5 Ways to Avoid Phishing Scams While Working from Home
The COVID-19 pandemic has upended the everyday lives of millions of people. With so many working from home to stay safe, “business as usual” looks very different than it did before the lockdown. While telecommuting poses a variety of challenges, the increased cybersecurity risk for businesses with employees working remotely is often overlooked. Most organizations were not prepared for the shift to telecommuting, and some have fallen victim to scammers who are taking advantage of the chaos. Social engineering attacks work best when employees let their guard down, and working in the comfort of their own home has caused even the most technology-savvy employees to make security mistakes.
Employees often assume that their company’s IT department has secured their digital work environment. This perceived safety often allows phishing threats to be successful and company data to be at risk. While maintaining a secure work environment can be a challenge even at the worksite, it is even more critical to stress the importance of cybersecurity while working from a home office.
Phishing attempts targeted at employees working from home are too often successful for three main reasons:
- Lack of technical knowledge
- Lack of proper protocols and processes, or ones that cannot be enforced easily
- Lack of cybersecurity awareness training
We asked our partners at Global Learning Systems – a leader in cybersecurity awareness training – where they see the biggest weaknesses in home-office security and what steps employers and employees can take to avoid phishing attempts and cyberattacks. Here’s what they had to say:
Risk #1. COVID-19: the perfect environment for phishing attacks
Phishing is a cybercrime in which scammers lure individuals into providing sensitive information by posing as a legitimate figure through email or phone. The COVID-19 pandemic has given scammers who run phishing attacks the perfect opportunity to control victims by using urgency and the fear of missing out. Common COVID-19 phishing attacks include calls to action such as, “Find out where the new cases are around you!” and “New vaccine available, get it now!”
Furthermore, with more people at home, there has been an increase in the number of COVID-19-related phone scams targeting both landlines and cell phones. Examples of these scams include perpetrators offering to disinfect your home, pretending to be a client who needs information or even posing as tech support from your company. Employers must train employees to be on heightened alert for these COVID-19-related emails and phone calls.
Be clear on how your organization will be communicating to employees about information related to the pandemic, so they can distinguish between real communications and phishing attempts. Give employees examples of phishing emails or calls so they can understand the pattern and know what to look for. Advise them to screen calls from unknown numbers. Make sure everyone knows to report phishing attempts to your security team or management, so everyone in the organization stays informed.
Risk #2. Increase in texting for work communication
With more daily conversations happening remotely, work-related texting has increased. Employees are now using texting as a means of communicating with colleagues and clients. SMS-based scams take advantage of this by asking users to click a link, taking them to a website for more information or to download a document. After users click the link, malware is installed on their phone and stored information is up for grabs.
To combat texting scams, companies can require the use of encrypted messaging apps that provide end-to-end encryption for work-related communication. Create specific protocols for using texting to communicate for work, such as never texting a password or any other sensitive information. Train employees to never click links or move files via text.
Risk #3. Increased use of social media on work devices
With employees stuck at home and many seeking social interactions, social media use has increased. Social media has always been a popular route for phishing attacks, and employees using work devices to access their personal social media accounts can put your data at risk. A harmless Facebook quiz can expose information that can be used to crack passwords. A fun Instagram photo of your home office space may expose information about your company through the screen in the background or papers on the desk.
To eliminate this risky behavior, it is best to not allow employees access to personal social media platforms on company-provided devices. Employees should always use a personal device without company information stored for personal social media. You can also use an endpoint management system to monitor employee device use.
Risk #4. Multitasking while working from home
Multitasking while working from home is inevitable. Walking away from work devices to tend to children or housework can result in unforeseen security risks. Your organization’s security protocols should include the proper steps to secure devices and data when an employee leaves the workspace, and the same rules hold true for a home office.
It is vital to train employees to lock their device screens anytime they leave the workspace. Following a “clean desk” policy and requiring lockable storage in home offices will also minimize security risks. Employees should also turn off or mute smart devices such as Amazon Alexa or Google Home to avoid inadvertently leaking company information.
Risk #5. Downloading non-approved applications on work devices
Giving employees administrator access on company-provided devices means they can download and install applications freely. In a work-from-home situation, employees may be tempted to download new software, browser plugins or extensions to make work easier. This can result in malware downloads and stolen data.
To keep company equipment and information secure, never give employees administrator access to devices. Instead, educate them on the process for requesting new software and provide a list of approved applications. Provide access to secured software-as-a-service (SaaS) options and prohibit linking work devices to external hardware, such as a printer or removable media.
Protect your data by lowering risk
The above list of possible security risks is, unfortunately, not exhaustive. With the increase in sophistication of phishing attacks and the COVID-19 environment, it is more important than ever to review the setup for remote employees and mitigate potential risks.
Providing all employees with comprehensive security awareness training that includes a remote workplace component will increase your “human firewall” and lower your risk of a data breach. This training is provided online and can help prevent common incidents that lead to threats like malware, phishing and ransomware.
Global Learning Systems is offering a variety of free resources to help organizations get up to speed on cybersecurity in this new age. They include a free online course, blog posts and handouts for employees.