‘The phishing emails are getting more and more targeted’: expert
With many employees working from home during the pandemic, cybersecurity is a major issue, and phishing attempts are among the top problems giving IT managers headaches, according to Mark Gaudet, product manager at the Canadian Internet Registration Authority (CIRA) in Ottawa.
But there are a number of ways to fight back and provide basic protections, he told Canadian HR Reporter.
How can employees make their home setup secure?
“Change the settings and make sure your home WiFi, your home routers, are secure by using good passwords and using a password tool so you can effectively have different passwords across different applications. Use a corporate VPN whenever possible and, from a company perspective, provide education so people can recognize phishing emails and be part of the security solution and report them.
“Most people are reusing passwords across multiple applications, email, social media so the danger there is if someone steals credentials from one application you’re using, the first thing they go for is your email. And once they get your email, they can reset passwords for every application you use.”
What is the number one thing employers should do?
“The first step would be education. [It’s about workers] being able to recognize phishing emails and fake emails, being able to identify those and not click on them. A big thing is recognizing phishing emails and not being tricked into giving up your credentials, and using things like, if you do give up your credentials then, having strong passwords, different passwords across applications, leveraging two-factor authentication; these are simple things you can do to have high value.
“[It’s about] education around the risks around phishing, reusing passwords, storing business material at home. People are using personal laptops, in some cases, to access corporate resources, [so] what they share on those laptops.”
What are some of the biggest threats?
“Primarily phishing attacks and spear phishing. The phishing emails are getting more and more targeted. That’s another aspect that we recommend is being careful with your personal information and confidential information you share on the internet that can be leveraged to target you for phishing or spear phishing which… is just much more targeted.
“[As a hacker], I could know that you are involved in a particular activity or a particular club and pretend I’m associated with that to send you an email. I can find things out on social media and know that you just bought something, or it was your birthday. They leverage information that you make available online to target you, to try to trick you into giving up credentials [such as] sending money. Or [they] know you have kids and tell you that one of your children is in jail and you need to send money or they can’t get out.
“There are specific phishing campaigns that are leveraging COVID as well. COVID creates an opportunity in different angles to leverage. People are at home and phishing campaigns tend to leverage emotions: COVID would be one of fear. People are trying to sell fake at-home tests: ‘Here’s a five-minute test you can do at home that’ll tell you if you have the antibodies, for $10.99’ or something to that effect. They’re opportunistic and look for every opportunity and a COVID angle is one of them.”
Are some industries more vulnerable than others?
“If you take health care, for example, where the majority of health-care workers right now are working remotely, that’s not an environment where they’ve been set up that way. They’re starting to deliver services online over video and it’s a big adjustment to protecting privacy. It’s a much different environment.”