With much of Calgary’s workforce now confined to their homes and working remotely, much has changed in the way organizations are handling their day-to-day business. Zoom calls are the new board meetings. Instant messaging is the new chit chat at the water cooler. And cloud-based storage and collaboration is the way most daily work gets done.
With this in mind, it makes sense that cybersecurity should have changed too. Unfortunately, many organizations that CTECH Consulting Group speaks with aren’t up-to-date on the new ways that hackers are targeting their victims. Recently, Microsoft warned its users to protect against new kinds of cyberattacks — namely, something called consent phishing.
What Is Phishing?
Before we launch into what consent phishing is, let’s talk about general phishing attacks for a moment.
Phishing is a criminal scheme used by hackers to obtain login credentials, personal and financial data, and other information from victims who work online. These victims may be individuals, companies of any size or industry, and even schools and government agencies. Anyone can become the victim of a phishing campaign.
Traditional phishing campaigns generally see the cybercriminal posing as a company or individual that the target trusts. If you’re the target, this may be your friend, a co-worker, your boss, your personal bank, or your credit card company. For example, you might receive an email from your financial institution that says your account has been hacked, and you need to confirm your login and password in order to protect your assets.
It’s amazing how realistic hackers can make these emails look. Many people succumb to them, thinking they are real and doing what the instructions tell them to do. This, unfortunately, is how hackers gain access to your sensitive data and/or steal directly from you.
What Is Consent Phishing?
Consent phishing is slightly different than traditional phishing in that it spurs the user to freely hand over login credentials through authorization within an app.
In a consent phishing attack, an individual will be prompted to allow an app (a malicious/fake one) to access their personal information.
To this, many people will say: “I would never let a random application have access to my personal data.” While this is a good point, hackers are extremely tricky in their schemes to get this prompt in front of you. First off, says Microsoft, “The app is configured in a way that makes it seem trustworthy, like using the name of a popular product used in the same ecosystem.” Next, traditional phishing methods will be used to get you to click on the app link. Or, you might even get there from a non-malicious website that you normally trust, but that has been compromised.
Once the prompt is in front of the user, it just takes one click or tap to grant the app permissions to access your data. Microsoft says that “If the user accepts, the attacker can gain access to their mail, forwarding rules, files, contacts, notes, profile, and other sensitive data and resources.”
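A defender-side illustration of the paragraph above, added here and not taken from Microsoft or CTECH: it triages a list of app consent grants for the signs described (a borrowed product name, and permissions covering the data Microsoft lists). The scope names are Microsoft Graph delegated permissions; the record fields, product list, threshold and sample records are assumptions constructed for the example.

```python
# Added example: triage OAuth consent grants for consent-phishing signs.
# Record fields (app_name, publisher_verified, scopes, user) are assumed
# for illustration and are not a real export schema.

# Microsoft Graph delegated permissions mapped to the data Microsoft lists.
RISKY_SCOPES = {
    "Mail.Read": "mail", "Mail.ReadWrite": "mail",
    "MailboxSettings.ReadWrite": "forwarding rules",
    "Files.Read.All": "files", "Files.ReadWrite.All": "files",
    "Contacts.Read": "contacts", "Notes.Read.All": "notes",
}
# Constructed list of popular product names a fake app might borrow.
KNOWN_PRODUCTS = ("office", "onedrive", "outlook", "teams", "sharepoint")


def triage_grant(grant):
    """Return (score, reasons) for one consent grant record."""
    reasons = []
    scopes = set(grant["scopes"])
    exposed = sorted({RISKY_SCOPES[s] for s in scopes if s in RISKY_SCOPES})
    if exposed:
        reasons.append("exposes " + ", ".join(exposed))
    if exposed and "offline_access" in scopes:
        reasons.append("refresh tokens allow long-lived access (offline_access)")
    if not grant["publisher_verified"]:
        reasons.append("publisher not verified")
        if any(p in grant["app_name"].lower() for p in KNOWN_PRODUCTS):
            reasons.append("unverified app borrows a popular product name")
    return len(reasons), reasons


def review(grants, threshold=3):
    """Return (score, app, user, reasons) for grants at/above threshold."""
    flagged = []
    for g in grants:
        score, reasons = triage_grant(g)
        if score >= threshold:
            flagged.append((score, g["app_name"], g["user"], reasons))
    return sorted(flagged, key=lambda item: -item[0])


# Constructed sample records.
SAMPLE_GRANTS = [
    {"app_name": "OneDrive Secure Viewer", "publisher_verified": False,
     "user": "alice@example.com", "scopes": [
         "Mail.Read", "MailboxSettings.ReadWrite", "Files.Read.All", "offline_access"]},
    {"app_name": "Contoso Expense Tool", "publisher_verified": True,
     "user": "bob@example.com", "scopes": ["User.Read", "Files.Read.All"]},
    {"app_name": "Calendar Helper", "publisher_verified": False,
     "user": "carol@example.com", "scopes": ["User.Read"]},
]
```

Calling review(SAMPLE_GRANTS) returns only the first record, which should be reviewed and, if unrecognized, have its consent revoked.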
Why Is the Risk of Consent Phishing So High Right Now?
Consent phishing is an especially popular scheme among hackers right now because so many workers are accessing their companies’ sensitive data from home, on personal devices.
Right off the bat, that’s dangerous. Personal devices usually don’t have the cybersecurity features that at-work computers and other devices do. This means there are not only no built-in protections that will flag compromised websites, emails, and apps as dangerous, but also no measures to block adware, ransomware, and other malicious software. In addition to devices and programs being vulnerable, the Internet connections being used (both Wi-Fi and personal data) are usually unprotected as well.
How Can My Organization Mitigate the Risk of a Cyber Attack During the Pandemic?
Traditional phishing schemes and now consent phishing schemes are real threats to your business, and they can happen at any time. Again, any business or organization — no matter what industry you’re in, what your worth is, who your customers and clients are, or how many employees you have — is at risk of being attacked by cybercriminals.
The absolute best way to keep your company protected is to work closely with a managed services provider with extensive experience in cybersecurity. They will be able to provide you with concrete measures you can take to mitigate your risks and keep your company and data protected. Many cybersecurity professionals can even provide you with protective programs and other measures that will extend to remote workers and their at-home devices and Internet connections as well. This is key right now as most of the workforce will be working from home indefinitely.
Speak to your managed services provider today for more information on keeping your organization protected from cyber attacks.