With governments around the world having to intervene to curtail non-essential travel and social gathering to minimize the spread of COVID-19, more of us than ever are now working from home. While for many working from home isn’t new, the scale of this shift, combined with the suddenness with which it was required, seems to have heightened the risk of cyber-attacks.
The International Compliance Association (ICA) is a professional membership and awarding body. ICA is the leading global provider of professional, certificated qualifications in anti-money laundering; governance, risk, and compliance; and financial crime prevention. ICA members are recognized globally for their commitment to best compliance practice and an enhanced professional reputation. To find out more, visit the ICA website.
As recently seen in Italy, cyber-criminals are making attempts to test the cyber-security of those now working from home. Whether that’s through phishing emails or taking advantage of weaknesses in software or Internet connections, the risks posed by these attacks should be taken seriously. Below, we’ve collated some ways to help defend yourself and your business from these potential threats.
1. Be careful when downloading software
If you need to use your own computer for working from home during this time, you might find yourself missing some of the applications needed to complete your work. However, downloading this software independently can heighten the risk to you and your business. Fake software download files are a favorite criminal method for tricking people into downloading malware. Instead, contact your IT department to ask them for help getting set up, as they may have a list of recommended download locations or ways to provide you with safe access. While it may take a little longer to get access if they are experiencing high demand, this is preferable to accidentally downloading malicious files and giving cyber-criminals easy access to your data, both personal and professional.
2. Protect your devices
Whether you are using your own device or one issued by your employer, make sure to be sensible with it and keep it digitally and physically safe. Make sure there is an active antivirus in place to protect against viruses and malware. Use a secure Internet connection to protect your online activity and keep work laptops and phones safely hidden away when not in use.
3. Treat any unexpected email with a healthy level of suspicion
Receiving emails from businesses you recognize might make you feel safe in opening them. But we should remember that cyber-criminals use templates from credible sources as a way of tricking people into clicking links to malware-delivering websites, ones designed to encourage you to make a payment or reveal login details. Emails were recently sent, for instance, from an account claiming to be from the World Health Organization asking for help funding research into a coronavirus vaccine. Other examples include emails purporting to be from banks or websites like PayPal, warning of possible breaches and asking you to log in to your account via a link provided in the email. Thankfully, there are multiple ways of checking their authenticity.
- Take a moment to check the origin and the email’s content. These attacks often come from email addresses that are spelled or formatted slightly differently to legitimate accounts (e.g., using “.org” instead of “.co.uk”). Others may be recognized by their poor spelling, grammar, or formatting in the body of the email.
- Take a moment to consider why the company would be contacting you if you are not already subscribed to its content or otherwise have given it your email address in the past. If you have never received an email from this company before, why (and how) would it have your contact details now?
If in any doubt, come away from the email and access the Website in question through your browser rather than opening any links it provides.
4. Report any suspicious emails or links
If you see or receive something that doesn’t look right, report it. If what you suspect is a phishing email is sent to your work email address, contact your IT team (use a specific inbox for phishing emails if they have one in operation) and make them aware of it, and check if they want you to forward it for investigation. This may help them improve defenses against this type of attack in the future or raise awareness in the business to be on the lookout for this type of email.
Consider forwarding them to authorities outside of your business, too. The National Cyber Security Centre (NCSC) has launched a “Cyber Aware” campaign, a main feature of which is its Suspicious Email Reporting Service. This is intended as a way for people to report the numerous phishing scams and fraudulent websites that are designed to capitalize on public worry about the coronavirus pandemic. The NCSC reported receiving 5,000 suspicious emails within 24 hours, which resulted in them shutting down over 80 malicious web campaigns. They are asking people to contact them through email@example.com with information on any suspicious web content so that they can investigate; block scam email addresses; and remove fraudulent websites, as well as raise awareness for more common scamming methods that are being found.
5. Password security
When talking about cyber-security, we can’t omit the importance of a secure password. While it’s a good place to start, just using something including a capital letter, a number, and a special character isn’t enough. Admittedly, it’s easier to remember one password for everything, but this ease can be preyed upon by cyber-criminals. If you are caught out by a scam email directing you to a website that asks you to make an account with your email address and password (or you just try to access a legitimate website that is not secured properly), and you have used those details for other websites, then this is an easy gateway to those other sites. Here are some handy ways to create unique (but memorable) passwords:
- Make one with three words that aren’t obviously connected but that you will be able to remember (e.g., DogTelevisionSkull);
- Abbreviate or shorten each word in a movie/book quote or song lyrics (e.g., YgnabbJ for the quote “You’re gonna need a bigger boat” from “Jaws” (1975); or
- Create your own phonetic alphabet and use it to spell out part of the website you’re using it for (e.g., FabricAppleCanada for Facebook.)
Adding or replacing some of the letters with numbers and special characters will help make these passwords secure and hard to crack for hackers but easier for you to remember.
The important thing to remember is that if you believe you have accessed something that might put your business at risk, it’s better to get in contact with someone who can help than to just hope for the best. Contact your IT team to give them the details and be honest. They may be able to help you and mitigate any risks. If you believe you have made a payment to a fraudulent website, contact Action Fraud immediately through http://www.actionfraud.police.uk/. If you are worried that your email address may be breached, consider using the website https://haveibeenpwned.com/. This allows you to check if any websites in which you’ve used your email have been subject to data breaches.
For more on how to protect against cyber-attacks, see the NSCS’ recommendations.
The International Compliance Association is a sister company to Compliance Week. Both organizations are under the umbrella of Wilmington plc.