How employees can protect themselves from social engineering attacks via email and telephone
Expert panel discusses the human factor in IT security as part of the Internet Security Days (ISDs) on 16–17 September 2021
With many employees working from home, the risk of falling victim to phishing attacks has increased for many companies. “In the home office, many people lack the possibility to quickly discuss suspicious emails or calls with colleagues. Without the helpful office grapevine, companies should sensitise their employees in other ways,” says Markus Schaffrin, security expert and Head of Member Services at eco — Association of the Internet Industry. “Employees are relatively isolated at home and more at the mercy of their emotions, which attackers may take advantage of.”
Remote access to corporate data is standard today, so cybercriminals focus specifically on security vulnerabilities in this environment. According to the eco IT Security Study 2021, ransomware has been the greatest threat for years. Criminals try to place blackmail Trojans in IT systems using malicious code in order to encrypt them, steal customer data and demand a ransom. However, companies should not pay under any circumstances, advises the German Federal Office for Information Security (BSI).
Voice phishing attacks (vishing) on remote workers are on the rise
“Unfortunately, phishing attacks with subsequent blackmail of German SMEs are still a lucrative business for cybercriminals,” says Dr Niklas Hellemann from the Cologne-based IT security company SoSafe. According to his findings, IT managers, in particular, have been increasingly attacked since the beginning of the pandemic. “Cybercriminals are constantly adapting the attack vectors, which can make it difficult for employees to recognise them. Those who work alone in a home office, for example, are particularly at risk of falling victim to voice phishing (vishing) attacks and revealing sensitive information over the phone.”
Niklas Hellemann and Markus Schaffrin discuss strategies against phishing at the Internet Security Days (ISDs) on 16–17 September 2021. Here are 7 tips for IT managers to pass on to all employees working from home in order to sensitise them and protect them from phishing attacks:
- Be constantly aware that cybercriminals could try to gain access to company systems at any time with your help. Attend training sessions on a regular basis.
- If you are unsure whether you may have been the victim of a phishing attack, please report it immediately to your IT manager(s) and forward the relevant email. Also inform management if you have passed on critical information over the phone.
- Never share personal information such as passwords, credit card or transaction numbers via email, messaging service, social media or on the phone. This might sound obvious, but you are more vulnerable to manipulation, influence and deception while working from home.
- In general, avoid clicking on links in emails that lead to log-in pages. Instead, save addresses to the frequently visited log-in pages in your browser’s favourites list or surf to the named page via the homepage of the organisation in question.
- Do not click on any links that you receive by SMS, as it is particularly easy to forge the sender. Smishing (SMS phishing) is an attack method in which a text message asks the recipient to follow a link or call a number. Surf to the sender’s page directly in the browser instead.
- Never start a download from a link in an email unless you are one hundred percent sure of it; instead, if possible, always start downloads directly from the provider’s website.
- Before opening files attached to an email, make sure that the email really is from a trustworthy sender. If in doubt, contact the sender by telephone to make sure that the email really came from them.
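Several of the tips above come down to one habit: look at where a link really goes before trusting it. As an added illustration of that check, which is not code from the article, from eco or from SoSafe, here is a small Python checker that parses the HTML body of a message, pairs each link with its visible text, and reports links whose displayed host differs from the real destination, whose host merely resembles one of the company's own domains, or which lead straight to a log-in page. The sample message, the `TRUSTED_DOMAINS` set, the lookalike heuristic and all function names are constructed for this example.

```python
"""Flag risky links in an email body before anyone clicks them.

Constructed example (not from the article or the organisations it names):
extract every <a href> with its visible text and report mismatches,
lookalike hosts and direct links to log-in pages.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the organisation's genuine domains; any subdomain is trusted.
TRUSTED_DOMAINS = {"example.com"}
# Visible link text ending in one of these is a file name, not a host name.
FILE_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "zip", "exe", "html"}
LOGIN_PATH = re.compile(r"(login|log-in|signin|sign-in|password|verify)", re.I)
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so the visible text reads as one line.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    parser.close()
    return parser.links


def host_of(url):
    """Lower-case host of a URL, or None if it has none (mailto:, tel:, relative)."""
    host = urlparse(url).hostname
    return host.lower() if host else None


def host_in_text(text):
    """Host name the visible text claims to point at, or None."""
    m = HOST_IN_TEXT.search(text)
    if not m:
        return None
    host = m.group(1).lower()
    if host.rsplit(".", 1)[-1] in FILE_EXTENSIONS:
        return None  # 'invoice.pdf' is a file name, not a destination
    return host


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def _squash(host):
    """Cheap normalisation for lookalike tests: drop punctuation, map 0->o, 1->l."""
    return re.sub(r"[^a-z0-9]", "", host).translate(str.maketrans("01", "ol"))


def lookalike_of(host):
    """Trusted domain the host imitates without actually being it, or None."""
    if is_trusted(host):
        return None
    for d in TRUSTED_DOMAINS:
        if _squash(d) in _squash(host):
            return d
    return None


def check_email(html):
    """Return (href, reason) findings for the links in an HTML mail body."""
    findings = []
    for href, text in extract_links(html):
        dest = host_of(href)
        if dest is None:
            continue
        shown = host_in_text(text)
        if shown and shown != dest and not dest.endswith("." + shown):
            findings.append((href, f"text shows {shown} but link goes to {dest}"))
        imitated = lookalike_of(dest)
        if imitated:
            findings.append((href, f"{dest} resembles company domain {imitated}"))
        if LOGIN_PATH.search(urlparse(href).path):
            findings.append((href, "leads to a log-in page; type the address yourself"))
    return findings


# Constructed sample message in the style of a mailbox-quota phish.
SAMPLE_EMAIL = """
<p>Your mailbox is almost full. Please
<a href="http://login.example.com.quota-check-mail.net/login">sign in at login.example.com</a>
within 24 hours to keep receiving mail.</p>
<p>Your invoice: <a href="https://files.example.com/invoice-2021-09.pdf">invoice-2021-09.pdf</a></p>
<p>See you at <a href="https://www.example.com/events">our events page</a>.</p>
"""

if __name__ == "__main__":
    for href, reason in check_email(SAMPLE_EMAIL):
        print(f"{reason}\n    {href}")
```

Run against the sample, only the quota link is reported, three times: the visible text names `login.example.com` while the destination is a different registered domain, that destination merely contains the company name, and its path is a log-in page. The lookalike test is deliberately a blunt substring match after squashing punctuation and common digit swaps; it will also fire on legitimate third parties whose names contain the company domain, so in practice such findings belong in a warning banner or a report to the IT team rather than an automatic block.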