20th April, 2020
A huge number of malicious cyber criminals have exploited the COVID-19 pandemic with phishing scams.
In the UK, the National Cyber Security Centre (NCSC) has detected more UK government branded phishing scams relating to COVID-19 than any other subject. A surge in home working has increased the use of potentially vulnerable services, such as video conferencing, which in turn amplifies the threat to organisations across the board.
Throughout the pandemic, the UK’s National Cyber Security Centre (NCSC) and the US Department of Homeland Security (CISA) have both observed a large volume of phishing campaigns. This involves the use social engineering techniques to persuade potential victims to click on a link or open a file in order to harvest valuable credentials or to deploy malware to compromise devices.
Many have imitated trustworthy sources such as the National Health Service, World Health Organisation (WHO) and Government departments such as HMRC.
The NCSC’s phishing guidance for organisations on mitigating against phishing attacks is split into four layers:
Layer 1: Make it difficult for attackers to reach your users
This can be achieved through:
- implementing anti-spoofing controls to stop your email addresses being a resource for hackers
- considering what information is available to hackers via your website and social media accounts and educate your users to do the same
- filtering or blocking incoming emails that are potentially fraudulent.
Layer 2. Help users identify and report suspected phishing emails
You are only as strong as your weakest link. The easiest way for a criminal to gain access to your data is through your people, even if you’ve got comprehensive cyber security measures in place.
Effective Cyber Awareness Training will help equip your team with the knowledge they require to prevent future cyber attacks.
Despite your best efforts, assume that your organisation will fall foul of a small percentage of phishing campaigns. Planning for this will minimise the damage caused to your organisation. It is important that you create a no-blame culture and a clear phishing incident reporting process.
Layer 3. Protect your organisation from the effects of undetected phishing emails
Implement the following IT security controls:
- two factor authentication (2FA) to protect your accounts
- user access control, which ensures user privileges are set appropritately
- use a proxy servier and up to date browser to provide protection from malicious sites
- malware protection
The NCSC’s Cyber Essentials scheme has been designed to help organisations achieve and maintain these controls.
Layer 4. Respond quickly to incidents
As is the case in many situations, the speed and effectiveness of the way respond to a phishing attack will also limit your exposure. It is imperative that you define and rehearse your incident response plan, including any legal requirements.
More details are available on NCSC’s website.
You can also find out more about protecting your organisation by visiting our Business Support Hub.
