Far from frightening hackers, Covid-19 is inspiring them. From fake sales sites to fraudulent emails, hackers are stepping up their attacks. Since the start of the pandemic, France has recorded a 30,000% increase in cyberattacks, or around 400,000 cyberattacks since the beginning of April.
Among the techniques used, phishing has the wind in its sails during this health crisis because it plays on individuals' fears. And what could be easier than pulling this lever when people face a new and anxiety-provoking situation? The scale of the phenomenon is such that the World Health Organization (WHO) recently warned Internet users about fraudulent emails that exploit their anxieties to gain access to their personal data.
Proven over the past five or six years, these phishing techniques are nothing new, and although Internet users know about them, many continue to be trapped. How, then, do you identify a threat? What are the most common cases?
Covid-19: preferred factor for attacks
Today there are two types of hacking: one originating from internal communications, the other from external communications. As a result of the pandemic, internal communications between company management and employees have increased in order to pass on a number of recommendations related to Covid-19. Having no reason to be wary of a message from their own company, trusting employees open emails, click on links and/or open attached documents. In this type of attack, hackers are betting on the urgency of the situation and on the employee's need to take note of the information. During this particular period, many seasoned employees who were aware of phishing techniques were caught out.
In terms of external communications, scammers use emails about online tax declarations, the increase in spending limits on restaurant-voucher cards, and digital certificates that change regularly. They also fall back on communications from public organizations such as the WHO, NGOs, or solidarity movements for nursing staff (fundraising pools, calls for donations, etc.) to retrieve users' data. Emails taking advantage of the current economic situation are likely to multiply in the coming weeks!
A reminder of the phishing rules – still necessary
It cannot be repeated often enough: hackers exploit the weak points in our daily lives, the moments when we lower our guard. A few key tips are well known but worth remembering. First reflex: check the source of the email and watch for unidentified attachments or unknown senders. Next, take the time to read the email in order to spot errors: hackers don't waste time proofreading for spelling or syntax errors. Finally, analyze the tone of the email to identify injunctions. Fraudulent emails tend to use directive vocabulary, framed as "obligations".
To make employees aware of these good practices, employers should not hesitate to repeat the phishing safety instructions, or even to send simulated fraudulent emails themselves to test their teams.
Password management: a headache for companies and employees
There are many password managers, all effective and offering the same guarantees. But is it up to the company or the employee to have a password manager? Over a career we all change companies more or less often, yet we very often keep the same passwords, which are generally easy for hackers to find. Indeed, we are too often tempted to use passwords that describe us, such as a date of birth or a pet's name.
To avoid these problems, companies have every interest in offering their employees a password manager for storing both company and personal data. The employee can keep the manager on leaving the company, because the company can revoke professional access through an SSO system (Active Directory) linked to the password manager. Once the employee is deleted from the company's Active Directory, they lose access to the company's data and keep only their personal passwords and access. Simple and effective for maximum security.
In the same way, be careful not to divulge your passwords, even to your family: trust is one thing, the security of third parties is another. Each person has their own level of security on their devices. You may therefore be completely secure while the third party to whom you entrust your password is not. It can start with a Netflix password, which was the most shared password during lockdown, and which then opens a door for a hacker to sneak into your session.
Two-factor authentication has been around for a few years now, and despite its increasingly frequent implementation, few users use it. Yet it is an additional security element that makes hackers' work much more complex. This technology is not foolproof, but it will cause most attackers to choose another target.
In conclusion, phishing is the easiest technique for amateur hackers to set up! But it is also easy to spot when you pay attention. We cannot repeat it enough: attention, together with the constant awareness of each and every one of us, makes all the difference in terms of security.
By Lionel Doumeng, cybersecurity expert at F-Secure