COVID-19 has had an extraordinary impact on everyone's daily life. Even in the fall of 2020, many people are still working partially or entirely remotely, and bad actors have responded by pursuing social engineering tactics with renewed vigor.
Social engineering is an umbrella term for the many ways of tricking someone into divulging information or granting access. It can take the form of phishing emails, phishing text messages, phone calls, or in-person visits by a malicious party after sensitive information or access.
The increased dependence on remote work, online presence, email, and other collaboration software widens the target for attackers. Social engineering is also popular because it requires little technical skill to pull off and costs the attacker almost nothing.
Attackers are capitalizing on the shift to remote work by sending increasingly sophisticated phishing emails that look more and more legitimate. They call victims pretending to be from the IT department and talk them into clicking a link or reading out a two-factor authentication code; with a password already stolen, that one-time code is all the attacker needs to finish logging in and bypass the authentication control. Bad actors also pose as COVID-19 officials from government or health organizations, or as insurance carriers. Whatever the pretext, the goal is the same: access, information, leverage, or money.
Healthcare staff must stay vigilant against social engineering attempts in their various forms. The following steps can help thwart these attacks:
- Be suspicious of unsolicited contact from anyone seeking internal organizational data or personal information;
- Do not provide personal information or passwords over email, on the phone, or in person to individuals you do not know;
- Be wary of all links and attachments in email, and closely inspect the actual sender address, not just the display name it arrived under;
- Be equally wary of requests for account changes or information made by email alone; call back on a number you already have to verify before acting;
- Do not provide information about your organization to outside entities without proper authorization;
- Pay attention to website URLs that use a variation in spelling or a different top-level domain (e.g., .com versus .net); and
- Verify a request's authenticity by contacting the company or internal department directly, using contact details you already hold rather than those supplied in the message.
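The two address-inspection points above (judge the real sender address, not the display name, and watch for spelling variants and swapped top-level domains) can be turned into a mechanical check. The following is an added example written for this article, not code from the original page or from any organization it mentions: a small Python classifier that compares a From: header against an allowlist of trusted domains. The hospital domains, the homoglyph table and every sample header are constructed for illustration, and the public-suffix handling is deliberately simplified as noted in the comments.

```python
"""Flag a mail sender whose domain only resembles one the organization uses.

Added example for this article, not code from the original page. The trusted
domains and every header below are constructed for illustration.
"""
from email.utils import parseaddr
import unicodedata

# Constructed allowlist: the domains a fictional hospital actually sends mail from.
TRUSTED_DOMAINS = {"examplehealth.org", "examplehealthfoundation.org"}

# Digits that phishing domains routinely swap in for the letters they resemble.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(label: str) -> str:
    """Fold visual substitutions so 'examp1ehea1th' compares equal to 'examplehealth'."""
    label = unicodedata.normalize("NFKC", label).lower()
    # Drop accents: 'é' -> 'e'.
    label = "".join(c for c in unicodedata.normalize("NFKD", label)
                    if not unicodedata.combining(c))
    label = label.translate(HOMOGLYPHS)
    # Two-character pairs that read as one letter at a glance.
    return label.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by the standard dynamic-programming recurrence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable(domain: str) -> tuple[str, str]:
    """Return (second-level label, top-level label) of a host name.

    Assumption: single-label public suffixes. Production code should consult the
    Public Suffix List so that e.g. 'example.co.uk' is split correctly.
    """
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2], labels[-1]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a From: header as 'trusted', 'tld-swap', 'lookalike' or 'unrelated'.

    Only the address part counts; the display name is attacker-chosen free text
    and is deliberately ignored.
    """
    _, addr = parseaddr(from_header)
    if addr.count("@") != 1:
        return "unrelated"
    domain = addr.split("@")[1].lower().rstrip(".")
    labels = domain.split(".")
    if len(labels) < 2 or not all(labels):
        return "unrelated"
    sld, tld = registrable(domain)
    good = {registrable(d) for d in trusted}

    if (sld, tld) in good:
        return "trusted"                  # the domain itself or one of its subdomains
    # Policy choice for this allowlist: it is all ASCII, so any internationalized
    # (punycode) label is treated as a homograph attempt rather than decoded.
    if any(label.startswith("xn--") for label in labels):
        return "lookalike"
    if any(sld == g_sld for g_sld, _ in good):
        return "tld-swap"                 # examplehealth.org vs examplehealth.net
    folded = normalize(sld)
    for g_sld, g_tld in good:
        # Trusted name buried in a subdomain (examplehealth.org.login-portal.example)
        # or used as a prefix or infix (examplehealth-portal.org).
        if f"{g_sld}.{g_tld}" in domain or normalize(g_sld) in folded:
            return "lookalike"
        # One or two edits away: dropped, doubled or transposed letters. Short
        # names get the tighter bound to limit false positives.
        if edit_distance(folded, normalize(g_sld)) <= (2 if len(g_sld) >= 8 else 1):
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed headers, one per category.
    for header in [
        "IT Helpdesk <helpdesk@examplehealth.org>",
        "IT Helpdesk <support@examplehealth.net>",
        "support@examp1ehea1th.org",
        '"helpdesk@examplehealth.org" <attacker@mailhost.example>',
    ]:
        print(f"{classify_sender(header):10} {header}")
```

The last sample header is the display-name trick: the text a mail client shows in bold is a trusted address, but the message actually comes from `mailhost.example`, which is why the check only ever looks at the angle-bracket address. A verdict of `lookalike` or `tld-swap` is the cue to follow the call-back step above rather than act on the message.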
Knowing that social engineering attacks are increasing, and anticipating them, is a big step toward preventing a successful attack on your organization. If you suspect a social engineering attempt has taken place, whether or not it succeeded, notify your Security department as soon as possible so they can guide you and warn others.