Chad Thunberg

Responding to the rising wave of social engineering attacks against remote workers

By now, it’s clear the pandemic has provided perfect conditions for many types of social engineering attacks. We’ve seen plenty of reports and warnings from the FBI, CISA, Interpol, and other reputable organizations about the growth in coronavirus-related attacks, from spear-phishing to vishing, ransomware, and more, as the world adapts to remote working and its associated risks. 

In many ways, social distancing and remote work have created more fertile conditions for hackers, but the types of social engineering attacks we’re seeing today aren’t too different from what we’ve seen in the past. So, why are we still seeing major breaches making news headlines on a regular basis? 

If history has taught us one thing it’s that hackers will always capitalize on the human element. Uncertainty, fear, distraction, isolation, and confusion can all contribute to increased vulnerabilities among users. And as we continue to face a rapidly shifting global news agenda, we can’t possibly anticipate the next twist in the pandemic or major news event that opportunistic hackers will exploit. Look at the rise in phishing attacks related to COVID stimulus and relief for example. 

We expect to see continued social distancing and increased virtual interactions long after the pandemic subsides, which means that enterprises must rely on strong authentication to protect against the rising wave of social engineering attacks. As we lose confidence in the security of systems and information with an increasingly decentralized work environment, it’s critical to re-establish trust with your users. Here’s how:

Employee education and training is not enough.

Educating employees to be on the look-out for COVID-related scams, while essential, is not a comprehensive response. No matter how much user education about phishing or social engineering takes place, some attacks will still succeed. As long as user action is required, and there is a reliance on users to identify phishing and man-in-the-middle attacks, vulnerabilities will continue to be an issue. 

It’s time to overhaul your 2FA strategy.

Organizations cannot afford to continually rely on passwords, recovery questions, or basic two-factor authentication (2FA) to protect against future social engineering attacks. These are methods proven time and time again to fall short in the face of mobile malware, SIM swapping, and phishing attacks. Hackers are getting more savvy, and we must as well. 

User experience is critical to your organization’s safety.

In a world where we are physically remote from coworkers or IT, and juggling home and work life, strong authentication must work at scale on a variety of devices, across business-critical applications, and within different environments. The better the user experience, the easier it is to deploy across and to secure the enterprise — unlike complex point solutions that only protect a niche set of users.

So, yes, the rise in COVID-related attacks is a real and present danger. But we can’t assume this is a temporary threat or unique to COVID. It is simply the latest version of an ongoing rise in social engineering attacks that demands a stronger response. Every day we are helping businesses large and small adapt to their new normal. Are you ready for yours?

Accelerate your digital transformation with hardware-backed strong authentication for your leading cloud-based services. Google Cloud, Microsoft Azure Active Directory, and many other day-to-day business applications offer built-in and seamless integration with the YubiKey.