July 17, 2020 by Adam Malik
Cybercriminals are showing much better success with phishing and social engineering attacks while everyone is working from home during the COVID-19 pandemic, says a recent report.
In fact, in a highly publicized incident just days ago, Twitter confirmed it was the subject of a social engineering attack that targeted employees who had access to internal systems and tools. Some of the wealthiest people in the world saw their Twitter accounts hacked, and tweets sent from those accounts urged followers to send money to a bitcoin address under the guise of philanthropy. The equivalent of more than US$110,000 was sent by unwitting users.
According to Beazley Breach Response Service’s latest quarterly findings, the first quarter of 2020 saw a 25% spike in ransomware attacks compared to the final quarter of 2019.
“Phishing is the most widely used for criminals to get into systems and perpetrate wire frauds or ransomware attacks and I think criminals just have learned that it works,” said Katherine Keefe, Philadelphia-based head of Beazley Breach Response.
These days, employees working remotely are becoming more and more susceptible to phishing attacks — a fraudulent attempt to get the email recipient to turn over sensitive information like usernames, passwords and credit card info, by disguising the message as being a trustworthy and legitimate email. The sophistication of the communication tends to trip people up, Keefe explained.
“Gone are the days of the Nigerian prince with his bad spelling and grammar demanding $10,000,” she told Canadian Underwriter. “These days, you can receive an email that looks like it’s coming from your CEO or CFO directing you to do something and employees are falling for these ruses.”
People working from home has also had an impact. The same controls aren’t available, more emails are being sent, and the attention to such threats isn’t there. “What is clear in Q2 is that cybercriminals have seized on the opportunities presented by the pandemic and we are likely to see more employees falling victim as attacks accelerate,” Beazley’s report said.
Indeed, the success has been so great for criminals that Intact has seen an increase in claims come through thanks to the movement to work from home.
“The controls that companies have put in with respect to setting up working from home may not be as robust as some of the controls they might have in their offices,” says Intact’s Rob Boyle, the company’s vice president of specialty solutions – errors and omissions and directors and officers in Canada, and entertainment in North America. He spoke to Canadian Underwriter as part of the print magazine’s upcoming spotlight on specialty markets in August.
“As companies in the second quarter were ramping up [and] getting everybody set up to work from home, I don’t think the first priority was necessarily protections around that.”
In May, Twitter told employees who can and want to work from home that they would be allowed to do so for as long as they want. On July 15, the company was hit with the attack.
Why are employees falling for these scams?
Lack of training is a big reason, Keefe said. But even though many companies are upping their training and sending out constant reminders, it just takes that one person, perhaps at the end of the day, to click on an attachment or hand over a password or other security information thinking the request is legitimate.
“It’s training, coupled with the fact that phishing emails have become more legitimate-looking,” she said. “Sometimes it’s very difficult to ascertain that they’re coming from a domain that’s not correct.”
And it works for the hackers. “Criminals are using this more and more because they see that it works and it’s a gateway into the system,” Keefe said. “And with the popularity of ransomware and the success the criminals are having [by] extorting money from companies whose data they lock up, the more phishing you see.”
Feature image by iStock.com/selimaksan