT managers fear the cyberattacks that threaten their organizations. Indeed, remote work means that users are working in an IT environment where IT teams cannot control the level of security (if any exists at all!). This is, quite rightly, a cause for concern, especially since ensuring the security of the information system remains one of the IT manager’s core responsibilities.
As we know, a poorly managed shift to remote work can present a real opportunity for cybercriminals. According to CESIN, phishing is the leading vector for major cyberattacks. The recent COVID-19 crisis has shown us this: the number of phishing attacks has increased exponentially during this period. Without scruples, cybercriminals have taken advantage of this “opportunity” to exploit security vulnerabilities and human errors.
A 667% surge in phishing emails
The cybersecurity firm Barracuda Networks reported in March “a 667% surge … in targeted phishing emails exploiting the Covid-19 pandemic to try to capitalize on users’ fears.” (source: Le Monde Informatique)
These phishing emails are riddled with fraudulent attachments or links. When a user clicks on them—even accidentally—malware (such as ransomware or a Trojan horse) infiltrates the organization’s IT system. This ransomware can also steal confidential data such as:
- your password;
- your login credentials;
- your contact information;
- confidential data…
Cybercriminals may also make an unusual request for money, for example through targeted phishing techniques such as “CEO fraud,” which involves impersonating a trusted third party (a colleague, manager, etc.) or posing as a “reliable” source (a supplier, government agency, bank, etc.).
For example, by:
- offering you a refund for an overpayment;
- alerting you to a so-called “technical security issue”;
- asking you to “update your contact information”.
How can you avoid phishing scams while working from home?
Nevertheless, by adopting the right habits to avoid phishing scams, remote work can be implemented safely. To do so, users must follow several basic principles that any savvy IT manager is familiar with:
- Keep business and personal use separate, particularly business email and personal email;
- Be wary of emails that are surprising, unexpected, alarming, or urgent…
- Avoid relying solely on the sender’s email address: if in doubt, contact the sender directly by phone;
- Do not click on the links in these types of emails;
- Do not open attachments without first confirming with the sender that they are safe;
- Check the URL of the links by hovering your mouse over them without clicking on them;
- Stay curious by conducting your own research;
- Never provide any information that a sender should not be asking the user for;
- Change your email passwords (and passwords for other accounts) as soon as you suspect you’ve been hacked;
- Use a different password for each account;
- Avoid connecting to public Wi-Fi networks, which are rarely secure;
- Use a secure Wi-Fi network;
- Don't do anything while working from home that you wouldn't do at the office.
Securing Remote Work for IT Managers
Develop and distribute an IT security policy that includes the following guidelines regarding email management:
- Prohibit the sending of work-related emails through personal email accounts and vice versa;
- Raise your users’ awareness of cybersecurity, particularly regarding best practices for using their email. After all, technical safeguards alone are never 100% effective if users do not adopt the right cybersecurity habits;
- Give users the contact information they need to reach someone in the IT department if they have questions or concerns, and/or a phone number in case of an emergency;
- Always be prepared to face a cyberattack; strengthen your cyber resilience.
Avant De Cliquer is a member of the CPME, the confederation of small and medium-sized enterprises across all sectors (including industry, services, retail, skilled trades, and the liberal professions), and a member of MEDEF, France’s leading network of entrepreneurs.
















