BSI warns SMEs of increase in COVID-19 induced phishing campaigns

  “Give a man an 0day and he’ll have access for a day. Teach a man to phish and he’ll have access for life” – the grugq[1].

The above maxim, from one of the world’s leading cybersecurity thought leaders has never been truer. The current COVID-19 pandemic has confirmed the long-held belief that phishing is by far the favourite means for cyber attackers to infiltrate small and medium-enterprises (SMEs). “0-days”, which are newly discovered software vulnerabilities are worthless once discovered and remediated, while, on the other hand, phishing can be used again and again by hackers to gain access to your networks.

It is well known that 91% of attacks launch with a phishing email[2], but recent data suggests that bad actors (the term used by IT professionals for faceless people who steal victims’ sensitive information) are ramping up their efforts during the pandemic, with Google reporting that 18 million Covid-19 themed phishing mails are sent to Gmail users every day[3].

Phishing is a fraudulent practice widely used by criminals claiming to be from reputable companies in order to trick individuals into revealing sensitive information or clicking on a malicious link in an email. It is one of the largest causes of cybercrime and all users – both in work and at home – need to be extra vigilant at this time.

These days, there is a good chance that a malicious link directed towards a business will contain a payload (the part of an attack that executes malicious activity) that enables an individual to initiate a ransomware attack. This attempts to encrypt an organization’s files and demands a ransom payment before allowing access.

Ransomware demands are not modest with the average payment for the infamous REvil ransomware infection costing $260,000 per infected company[4]. SMEs are viewed as soft targets by cyber attackers due to a shortage of dedicated IT staff and a lack of effective security controls, such as reliable backups. These attacks show no sign of a slowing down with inexpensive phishing kits becoming the top selling product on major dark websites
[5].

The pandemic that has fuelled these attacks has also led to many of the global workforce switching to remote working. Other than employers and employees remaining vigilant and being aware of the increased risks, what else can SMEs do to protect themselves? The below top tips from BSI’s Cybersecurity and Information Resilience team covers the key elements that should be considered to ensure an organizations’ data is secured as employees work remotely.

1. Phishing – Think before you click

• • If it sounds too good to be true, it usually is. Well-crafted phishing emails are designed to contain certain psychological triggers that encourage you to click
  • Be on the lookout for phishing themes – cyber attackers love launching phishing campaigns based on current events. For example, tax season, major sporting events and the COVID-19 pandemic all saw huge increases in phishing traffic
  • Email tone – phishing emails are designed to play on your emotions. Greed, urgency, curiosity and fear are all major motivators embedded in an effective phishing email
  • Do not click on links, or open files attached to suspicious unsolicited emails. Always verify with the sender via phone
  • Be particularly aware when files or email links direct you to websites requesting username and passwords, as these are often fraudulent and look extremely realistic
  • Does the email contain generic greetings?
  • Does the sender address match the name of the inferred reputable company?
  • Be aware that criminals use shortened URLs rather than using the exact URL – this makes the phishing URL less obvious. – Roll the mouse over the link in the email to see the underlying URL
  • Phishing awareness – run regular phishing simulation campaigns for your employees
  • Configure your mailbox so external emails are tagged with an “External Email” warning
  • In the case of BEC (Business Email Compromise) attacks, it is important to verify requests for payments and updates to payment information
  • If you do see any email that looks to be from an untrustworthy source, report it to your IT department and follow their advice. If you happen to click a link or download one, contact your IT department immediately as it will have protocols in place to remediate or solve the issue. 

2. Business information –
   what should I do if I have confidential business information?

Always keep it secure and have it in your possession and never out of eyesight. If you are taking a break or leaving the documentation, stow it in a safe environment. Remember, business information will need to remain confidential even if stored in your home.

3. Using home Wi-Fi – I’ve
   never connected my work laptop or device to my home Wi-Fi?

If you have been asked to connect to your home Internet, make sure that your Wi-Fi connection is secure, and password enabled so you can control who connects to it. If you have any doubts, contact your IT team and they can assist you. For public and unsecured Wi-Fi, the best advice is either to avoid connecting with them and tether using your phone or use a VPN to secure the connection.

4. Use your VPN – what is a
   VPN and how do I connect to it?

A VPN is a Virtual Private Network that most businesses use to allow you to create a secure connection to their network over the Internet. Most companies have a policy on VPN usage and how to connect to it – usually a password enabled or token system. Ask your IT department for more information.

5. Mobile phone and device
   security – is my mobile phone safe?

Maybe not. Are you seeing an increase in incoming calls from numbers that you do not recognize or calls from “unknown numbers”? It is best not to answer the unknown numbers and use caution when answering unrecognized numbers.

6. Backups – what is a
   back-up and what do I need to do?

A backup, or data backup, is a copy of data that is taken to be used in case the original is lost or damaged. It can be used to restore the original data after an event or preparing for a potential data leak event. Talk to your IT department about what data you need to backup, how to back it up and what equipment you need to do it.

7. Conference calling and
   internal communication – what are they and why use them?

Your business / company may be able to provide you / employees with calling capabilities through a different application than the one you use in your normal work environment. Check in with teammates using your company conferencing equipment like WebEx, Microsoft Teams and Zoom. Ensure all employees are up to date with company policies and internal communications. For client engagement, also ensure that your clients either have this equipment or can download and access it in line with their own company policies.

8. Working patterns – how
   can I maintain my normal working habits?

Keep your good working habits. For those who are not accustomed to working from home, the prospect can be difficult to adapt to, particularly for extended periods of time. Apply as many of your normal office routines as possible such as waking up time, start and finish times, coffee breaks, lunch breaks, meetings and client interactions, even when conducted remotely. The more in sequence with normal office practices you are, the easier the remote working process becomes.

9. Working environment –
   what is the best working environment for me?

Where you can, establish a comfortable working environment. Ergonomics are as important at home as they are in the office. Think about the equipment, data and information you will now have in the home and how you need to protect it from unintended sight or use. Also consider your company policies around the disposal of data and information.

Stephen Bowes, Global Practice Director, Information and Security Technologies, BSI Consulting Services, said: “There are multiple benefits to both organizations and their employees with a robust remote working model. Employee performance, recruitment, retention and job satisfaction increase whilst organizations’ costs decrease.

“Organizations need to plan for the inevitable and the unforeseen by implementing the requirements for a remote workforce. Bolster your physical and digital security protocols, information resilience and business continuity plans at this uncertain time, by preparing for the currently evolving and distributed workplace and meeting employee needs.”