More than ever before, our ability to remain productive hinges on remote communication and collaboration. But you can’t necessarily trust that the voice on the other end of the line is actually your coworker. Voice phishing, or “vishing,” attacks have skyrocketed during the pandemic, according to a joint report from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA).
In particular, the report cited a rash of attacks that target employees working from home via VPN. The attacker impersonates one of the company’s IT pros to trick the employee into approving a two-factor authentication (2FA) notification, giving the attacker access to the employee’s VPN account. The attacker can then use that access to mine customer and employee data, or perform any number of other malicious actions.
This is only the latest in a surge of social engineering attacks that take advantage of the unique circumstances of the pandemic. For example, the past few months have seen a wave of phishing emails that appear to originate from government or international health organizations, such as the Centers for Disease Control (CDC) and World Health Organization (WHO).
However, these pandemic-related attacks are part of a much broader trend. As bot detection tools have improved, attackers are moving away from basic, velocity-driven, brute-force credential-stuffing attacks toward more varied fraud tactics, including vishing and phishing. Attackers can use these attacks to compromise employee accounts and gain access to sensitive or proprietary information within a company’s systems. To thrive in a remote work environment without falling victim to cybercrime, companies need better tactics to defend against sophisticated attacks that impersonate their employees, and that often start with social engineering.
Why COVID-19 is Fertile Ground for Fraud
While most organizations have adapted quickly to full-time remote work, the sudden transition has also left many companies vulnerable due to multiple factors. Together, these factors create an ideal environment for sophisticated vishing and phishing attacks.
- Lack of security infrastructure: In the past six months, companies may not have had time, budget or expertise to implement tech infrastructure, such as a VPN, that would keep sensitive employee and customer data secure, while enabling remote connection to the company’s private network. Companies may have quickly adopted new third-party software solutions to facilitate remote work without taking time to fully vet those vendors’ security and privacy protocols.
- Lack of clear policies and employee training: Organizations new to remote work may lack fully developed policies around cybersecurity and bring your own device (BYOD) best practices when working from home. Further, some companies may have been unable to adequately train all employees in these policies, even if they have them. This makes it much more likely that employees will engage in risky behavior, such as using company-issued devices to access non-work-related online services.
- Ongoing change to company operations: The transition to remote work has upended many employees’ expectations for “normal activity” during the workday. Procedures and best practices are unclear, and many employees are still learning their way around new remote collaboration solutions. In this environment of ongoing change and disruption, it may be harder for employees to spot odd behavior, like a call from an IT employee they’ve never heard of who is asking for their 2FA code out of the blue.
- Confusion over the pandemic itself: Almost a year into the pandemic, it’s still not always clear what’s going on and which sources to trust. This leaves many people vulnerable to fraud and manipulation. For example, U.S. consumers have lost $124m to COVID-19-related scams in 2020.
The High Costs of Pandemic Cybercrime
When bad actors steal employee credentials through social engineering, they can exploit their success in multiple ways. Many cybercriminals sell stolen credentials on the black market to make a quick monetary gain. A criminal with access to an employee account may also be able to steal sensitive data, such as customer payment information, which they can then sell to others or use to make fraudulent transactions themselves. The cost of fraud to U.S. retailers is up 7% since 2019, according to a DigitalCommerce360 report.
In some cases, attackers parlay stolen employee credentials into bigger, more damaging exploits. For example, the masterminds of July’s headline-making Twitter hack used fraudulently obtained employee access to interact with powerful, internal administrative tools that allowed them to take over more than 100 user accounts, including those of several celebrities and high-profile politicians.
The average cost of a data breach in the U.S. in 2020 is $3.86 million. However, damage from these attacks is not only monetary, but also reputational. Companies that suffer major breaches may struggle to win back customers’ trust, which can create a ripple effect for years to come. To avoid these outcomes, you may need to upgrade your cybersecurity defenses to address the heightened threat of COVID-related social engineering attacks.
Multi-Layered Defenses Reduce Risk
There’s no single solution for ending COVID-related cybercrime. Instead, combatting today’s sophisticated attacks requires a multi-layered approach.
Social engineering attacks like vishing and phishing succeed because many organizations only authenticate users based on their credentials. Once the bad actor has an employee’s username, password and their one-time code for 2FA, they have full access to the system — and there’s little that can be done to stop them. That’s the folly of relying too heavily on static credentials alone.
To avoid falling prey to social engineering schemes — and to avoid damage when employees do fall for those schemes — organizations need to layer multiple solutions that will secure systems in different ways. Together, those solutions should prevent bad actors from gaining access to systems through social engineering to begin with, identify bad actors by their behavior if they do gain access and prevent bad actors from using stolen data for fraudulent purposes.
Defenses Against COVID-Related Cybercrime
While there’s no way to reduce the risk of cybercrime to zero, combining several security precautions will make your company’s systems much more resilient against attack. Here are measures you can take to strengthen your cyber defenses during the pandemic.
- Strong authentication protections: While hackers can still use social engineering to get around some of these protections, strong authentication makes gaining access significantly more difficult. At this point, strong multi-factor authentication protections on employee accounts are table stakes — you don’t want to be the only target without them.
- Real-time anomaly detection: This capability automatically flags any account that engages in high-risk activity such as downloading large amounts of customer data. The system can then automatically lock that user out of the account or implement additional security measures. If a bad actor does gain access to your systems, anomaly detection can prevent them from exploiting that access to compromise additional employee or customer data.
- Passive biometrics and behavioral analytics: Passive biometrics and behavioral analytics let you continuously validate users’ identities after they’ve logged in, helping you spot bad actors and unauthorized users even if they have legitimate credentials. Passive biometrics looks at inherent behavior, such as how a user holds their device, whereas behavioral analytics looks at behavior patterns, like where or when a user usually logs on during the day. This can help flag anomalies such as a user trying to change their password from a location thousands of miles away from their normal residence after several failed login attempts. Each user’s “signature” based on these qualities is unique to them and very difficult to imitate. If the person using a certain set of credentials doesn’t match the usual signature associated with them, they can be locked out of the account or asked for additional identity verification. This will secure both employee and customer accounts, whether the user has given up their credentials due to social engineering or had those credentials stolen in a data breach.
- Employee education: Most data breaches have their roots in human error, which means the biggest weak spot for a company’s cybersecurity is its workers. To help your employees protect themselves from cybercrime, educate them. Train everyone on your team to know what malware is and how to spot a phishing or vishing attack.
Good habits are important, too. For example, employees should get in the habit of checking with the person who supposedly sent a suspicious email to make sure it was really them. Employees should also understand the importance of using complex passwords and updating those passwords frequently.
Just telling people what to do isn’t enough — for best results, organize in-depth training opportunities that discuss the rationale for these precautions. You may also want to test employees periodically by having your IT team send out fake phishing emails. Employees who fail the test by clicking on a suspicious link can then be required to complete additional training. Whatever specific tactics you use, by demonstrating that security is a top priority, you’ll set a precedent for all levels of employees.
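The real-time anomaly detection and behavioral analytics layers described in the list above can be sketched as a small rule engine that runs over an authentication and data-access event stream. The following is an added example written for this page, not code from the article or from any product it mentions. The users, coordinates, thresholds and events are constructed, and a single “usual location” per user stands in for a real behavioral signature; it flags bulk customer-data downloads, a password change from a distant location after repeated failed logins, and a successful login far from the user’s baseline, and decides between locking the account and asking for step-up verification.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Thresholds are constructed assumptions; tune them for a real environment.
FAILED_LOGIN_WINDOW = timedelta(minutes=30)
FAILED_LOGIN_THRESHOLD = 3
FAR_AWAY_KM = 1000.0
BULK_WINDOW = timedelta(minutes=10)
BULK_RECORDS = 5000


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str          # "login_ok", "login_fail", "password_change", "download"
    lat: float
    lon: float
    records: int = 0   # customer records exported; only used for "download"


@dataclass(frozen=True)
class Alert:
    ts: datetime
    user: str
    rule: str
    action: str        # "lock" or "step_up" (ask for extra identity verification)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect(events, baselines):
    """Run the rules over events in time order.

    baselines maps user -> (lat, lon) of the place they usually log in from,
    a stand-in for the per-user behavioral signature the article describes.
    """
    alerts = []
    failures = {}    # user -> timestamps of failed logins seen so far
    downloads = {}   # user -> [(ts, records)] still inside the bulk window
    for ev in sorted(events, key=lambda e: e.ts):
        base = baselines.get(ev.user)
        far = base is not None and haversine_km(ev.lat, ev.lon, *base) >= FAR_AWAY_KM
        if ev.kind == "login_fail":
            failures.setdefault(ev.user, []).append(ev.ts)
        elif ev.kind == "login_ok" and far:
            # Valid credentials from an unusual place: verify rather than block.
            alerts.append(Alert(ev.ts, ev.user, "distant_login", "step_up"))
        elif ev.kind == "password_change":
            recent = [t for t in failures.get(ev.user, []) if ev.ts - t <= FAILED_LOGIN_WINDOW]
            if far and len(recent) >= FAILED_LOGIN_THRESHOLD:
                alerts.append(Alert(ev.ts, ev.user, "distant_password_change_after_failures", "lock"))
            elif far:
                alerts.append(Alert(ev.ts, ev.user, "distant_password_change", "step_up"))
        elif ev.kind == "download":
            # Sliding window: drop exports older than BULK_WINDOW, then add this one.
            hist = [(t, n) for t, n in downloads.get(ev.user, []) if ev.ts - t <= BULK_WINDOW]
            hist.append((ev.ts, ev.records))
            downloads[ev.user] = hist
            if sum(n for _, n in hist) >= BULK_RECORDS:
                alerts.append(Alert(ev.ts, ev.user, "bulk_download", "lock"))
    return alerts


# Constructed sample data: baselines and one morning of events.
NYC, LONDON = (40.7128, -74.0060), (51.5074, -0.1278)
CHICAGO, LA, DENVER = (41.8781, -87.6298), (34.0522, -118.2437), (39.7392, -104.9903)
BASELINES = {"alice": NYC, "bob": CHICAGO, "carol": LA}


def t(hhmm):
    return datetime(2020, 11, 2, int(hhmm[:2]), int(hhmm[2:]))


SAMPLE_EVENTS = [
    Event(t("0900"), "alice", "login_ok", *NYC),
    Event(t("0905"), "alice", "login_fail", *LONDON),
    Event(t("0907"), "alice", "login_fail", *LONDON),
    Event(t("0909"), "alice", "login_fail", *LONDON),
    Event(t("0912"), "alice", "password_change", *LONDON),     # far + 3 failures -> lock
    Event(t("0930"), "bob", "download", *CHICAGO, records=1000),  # falls outside the window
    Event(t("1000"), "bob", "login_ok", *CHICAGO),
    Event(t("1002"), "bob", "download", *CHICAGO, records=3000),
    Event(t("1005"), "bob", "download", *CHICAGO, records=2500),  # 5500 in 10 min -> lock
    Event(t("1030"), "carol", "login_ok", *DENVER),             # ~1300 km from LA -> step_up
]


def run_sample():
    return detect(SAMPLE_EVENTS, BASELINES)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.ts:%H:%M} {a.user:6} {a.rule:42} -> {a.action}")
```

The point of the two actions is the one the article makes: a distant login with otherwise valid credentials is a reason to ask for more proof of identity, while the combination of several failed logins and a far-away password change, or a large export of customer records, is strong enough evidence to lock the account first and investigate afterwards. A production system would replace the single baseline point with a learned profile (usual hours, devices, typing or handling patterns) but the decision flow stays the same.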
In the physical world, multiple security measures are the norm. Your front door, for instance, probably has a good, hard-to-pick lock, a deadbolt and strong hinges that make it hard to kick in. Modern cybersecurity operates on a similar principle — and there’s never been a more important time to have all your bases covered. With multiple security approaches working in tandem, your company will be better protected from the surge in COVID-19-related cybercrime.