Staying Cyber Safe While Working from Home

As cyber criminals use increasingly sophisticated techniques to lure their victims, extra vigilance is needed
01 May 2020
By Gwen Weerts
Cyber criminals utilize spear phishing techniques to lure their victims with tailored messages. Credit: Shutterstock

Following the outbreak of COVID-19, many people are working remotely for the first time ever. Times of crisis are ripe for innovation, and many businesses and institutions will ultimately find new ways to operate in a virtual environment that benefit their customers in the long run. Unfortunately, criminals also see crises as opportunities.

While some newly remote workers have the benefit of working on company laptops with the strict security measures that come installed on that equipment, others have converted less-than-secure home computers to remote desktops, or are relying on cloud-based tools to save and share work. Paying attention to cyber security is more important now than ever.

Phishing, which refers to nefarious attempts to induce people to reveal personal information, click on dangerous links, or open dangerous attachments, is nothing new. Hackers have been exploiting this tactic since the invention of email. What's new is the accuracy and sophistication of such techniques. Whereas phishers of the past cast a generic wide net (e.g., a Nigerian princess wants to send you her fortune), "spear phishing" has become more common.

Spear phishers do their homework. They research targeted recipients on organization websites and LinkedIn and tailor the message text directly to the recipient. The personalized content is intended to build trust and credibility with the recipient, so that they are more likely to click a link, open an attachment, or hand over personal information.

[Image: spear phishing email]

The email above is an actual recent example of a spear phishing attempt. This email, which pretends to be from 2020 SPIE President John Greivenkamp, got a lot of things right. The institutional information in the signature is accurate, including Greivenkamp's leadership role as SPIE President. It links together two other SPIE volunteers who could plausibly know each other.

Fortunately, the recipient of this phishing attempt saw enough incongruities to raise suspicion, and reported it to SPIE.

Before clicking a link, hitting reply, or opening an email attachment, look for these common signs of phishing:

1. The message is sent from a public email domain, like Yahoo or Gmail. This may be normal if the email came to a non-work email account from a personal acquaintance, but no legitimate institution will use a Gmail address.
2. The email creates a sense of urgency. If the sender wants you to do something immediately, that's a good reason to pause.
3. The message is poorly written. Look for bad grammar and punctuation.
4. The message includes suspicious attachments, links, phone numbers, or calls to action.
5. The domain name could have subtle or glaring misspellings, such as @SPI3.org instead of @SPIE.org.
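
As an added illustration (not part of the original article), signs 1, 2 and 5 can be checked mechanically before a person reads the message. This Python sketch assumes the trusted domain, webmail list, urgency phrases and sample messages shown in it, all of which are constructed for the example.

```python
from email.utils import parseaddr

# Assumed values for illustration: the real domain, webmail domains, urgency wording.
TRUSTED_DOMAIN = "spie.org"
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY_PHRASES = ("urgent", "immediately", "right away", "as soon as possible")
# Digits often swapped in for letters in lookalike domains (e.g. SPI3 for SPIE).
LOOKALIKES = str.maketrans({"3": "e", "1": "l", "0": "o", "5": "s", "4": "a"})
# Constructed sample messages (From header, body); not the email in the article.
SAMPLES = [
    ("SPIE President <president.office@gmail.com>", "I need a favor immediately."),
    ("Membership <info@spi3.org>", "Please review the attached invoice."),
    ("Membership <info@spie.org>", "The monthly newsletter is attached."),
]


def edit_distance(a, b):
    """Levenshtein distance, to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_signs(from_header, body, trusted=TRUSTED_DOMAIN):
    """Return the warning signs, numbered as in the list above, that fire."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    signs = []
    if domain in PUBLIC_DOMAINS:  # sign 1: sent from public webmail
        signs.append("1: public email domain")
    if any(p in body.lower() for p in URGENCY_PHRASES):  # sign 2: pressure to act
        signs.append("2: urgency")
    # Sign 5: not the real domain, but digit-swapped or within two edits of it.
    if domain and domain != trusted and (
            domain.translate(LOOKALIKES) == trusted
            or edit_distance(domain, trusted) <= 2):
        signs.append("5: lookalike domain")
    return signs


if __name__ == "__main__":
    for sender, text in SAMPLES:
        print(sender, "->", phishing_signs(sender, text))
```

A message that triggers none of these checks is not thereby safe; signs 3 and 4 still need a human reader.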

If you receive an email that raises suspicion for any of these reasons, here are the Dos and Don'ts:

1. Don't click any links, open attachments, or contact anyone it tells you to.
2. Don't hit reply.
3. Do contact the purported sender via an email address or phone number in your personal contact list and ask if they sent it.
4. Do mark the sender as junk or spam.
5. Do delete the email, then delete it from your trash.

Spear phishing is just one method used by hackers to infect computers with malware or ransomware, or to obtain personal information. They also exploit weak passwords, reused passwords, insecure public Wi-Fi, and malware-infected USB drives, among a host of other malicious methods.

As you adapt your work to the new reality of a remote office, be on the lookout for ways to innovate. But also be aware that hackers are doing the same.
