By: Dan Reith BA(Hons) CAIB
Reith & Associates Insurance and Financial Services Limited
When the global COVID-19 pandemic sent our country into lockdown, many workers were sent to work remotely from home. For many, the notion of cyber threats may not have been a concern, given that the lockdown and office displacement were originally intended to be only a short-term need. Many months later, while most of our province is in Phase 3 of re-opening, despite the threat of a second wave and a possible return to lockdowns, many are still working remotely, and here is where the problem lies.
According to the Canadian Centre for Cyber Security (CCCS), cybercriminals have increased their attempts to identify and exploit individuals working from home since the COVID-19 pandemic began. Cybercriminals view remote workers as ripe for exploitation because many individuals are relatively inexperienced with remote working. What’s more, home networks are generally less secure than those at the workplace.
Many cybercriminals are using social engineering strategies to exploit vulnerabilities in remote workers. Social engineering is the act of accessing information, physical places, systems, data, property or money by using psychological methods, rather than technical methods or brute force. Social engineering scams rely on exploiting psychological weaknesses and blind spots in order to convince victims to give social engineers what they want. These scams are common and are especially dangerous as remote work becomes more widespread.
Common Social Engineering Scams
There are many different types of social engineering scams, each utilizing different strategies to prey on people’s curiosity and trust. Some of the most common social engineering scams include:
- Phishing is when a cybercriminal attempts to obtain valuable information by tricking people into visiting a fake website or clicking a link that installs malware. This is typically done via email or text message. While phishing may be used to target specific individuals, such as a person of authority at an organization, it is often a mass untargeted attack.
- Baiting is the offer of a reward (e.g., a monetary prize or discount) for taking a course of action, such as clicking on a link. Baiting can also be a physical attack. For instance, a malicious party might leave a USB marked “confidential” in public, hoping someone will find it and plug it into their computer. Once plugged in, the USB could install malware or other malicious software.
- Quid pro quo involves a seemingly legitimate exchange wherein the targeted person believes they are receiving a good deal. For example, a malicious party may identify themselves as an IT consultant offering a technical service in exchange for login details.
- Pretexting is when someone impersonates a known co-worker or authority figure in an attempt to gain access to secure information.
How to Reduce the Risk of Social Engineering Scams
Fortunately, many social engineering scams can be prevented through these simple cybersecurity practices:
- Training—Train your employees to watch out for messages with odd text formatting from unknown or unusual sources. Something that seems legitimate at a glance often fails to hold up under scrutiny.
- Reinforce security—Stress the importance of never giving out logins or other valuable company information to an unidentified third party. Employees should never click links or visit web pages that they are unfamiliar with.
- Update software—Keep all software updated with the latest security features.
- Encourage teamwork—Encourage employees to contact the IT department if they receive a message that they believe might be a scam.
- Review insurance—Review your cyber insurance policy to ensure that your organization is covered in the event of a cyberattack. A sad reality is that the majority of Canadian SMEs do not carry sufficient cyber insurance and rely merely on the basic limited extensions available under their general property and liability policy. Like any form of cover, cyber can be restrictive or robust. No two policies provide identical coverage, and price does reflect quality and depth of coverage. It is a fool’s errand to think you got “the same coverage” for less money. Have a knowledgeable cyber insurance professional review and help you select the right cover for your business.
To assess your exposure to cyber crime, check out our Cyber Risk Exposure Score card, available through our website, www.ReithAndAssociates.com: from the Why Choose Us drop-down menu, click on “REITH TOOLS” and download our Cyber Risk Exposure Score card. Once completed, it is an ideal tool to review with your IT provider and your cyber insurance provider to determine where holes can be filled with existing technology and then insurance.
Contact Reith & Associates Insurance and Financial Services Limited today at 519-631-3862 to learn more about how you can protect yourself from cyber threats and to discuss your current coverage.