article banner

Coronavirus-related phishing emails

With most companies adopting some form of remote working setup in these turbulent times, there has been a sharp rise in attempted phishing scams targeting companies and individuals. Although regulators have done their part to swiftly advise individuals about these phishing scams – which may take the form of council tax rebate announcements, or bank payment fraud – the danger to businesses and their operations can be severe from this kind of cyberattack.


What is phishing?

Phishing scams can take a variety of forms. The most common is an email sent by fraudsters impersonating companies or people – often banks, credit card providers, or someone in your organisation. Even before the COVID-19 pandemic, phishing scams targeting even a single employee were known to seriously disrupt entire organisations.


How has the Coronavirus pandemic exacerbated phishing scams?

With more people working from home via unfamiliar and untested technologies, cyber criminals and hacking groups have been keen to exploit the disruption caused by the virus. For these malicious actors, this time of reorganisation and confusion makes for a golden opportunity to mount sweeping cyberattacks on individuals and organisations.

Examples so far include fraudsters impersonating the World Health Organization and the Centers for Disease Control and Prevention, advertising fake antiviral equipment, and attackers seeking cryptocurrency funding which they claim is for vaccine research. Vulnerable economic sectors, such as shipping and retail, have been frequently targeted in recent weeks.

Security analysts have suggested that the rush for organisations to set up remote working options for their employees may lead them to take shortcuts in their cybersecurity protocols. Remote working can even heighten risks in other ways, as company PCs may be vulnerable to cyberattack if they are now connected to home networks that lack sophisticated cybersecurity systems.


Lateral phishing attacks

A lateral phishing attack occurs when at least one compromised employee email account in an organisation is used to target other team members in the same organisation.

Lateral phishing attacks are often effective, as it can be easy for fraudsters to convince the target that their request is legitimate. Attempted attacks might involve sending emails – claiming to be from senior management – authorising financial transfers, requesting data exchange, or demanding financial information.


What do phishing emails look like?

Phishing scams are becoming ever more sophisticated and difficult to spot – and some organisations are struggling to adapt.

For your own personal and professional security, it is important to know how to spot a phishing email. Look out for the following common characteristics:

  • It asks for bank account or financial information. Most reputable financial providers never request details over email.
  • It contains grammatical errors and spelling mistakes.
  • It starts with generic greetings.
  • It encourages an immediate action.
  • It is simply too good to be true, or uses threatening content.
  • You do not recognise the sender.

How to protect your organisation

It is essential to take proactive measures to avoid phishing scams. With the introduction of the Personal Data Protection Act (PDPA) year, the legal and financial consequences of data leaks can be substantial, even before you begin to consider reputational damage.

The best ways to protect your organisation are:

  • Mandatory cyber security awareness training for all employees.
  • Keeping your organisation’s security software up to date.
  • Clear processes for what to do when receiving a suspicious email. This should include informing your IT department in person that you will be forwarding them a suspicious email. Once you have forwarded the email, delete the original one.
  • Remaining sceptical of any email, website or social media channel that appears to be suspicious.
  • If you get a questionable email purporting to be someone in your organisation, call them on their authorised number to confirm that they have sent the email.

Moving forward

Whenever organisations and individuals become more innovative in where and how we do our work, an increase in cyber security threats is likely to follow.

Take the time to implement or increase cybersecurity awareness training for your employees and external teams. While this procedure can be an expensive and time-consuming to implement, the costs of failing to act can be enormous.

While it is important to promote social distancing and curtail the spread of the virus, remember to also keep your organisation safe from cybercriminals looking to exploit the Coronavirus pandemic.