The COVID-19 pandemic has upended nearly every phase of life. Businesses were forced to scramble to create optimal teleworking environments, and cybercriminals immediately got to work, hacking into Zoom meetings and inundating employees with phishing, spear phishing, malware, and spam.
To make matters worse, work life has collided with family life in ways that make focusing on work extremely difficult. For workers with children who are also at home during the quarantine, it can make focusing on work feel impossible. This creates the optimal conditions for social engineering. Distracted users are less likely to critically inspect emails for the signs of an email threat and more likely to react quickly to emails with news or updates about the pandemic.
Additionally, with the walls of the office essentially torn down, the comforts of home can lull employees into a false sense of security. And with IT staff no longer in the building, this could lead to poor cyber hygiene and a general indifference to cybersecurity.
Social engineering techniques
Social engineering involves using psychological manipulation to prime a victim for a cyberattack, particularly an email attack like spear phishing or phishing. It requires no particular technical skills and no tools or software. All a hacker needs is to be skilled at lying and manipulation—characteristics hackers possess in abundance.
Most email attacks require victims to participate, typically by completing a requested action, such as divulging information on a phishing form, downloading a malware-laden file, transferring money, or making a purchase. To get a victim to participate, a hacker must pique the victim’s interest. They socially engineer victims in a variety of ways:
Phishing emails, particularly subject lines, often include words and phrases intended to spark fear or concern, such as “Security Alert,” “Compromised Account,” and “Unauthorized Sign-In.” In spear phishing attacks, hackers place victims under duress, creating pressure to act quickly and fear consequences—typically professional—for not completing the requested action.
In the context of COVID-19, cybercriminals don’t have to reach far to incite fear in victims. From spam emails promoting face masks, which are in short supply globally, to phishing emails impersonating the World Health Organization, COVID-19 related email threats are designed to exploit our fears and lure us in with the promise of hope.
Spear phishing emails often begin with a series of friendly exchanges to prime the victim. A pretext email could be as brief as a friendly “hello,” followed by a request, or it could be an email requesting the victim to confirm their ability to complete a requested action, such as a wire transfer.
Teleworking has removed face-to-face interactions at work, forcing people to get creative about getting in touch with colleagues and normalizing informal communications over text, chat, and email. This new normal opens the door to pretexting in ways that might have sounded alarms before COVID-19. For example, a request to transfer a large sum of money is typically made face-to-face rather than by email, but because face-to-face isn’t possible, an email might not seem suspicious. Additionally, the target employee can’t verify the request in person and will have to pick up the phone to confirm it. Will they? Many don’t.
Impersonation, the hallmark of all phishing and spear phishing emails, creates an aura of familiarity and trust. A victim is more likely to click on an email from a trusted brand, and to respond to an email from a known contact than from an unknown one.
Health organizations and government agencies have been a constant source of information for consumers, opening the door for impersonation on a global scale. Consumers trust these organizations to provide up-to-date statistics about COVID-19 infection rates and local ordinances. Any email impersonating one of these organizations is likely to incite the emotional response hackers are looking for. Additionally, as businesses adopt more cloud apps to support teleworking, they’ll be more susceptible to phishing emails impersonating top providers, such as Adobe, Google, Microsoft, DocuSign, and Dropbox.
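The three signals described above (fear-inducing subject lines, a pretext that pushes the conversation to email and asks for a wire transfer, and a trusted brand or organization named in a message that did not come from that brand’s own domain) are all visible in mail headers and can be triaged mechanically before a distracted employee ever sees the message. The script below is an added example, not code from the original post; the brand-to-domain allowlist, the phrase lists and the three sample messages are constructed for illustration, and a real deployment would maintain the allowlist from the organization’s own vendor records.

```python
"""Heuristic triage of inbound mail for social-engineering signals:
fear/urgency subject lines, brand impersonation from a non-brand sender
domain, a Reply-To that diverts answers elsewhere, and money requests.
Example code; allowlist and samples below are constructed, not real."""
import email
import textwrap
from email import policy
from email.utils import parseaddr

# Brand -> domains that brand legitimately mails from (constructed allowlist).
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "google": {"google.com"},
    "adobe": {"adobe.com"},
    "docusign": {"docusign.com", "docusign.net"},
    "dropbox": {"dropbox.com", "dropboxmail.com"},
    "world health organization": {"who.int"},
}

# Subject-line phrases that create fear or pressure to act quickly.
URGENCY_PHRASES = ("security alert", "compromised account", "unauthorized sign-in",
                   "action required", "account suspended", "immediately")

# Body phrases typical of a pretext that is priming a payment.
FINANCIAL_PHRASES = ("wire transfer", "gift card", "change of bank details", "urgent payment")


def _domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _in_allowlist(domain: str, allowed: set[str]) -> bool:
    # Accept the listed domain itself or any subdomain of it.
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def analyze(raw_message: str) -> dict:
    """Return findings and a verdict for one RFC 5322 message given as text."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, sender = parseaddr(msg.get("From", "") or "")
    sender_domain = _domain_of(sender)
    subject = str(msg.get("Subject", "") or "")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    findings = []

    # 1. A brand is named in the display name or subject, but the sender domain is not the brand's.
    visible = f"{display_name} {subject}".lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in visible and not _in_allowlist(sender_domain, domains):
            findings.append(f"brand_impersonation:{brand}")

    # 2. Fear or urgency language in the subject line.
    for phrase in URGENCY_PHRASES:
        if phrase in subject.lower():
            findings.append(f"urgency:{phrase}")

    # 3. Replies would go to a different domain than the apparent sender (pretexting via email).
    _, reply_to = parseaddr(msg.get("Reply-To", "") or "")
    if reply_to and _domain_of(reply_to) != sender_domain:
        findings.append("reply_to_mismatch")

    # 4. The body asks for money or payment details.
    for phrase in FINANCIAL_PHRASES:
        if phrase in body.lower():
            findings.append(f"financial_request:{phrase}")

    return {"from": sender, "subject": subject, "findings": findings,
            "verdict": "suspicious" if findings else "clean"}


# Constructed sample messages (not real mail).
SAMPLE_IMPERSONATION = textwrap.dedent("""\
    From: "Microsoft Account Team" <alerts@secure-login-verify.example>
    To: staff@corp.example
    Subject: Security Alert: Unauthorized Sign-In detected

    Your account was accessed from a new device. Sign in now to review.
    """)

SAMPLE_LEGIT = textwrap.dedent("""\
    From: "Microsoft" <no-reply@microsoft.com>
    To: staff@corp.example
    Subject: Your monthly usage summary

    Your summary for the month is available in the admin portal.
    """)

SAMPLE_PRETEXT = textwrap.dedent("""\
    From: "Jane Doe" <jane.doe@corp.example>
    Reply-To: <jane.doe.ceo@freemail.example>
    To: finance@corp.example
    Subject: Quick favor

    Are you at your desk? I need a wire transfer processed today. Reply by email, I'm in meetings.
    """)

if __name__ == "__main__":
    for sample in (SAMPLE_IMPERSONATION, SAMPLE_LEGIT, SAMPLE_PRETEXT):
        result = analyze(sample)
        print(f"{result['verdict']:10} {result['subject']!r}: {result['findings']}")
```

The third sample is flagged purely on structure (Reply-To pointing off-domain plus a payment request), which is exactly the case the post says a phone call should settle; a mail gateway that tags such messages gives the employee the prompt to make that call.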
Social media accounts provide all the fodder a cybercriminal needs to launch a personalized attack. Hackers stalk victims on social media platforms like LinkedIn and Twitter to harvest personal information and then use their familiarity with the victim to launch their attack.
With citizens across the world on lockdown, they’re turning to social media in massive numbers. Not only are they reading content, but they’re sharing updates about their personal experiences during the quarantine, including their job and health statuses, financial troubles, and family issues. This personal data can be used to create a social profile of a victim, a sort of checklist of ways to exploit them.
By using the above techniques, hackers can manipulate their victims into completing any number of actions. Social engineering therefore takes the work out of hacking and puts the onus on the victim to finalize the attack.
Protecting your business
As the majority of the global business economy has shifted to teleworking due to COVID-19, the structure of the work environment has changed drastically—even disappeared in some respects. Combined with the psychological toll of watching the staggering collapse of public health, social norms, and the global economy, workers are distracted, on edge, and vulnerable to cyberattacks. For cybercriminals who are watching closely, social engineering is the perfect weapon.
Despite being physically separated from your employees, you can still protect your business from social engineering and other email threats from a distance. Here are a few general rules to follow:
- Never log in to an account from email.
- Confirm all financial requests by telephone.
- Never open an attachment from an unknown contact.
- Preview all PDFs and attachments before opening.
- Don’t open links in direct messages on social media.
- Encourage employees to report all threats to IT (even if they’re not sure).
Finally, you should maintain your security awareness training and provide your employees with materials they can keep as reminders on their desktops. Below are just a few infographics and resources you can share with your staff.