Guarding Against Work-From-Home Phishing Threats

By this stage, everyone is familiar with the phrase ‘social distancing’ and what it means with regard to shopping trips and exercise outdoors. Social distancing, as we all know by now, was introduced to slow down or, more hopefully, stop the spread of Coronavirus. Many companies are taking steps to enable as many people as possible to work from home.

Working from home is a sensible approach regardless of pandemic situations, and on several levels, but it does pose its own set of problems too. Cybersecurity is one such problem, as staff moves away from a secure office network to arguably much less secure environments at home and elsewhere. These less secure extended corporate networks present cybercriminals with an almost impossible-to-resist opportunity.

In response to the growing threat from cybercriminals, the **NCSC (National Cyber Security Centre) has warned that there are criminals intent on taking advantage of the pandemic to launch cyberattacks and hacking campaigns. It has already seen numerous threats and scams that exploit the spread of the virus.

COVID-19 email phishing

Criminals have been using the words ‘COVID-19’ and ‘Coronavirus’ in email subject lines for their phishing scams for a few months now. Their goal is to dupe or scare recipients into clicking a malicious link, with the hopes of collecting login details, or opening attachments to facilitate the installation of malware.

With the above in mind, here are some basic practices that will help raise awareness within your organization and help keep data, systems, and personal accounts safe while working from home.

Watch that subject line

You should be wary of any email that refers to coronavirus in the subject line, whether it seems to be from a trusted, legitimate source or not. Just because an email looks to have been sent from a friend, a government agency, or even your own company, that does not mean that it has. Check the email content carefully (there are often spelling and grammar errors) and check the sender’s email by clicking/tapping on the sender’s name. If in doubt, contact them directly on an email address or phone number that you know to be correct, or search their website for a corresponding page or information sheet.

Do not just click a link without pause

You should not take a link at face value; question it. This is especially true if the email is ‘out of the blue’. If the link appears in a direct message on a social media platform, especially with no prior contact, then it is almost certainly a fake.

Be wary of emails that do not have your name in them

This is even more important if they are requesting information from you or they are asking you to click a link to confirm something. Many phishing emails simply start with “Dear customer”, and lots more don’t even put that much effort in and simply address you by your email address instead. Why? Because unless it’s an attack on you personally, they do not know your name and if they do not know your name then the chances of them being a company you have dealings with are zero.

Be suspicious of ‘password reset’ emails

Do not automatically trust an email that asks you to reset your passwords or usernames. Instead, open a browser, type in the relevant address that you know to be correct, and do it from there if you need to. Don’t click a link in the email if you are not 100% sure it is legitimate.
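
The four checks above can also be run as a quick triage over a raw message. This is an added example, not part of the original article or of any Spambrella product; the sample message, its domains, the `check_message` name and the known-good domain list are assumptions, and "not taking a link at face value" is interpreted here as comparing the address a link displays with the address it actually opens.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; every name and domain is a placeholder.
SAMPLE = """\
From: "Bank Support" <alerts@bank-example.test>
Subject: COVID-19 update: password reset required

<p>Dear customer, <a href="http://bank.example.net/reset">https://bank.example.com/reset</a></p>
"""

class LinkParser(HTMLParser):  # collects [href, visible text] for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = True
            self.links.append([dict(attrs).get("href") or "", ""])
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data.strip()
    def handle_endtag(self, tag):
        if tag == "a":
            self._open = False

def check_message(raw, trusted_domains):
    """Return the article's warning signs found in raw; trusted_domains is an assumed allow-list."""
    msg = message_from_string(raw)
    subject, body, findings = msg.get("Subject", ""), msg.get_payload(), []
    if re.search(r"covid|coronavirus", subject, re.I):
        findings.append("pandemic-themed subject")
    # Judge the real address, not the display name the mail client shows.
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain not in trusted_domains:
        findings.append("sender domain not on known-good list")
    if re.search(r"dear\s+(customer|user)", body, re.I):
        findings.append("generic greeting")
    if re.search(r"password\s+reset|reset\s+your\s+password", subject + " " + body, re.I):
        findings.append("password reset request")
    parser = LinkParser()
    parser.feed(body)
    for href, text in parser.links:
        shown, real = urlparse(text).hostname, urlparse(href).hostname
        if shown and shown != real:
            findings.append(f"link text shows {shown} but goes to {real}")
    return findings
```

Calling `check_message(SAMPLE, {"bank.example.com"})` returns all five findings; a hit is a reason to verify through a channel you already trust, not proof of fraud.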

We all have so many different things on our minds, especially in the current climate, that it is easy to fall prey to a convincing email phishing attempt. This handful of recommendations will help keep you and your organization’s data secure. For more sophisticated attacks, and to take care of things automatically so you are not left with uncertainties, Spambrella is here to take care of all your email security concerns.

References and sources:

** NCSC Email Phishing Warning

Closer Look at Email Fraud

Anti-Phishing Protection

What is typosquatting?