04/29/2020 by Michael Andersen
What Do I Need to Teach My Employees About Coronavirus Phishing Scams?
Employee cybersecurity awareness remains one of the vital layers in an overall IT security plan for a business. We always recommend ongoing training rather than a "one and done" approach, because the threat landscape is always evolving. Phishing is still the main delivery method for malware and credential theft attacks, but the method and sophistication of the attacks change from year to year and event to event. For example, the coronavirus pandemic has not only changed the way we live and work in Rhode Island (and the rest of the country), it has also brought on a whole new onslaught of phishing attacks. These attacks take advantage of the fact that many employees are working from home remotely and connecting from less secure networks. They also play on the fears associated with the outbreak. In 2019, nearly 90% of organizations around the world experienced targeted phishing attacks. The phishing landscape has changed dramatically with the COVID-19 crisis. To ensure your employees don’t put their devices or your data at risk, they should be updated on what to watch out for and reminded of how to avoid falling victim to a phishing email.
COVID-19 Phishing Awareness Training Topics
With company networks spread out due to telecommuting, businesses are more at risk of attacks and facing a costly data breach. That makes connecting with your employees and keeping them "cyber aware" even more important. Here are topics you should cover with them related to the new attacks around the coronavirus pandemic.
Phishing Has Increased Dramatically
Employees need to know to expect more phishing scams coming into their inboxes and to be on the lookout for them. In just three weeks during March 2020, phishing attacks increased 667%, and there is no sign of them slowing down.
They are a Prime Target
With millions of employees working remotely from home, hackers know that means easier access to sensitive business data. This makes telecommuters a prime phishing target. Factors for this include:
- Home networks are typically less secure than business networks
- Employees may be cut off from the normal IT support they get
- The need for information about COVID-19 is high, along with fear
- Employees will be using remote connections to on-premises devices, which are a potential entry point for hackers
Links are Used Much More Than File Attachments
Phishing scammers now largely use links to malicious websites instead of a malware laden file attachment (although those are also still used) to get past antivirus defenses. Some people mistakenly think that just clicking a link will be safe, but those links go to sites that often do "drive by" downloads of malware as soon as the page loads. Others will go to a spoofed login page that looks legitimate and is designed to steal user credentials. Employees need to know that links are just as dangerous.
What Types of Scams to Watch Out For
There are new scams related to the pandemic popping up daily, all of them designed to fool the recipient in different ways. Here are some of the common themes that employees need to be aware of:
- The "HR department" sending a link to a "new policy" on infectious diseases with instructions to read it by a certain date.
- A new IT company purporting to be working with the employee’s company during the crisis and warning that the user’s email will be deactivated if they don’t click a link to respond.
- Spoofed messages pretending to be from the CDC or World Health Organization with a link to "important information about the outbreak in your area."
- Malicious apps or websites that offer a coronavirus map but are actually just a way to plant malware.
- Emails related to fake offers of personal protective equipment (PPE), coronavirus cures or fake prevention products.
- Scams related to the coronavirus stimulus with links to give your personal information to get your relief check.
Refresher on How to Avoid Becoming a Phishing Victim
Repetition is key when it comes to any type of meaningful training and the same is true when it comes to cybersecurity awareness. Remind employees of key tactics they should take to avoid falling for a phishing email:
- Hover over links to reveal the true URL
- Be suspicious of any unexpected email
- Don’t download file attachments or click links in emails from unknown senders
- Double check with colleagues by phone or text if you receive a strange email from their address
- Don’t fall for the common tactics of urgency and fear that phishing scams use
- Get a second opinion from an IT pro on any questionable emails
- Use good cybersecurity best practices (antivirus app, web protection, patch updates, etc.)
What to Do If They Get a Phishing Email
Employees should know what to do if they receive a questionable email. Let them know where they should forward the email to and when it is okay to delete it from their inbox and deleted items folder. This not only helps your organization keep track of attacks and let other employees know about them, it also gives the user comfort that they know the correct action to take.
How Secure is Your Remote Workforce?
Phishing is one of the many threats that business and home networks face. Ensure your cybersecurity plan includes your remote workforce by working with Onsite Techs of Rhode Island on a holistic strategy. Contact us today to set up an IT security consultation at 401-415-6290 or reach out online.