Protecting Your Teleworking Staff

These tips are given in association with the U.S. Department of Homeland Security to help individuals remain vigilant for scams related to Coronavirus. Cybercriminals are sending emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to a fraudulent charity. Exercise caution in dealing with any email with a COVID-19 related subject line, attachment, or hyperlink, and be wary of social media pleas, texts, or calls related to COVID-19. Cyber awareness should always be practiced, regardless of the situation.

In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization's network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.

Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. For example, an attacker may send an email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts. Phishing attacks may also appear to come from other types of organizations, such as charities. Attackers often take advantage of current events and certain times of the year, such as

  • Natural disasters (e.g., Hurricane Katrina, Indonesian tsunami)
  • Epidemics and health scares (e.g., H1N1, COVID-19)
  • Economic concerns (e.g., IRS scams)
  • Major political elections
  • Holidays

Common indicators of a phishing attempt include the following:

  • Suspicious Sender Address

    • The sender's address may imitate a legitimate business. Cybercriminals often use an email address that closely resembles one from a reputable company by altering or omitting a few characters.
  • Generic Greetings / Signatures

    • Generic greetings, such as "Dear Valued Customer", and a lack of contact information in the signature block are red flags. A trusted organization will normally address you by name and provide their contact information.
  • Spoofed Hyperlinks or Sites

    • If you hover over links in the body of the email, and the links do not match the text, the link may be spoofed. Cybercriminals shorten URLs to hide their true destinations or use variations in spelling and domain.
  • Spelling and Layout

    • Poor grammar and sentence structure, misspellings, and inconsistent formatting are other indicators of a possible phishing attempt. Reputable institutions have dedicated personnel that produce, verify, and proofread customer correspondence.
  • Suspicious Attachments

    • An unsolicited email requesting a user to download and open an attachment is a common delivery mechanism for malware. A cybercriminal may use a false sense of urgency to persuade users to download or open an attachment without examining it first. 
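As an added illustration of the first three indicators above (example code, not part of the original page), this Python script scans one raw email for a display name that claims a brand while the address sits on a different domain, a generic greeting, and links whose visible text names one host while the href actually points elsewhere. The TRUSTED map, the URLISH pattern and the sample message are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed allow-list: brand keyword in a display name -> the domain that brand really uses
TRUSTED = {"example bank": "example-bank.com"}
URLISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

class _LinkCollector(HTMLParser):  # gathers (href, visible text) for every <a> in the body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):  # hostname of a URL or bare domain, lower-cased
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def check_email(raw):  # returns the red flags found in one raw RFC 822 message
    msg = message_from_string(raw)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    for brand, real_domain in TRUSTED.items():
        if brand in name.lower() and sender_domain != real_domain:  # display name vs lookalike domain
            flags.append(f"sender {addr} is not on {real_domain}")
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    if re.search(r"\bdear (valued )?customer\b", body, re.I):
        flags.append("generic greeting")
    parser = _LinkCollector()
    parser.feed(body)
    for href, text in parser.links:
        if URLISH.match(text) and host_of(text) != host_of(href):  # link text vs real destination
            flags.append(f"link text {text} actually goes to {host_of(href)}")
    return flags

# Constructed sample message (not a real phish) exercising all three indicators
SAMPLE = ("From: Example Bank Security <alerts@example-bank-login.co>\n"
          "Content-Type: text/html; charset=utf-8\n\n"
          "<p>Dear Valued Customer,</p><p>Verify now: "
          '<a href="http://bit.ly/3xAbC">https://secure.example-bank.com/verify</a></p>\n')
```

Running `check_email(SAMPLE)` returns one flag per indicator; the same function returns an empty list for a message whose sender domain, greeting and link targets all line up.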

Vishing is the social engineering approach that leverages voice communication. This technique can be combined with other forms of social engineering that entice a victim to call a certain number and divulge sensitive information. Advanced vishing attacks can take place completely over voice communications by exploiting Voice over Internet Protocol (VoIP) solutions and broadcasting services. VoIP easily allows caller identity (ID) to be spoofed, which takes advantage of the public's misplaced trust in the security of phone services, especially landline services. Landline communication cannot be intercepted without physical access to the line; however, this trait is of no benefit when the person on the other end of the line is the malicious actor.

Smishing is a form of social engineering that exploits SMS, or text, messages. Text messages can contain links to such things as webpages, email addresses, or phone numbers that automatically open a browser window, email message, or dial a number. This integration of email, voice, text message, and web browser functionality increases the likelihood that users will fall victim to engineered malicious activity.

Some characteristics that make email attachments convenient and popular also make them a common tool for attackers:

  • Email Is Easily Circulated

    • Forwarding email is so simple that viruses can quickly infect many machines. Most viruses do not even require users to forward the email - they scan a user's mailbox for email addresses and automatically send the infected message to all of the addresses they find. Attackers take advantage of the reality that most users will automatically trust and open a message that comes from someone they know.
  • Email Programs Try to Address All Users’ Needs

    • Almost any type of file can be attached to an email message, so attackers have more freedom with the types of viruses they can send.
  • Email Programs Offer Many “User-Friendly” Features

    • Some email programs have the option to automatically download email attachments, which immediately exposes your computer to viruses within the attachments.

Follow these six steps to help keep yourself protected:

  • Be Wary of Unsolicited Attachments, Even from People You Know

    • Just because an email message looks like it came from someone you know does not mean that it did. Many viruses can "spoof" the return address, making it look like the message came from someone else. If you can, check with the person who supposedly sent the message to make sure it's legitimate before opening any attachments. This includes email messages that appear to be from your internet service provider (ISP) or software vendor and claim to include patches or antivirus software. ISPs and software vendors do not send patches or software in email.
  • Keep Software Up to Date

    • Install software patches so that attackers can't take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it.
  • Trust Your Instincts

    • If an email or email attachment seems suspicious, don't open it, even if your antivirus software indicates that the message is clean. Attackers are constantly releasing new viruses, and the antivirus software might not have the signature. At the very least, contact the person who supposedly sent the message to make sure it's legitimate before you open the attachment. However, especially in the case of forwards, even messages sent by a legitimate sender might contain a virus. If something about the email or the attachment makes you uncomfortable, there may be a good reason. Don't let your curiosity put your computer at risk.
  • Save and Scan Any Attachments Before Opening Them

    • If you have to open an attachment before you can verify the source, take the following steps:
      • Ensure the signatures in your antivirus are up to date.

      • Save the file to your computer or a disk.

      • Manually scan the file using your antivirus software.

      • If the file is clean and doesn't seem suspicious, go ahead and open it.

  • Turn Off the Option to Automatically Download Attachments

    • To simplify the process of reading email, many email programs offer the feature to automatically download attachments. Check your settings to see if your software offers the option, and make sure to disable it.
  • Consider Creating Separate Accounts on Your Computer

    • Most operating systems give you the option of creating multiple user accounts with different privileges. Consider reading your email on an account with restricted privileges. Some viruses need "administrator" privileges to infect a computer.

For conference calls and virtual meetings:

  • Only use approved virtual meeting services, assign unique PINs or passwords to each attendee, and instruct them not to share them.
  • Use a dashboard feature so you can see who all the attendees are at any time.
  • Lock the call once you have identified all the attendees and lines in use.
  • Encrypt recordings, require a passphrase to decrypt them, and delete recordings stored by the provider.
  • Only conduct web meetings on organization-issued devices.
  • Use a "green room" or "waiting room" and don't allow the meeting to begin until the host joins.
  • Enable notifications when attendees join by playing a tone or announcing names. If this is not an option, make sure the meeting host asks new attendees to identify themselves.
  • If available, use a dashboard to monitor attendees and identify all generic attendees.
  • Don't record the meeting unless it's necessary.
  • For web meetings (with video), disable features you don't need, such as chat or file sharing.
  • Before anyone shares their screen, remind them not to inadvertently share other sensitive information during the meeting.

To avoid falling victim to social engineering and phishing:

  • Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
  • Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
  • Do not reveal personal or financial information in an email, and do not respond to email solicitations for this information. This includes following links sent in email.
  • Don't send sensitive information over the Internet before checking a website's security.
    • Pay attention to the Uniform Resource Locator (URL) of a website. Look for URLs that begin with "https" - an indication that the connection to the site is encrypted - rather than "http."
    • Look for a closed padlock icon - a sign your information will be encrypted in transit.
  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information.
  • Install and maintain antivirus software, firewalls, and email filters to reduce some of this traffic.
  • Take advantage of any anti-phishing features offered by your email client and web browser.

Remote Work Resource Center

Securing Your Remote Workforce

Identify Risk

Compliance starts with visibility. Conduct a 360° Security or Compliance Benchmark assessment.

Incorporate a Framework

Classify data according to the most relevant and restrictive compliance frameworks. Customize controls to meet organization-specific requirements.

Enforce Policies

Maintain data protection and retention policies, monitor user access, and field suspicious activity. 

6 Ways to Keep Your Information Secure

  • Avoid Unsolicited Links

    Don't click links or download attachments from unsolicited emails. If you did not request the information, delete the email. 
  • Rely on Vetted Sources

    Use trusted sources, such as legitimate government websites, for updates about COVID-19.
  • Multi-Factor Authentication

    Always use MFA when accessing resources over the internet. MFA protects against compromised credentials.
  • Be Wary of Social Engineering Attacks

    Social engineering is designed to get you to do something you usually would not do, like providing access to a building or your computer. It can take many forms: a phone call, a text message, or an email.
  • Watch Out for Phishing Attacks

    Phishing scams and smishing attacks are increasing. Like the majority of threats, these are designed to get you to give something up, such as your user name or password, or money. For our Office 365 clients: Microsoft will NEVER ask for your credentials unprompted.
  • Use Managed Wireless

    If your employees are working from home, you need to ensure your business data is secure. By implementing managed wireless, you have greater control over mobile and personal devices.