Video conference platforms are being used as a lure for phishing emails
With the use of web-based video conferences proliferating during the COVID-19 crisis, cyber security experts warn they pose a threat as well as an opportunity in the age of telework.
“In the past, we have seen certain teleconferencing applications or service providers being targeted because … they require you to download a piece of software and run it before you can use it on your computer, says EY Canada cyber security expert Chandra Majumdar.
He says criminals can take advantage of the situation to trick people into downloading software that can be dangerous or disruptive.
“While you think you’re downloading a remote meeting tool, it’s actually installing a piece of malware on your computer.”
This type of phishing campaign can be use used with a COVID-19 theme, Majumdar says.
And while he has yet to see proof of such a campaign in the current climate, Majumdar, who leads EY Canada’s national cyber threat management practice, says the company has been tracking an exponential growth in phishing emails with a coronavirus or COVID-19 theme.
Greg Young, an Ottawa-based cyber security expert with Trend Micro, says conditions are right for criminals to take advantage of the chaos unfolding across Canada and around the world.
“With any event there’s always going to be an increase in phishing but, in this case, specifically (targeting) unfamiliar users (with) unfamiliar applications,” Young says.
IDC Canada’s Megha Kumar says there are different categories of web-based platforms used for telework and many companies will use a combination.
Zoom, Microsoft’s Skype, and Cisco’s Webex are examples of video and audio conferencing applications.
Kumar, who is IDC Canada’s research director for software and cloud services, says a lot of “mid-market” organizations must suddenly accommodate a lot more employees doing remote work.
“For some of them, it might be the first time that they’re actually working from home,” Kumar says.
She says employers and employees alike have been forced to make some quick decisions but, over time, organizations will establish standards for what’s acceptable and will pick favourites.
Meanwhile, this period of uncertainty, quick decisions and experimentation is an opportunity for criminals to trick people with links or attachments pretending to be invitations to these services.
“That’s always a great formula for the bad guys to be successful,” Young says.
Several experts say that at-home workers should have at least consumer-grade virus-protection software on their personal devices, while organizations should have enterprise-grade software and, where possible, route all communications with employees, customers and vendors through a virtual private network (VPN).
However, they also note that everyone in an organization as well as friends and family at home has to be mindful of the human tendency to act emotionally and reflexively under stress.
“It’s natural to be curious about coronavirus and its implications to our way of life. However, don’t let that curiosity drive you,” Majumdar advises.
Take time to hover a cursor over any attachment or web link, to be see where it will take you. It may also make sense to call the sender or do some research on the web, he says.
“Trust no one,” he says.
“Verify every piece of information you see before you actually go ahead and proceed with your action.”