Old phishing threats are new again, so keep your guard up

April 13, 2020

This paid piece is sponsored by SDN Communications.

Although people might feel comfortable working from home during the pandemic, they have to remain wary. COVID-19 has given hackers fresh bait for old-fashioned phishing attacks.

The outbreak of the virus probably hasn’t increased the overall threat of phishing; it just has given thieves a new topic to use in attempts to trick people into giving up sensitive information or clicking a bad link, said Chad Pew, manager of IT at SDN Communications.

Pew avoids saying that people who work at home should be extra cautious now because he thinks they should always be cautious. Hackers are always active, and they always are trying to take advantage of trends such as holiday seasons or natural disasters.

“They’re just looking for that attention-grabber where their email is going to get noticed and make people act on it,” Pew said. “That’s why they always switch to the most relevant topic that’s going on in the world.”

That makes COVID-19 kind of the online threat du jour. Granted, it can be an especially compelling topic for phishing attacks because of the anxiety the subject creates.

Regardless of what form phishing takes, security experts agree that it is a major threat to information security. It’s a form of social engineering in which hackers disguise themselves to try to acquire information such as passwords or encourage actions to assist their crime. They often use email, but phone calls are commonly used too.

Hackers like to attack humans because, generally, employees – not machines – are the weakest link in a company’s cybersecurity defense. The best way to combat phishing is to train employees on an ongoing basis to recognize hackers’ tactics, such as urging email recipients to click on a link that could download malware into a network.

Help employees spot a fake

To help train and constantly update its employees about phishing threats, SDN uses a service from the security company KnowBe4. The service regularly but randomly sends a variety of fake emails to SDN employees at all levels. The purpose is to educate the company’s staff, not reprimand those who are tricked into taking a bad action.

Typically, only two or three of roughly 130 employees fail each round of a test. Those who get deceived have to take extra training. If the same employee were to fail month after month, some one-on-one discussion or possibly other action might be in order, Pew said.

Employees who don’t act on a test email and who do flag suspicious messages for review by the IT staff are congratulated.

During normal times, fake emails that appear to come from the human resources department and discuss an employee’s benefits might be difficult for recipients to resist. Now, hackers might try a tactic such as urging home-based workers to provide their credentials so they can be connected to the company’s network.

During a recent two-day period, KnowBe4 identified 10 varieties of repurposed phishing emails.

“Although all of these malicious emails strive mightily to be relevant and topical by invoking the COVID-19 crisis in one way or another, they should still look at least vaguely familiar,” warns KnowBe4. “That’s no accident, as most of them are just warmed over or retreaded versions of the same malicious emails that have been plaguing users and IT departments for years.”

Regardless of the action they encourage, fake emails usually can be detected by the recipient. For example, closely examine the sender’s identification. The address might look real, but it might contain unusual characters. Hover the mouse over the sender’s name to see where the message really came from.

Here are prior tips from Pew and other security experts that warrant repeating.

  • Always be cautious. View any email request for personal or company information with suspicion.
  • Look for errors in any unexpected message that calls for action. Phishing emails often contain odd phrasing or poor grammar.
  • Attacks often include threatening language and encourage quick action.
  • Independently verify information in a suspicious email or telephone call. Don’t hesitate to seek advice from a work colleague or manager.
  • Promptly report any mistake you make, such as clicking on a bad link, so that mitigation action can begin, if necessary. Admitting a mistake might be embarrassing but waiting only complicates matters.

Download a trio of cybersecurity posters, which includes six steps to avoid getting hooked by a phishing scam. Post them in your business, and share with employees to help them identify malicious emails.

 SDN Communications is a leader in providing business internet, private networking and cloud connectivity to businesses and organizations in communities such as Sioux Falls, Rapid City, Worthington, Minn., and the surrounding areas.
