An email pops up while you’re in the makeshift office space that you threw together to work from home. Your favorite video-streaming service needs an updated password — or so it appears. You click on the provided link and enter the information. But in your haste, you’ve actually entered sensitive information into a decoy login set up by a cyber criminal.
And now, potential malicious content has been exposed to the laptop, tablet or phone you’ve used for recreational and work purposes while social distancing.
This is just one scenario that Silicon Valley workers face after the sudden jump to remote work due to the COVID-19 outbreak, according to regional cybersecurity experts. The rush to operate businesses of all kinds remotely has created a rich environment for hackers to trick people into clicking on malicious links, entering passwords into fake login prompts and a host of other activities to steal personal information and even gain access to employers’ sensitive data.
In April, Mountain View-based tech giant Google reported that in one week it saw 18 million daily malware and phishing emails related to COVID-19, plus more than 240 million COVID-related daily spam messages. In March, San Carlos-based network security firm Check Point Software Technologies reported more than 4,000 coronavirus-related domains registered globally, with 3 percent malicious and 5 percent suspicious. Coronavirus-related domains are 50 percent more likely to be malicious compared with ones registered during the same period.
“That is the playbook — find a crisis and create campaigns around the crisis,” said Jerrod Chong, chief solutions officer at Palo Alto-based Yubico, which makes physical security keys for people to use to log into devices.
The experts interviewed by San José Spotlight say they’ve seen cybersecurity ploys ranging from fake mask sellers to fake websites for the Olympics. Criminals have even used bogus stimulus payment and COVID-19 vaccine information to elicit sensitive data while pretending to be from organizations like the U.S. Centers for Disease Control and Prevention.
Cybercriminals in 2020 range from actors working on behalf of foreign nations to hobbyists who buy tools and email address lists online. “If it’s too good to be true, it isn’t true,” Chong said.
Now that employees are used to working remotely, it’s not too late for employers to rethink cybersecurity measures, said Sam McLane, chief technology services officer at managed network security company Arctic Wolf.
Some of the Sunnyvale-based company’s clients initially chose to give wide-open access to employees. Arctic Wolf has been advising those clients to rethink which employees have access to certain types of sensitive data from home.
McLane, who’s been a remote worker for about 25 years, said the technology behind what enables work from home has largely remained the same in principle over time. What’s changed is the ease of getting closer to high-value targets like company CEOs and research scientists in the age of social media. Cyber criminals are well-practiced at figuring out a target’s social network and using that information to gain passwords and eventually reach data to sell.
“Having a corporate device on a personal network is not the worst problem,” McLane said. “The bigger problem is the human.”
Large-scale businesses and those that handle sensitive data as part of their daily work have been largely sold on better cybersecurity initiatives. Data breaches for companies like Equifax and Home Depot have left corporations eager to stay protected and out of the headlines.
But even small- to medium-sized companies — especially those that collect customers’ credit card information — can benefit from adding tools such as multiple steps for customers to prove they are who they say they are (a process called multi-factor authentication).
And customers have become more understanding and expectant of enhanced security measures to use social media and log into online banking portals.
“This is the oldest tradeoff, security and convenience,” said Ahmed Banafa, a cyber security expert and engineering professor at San Jose State University. “Where do we find the sweet spot where everyone is happy and everyone is secure?”
Small business owners interested in boosting their cybersecurity can expect to spend around $300 a month, Banafa said.
A rule of thumb is whatever companies spend on employee email accounts, spend that amount again on cybersecurity, McLane said.
But for Chong, even basic protections go a long way. Don’t ignore updates to devices and apps — versions become outdated sometimes due to newly discovered security flaws, and you’ll want your software to have the latest fixes.
Contact Wade at [email protected] or follow him @WadeMillward on Twitter.