Phishing in troubled waters

Cyber attacks have spiked since the onset of the pandemic. How are organisations dealing with it?

Varsha Meghani
Published: Jun 11, 2020 12:12:58 PM IST
Updated: Jun 11, 2020 01:27:29 PM IST

Image: Chaitanya Dinesh Surpur


An employee working from home receives an email from his human resources (HR) department with the subject line ‘HR release on Aarogya Setu’. In early May, the government said the use of the contact tracing app was mandatory for all public and private sector employees. With this in mind, he unsuspectingly opens the email and clicks the download tab. But instead of being taken to the Aarogya Setu app, he is led to a malicious URL. His laptop is irreversibly locked.

Ransomware, a type of malware that encrypts computer files, is often deployed through links in emails—called phishing attempts. Once it enters a computer network, as in the case of the unsuspecting employee, it starts stealing data. In exchange for a decryption key, the hackers demand a ransom.

The coronavirus pandemic and the sudden shift to remote working for millions of employees have presented cybercrooks with a one-of-a-kind opportunity. So much so that in mid-April, Google reported that in just one week, it saw a whopping 18 million daily malware and phishing emails related to Covid-19, sent via Gmail alone. This is in addition to the 240 million daily Covid-19 related spam messages Google saw.

Closer home, the Indian Computer Emergency Response Team (CERT-In), an agency within the ministry of electronics and information technology that deals with cyber security issues, noted that hackers were exploiting people’s fears around the virus. It warned that precautionary emails appearing to originate from the domain of the World Health Organization (WHO) were actually phishing attempts, as were other emails, SMSes (smishing) or WhatsApp messages (whishing) on topics like ‘relief package’, ‘safety tips during corona’, ‘corona testing kit’, ‘corona vaccine’ and ‘payment and donation during corona’.


Cyber criminals have also been impersonating video conferencing platforms like Zoom, Google Meet and Microsoft Teams. An employee might, for example, receive an email stating, ‘You have been added to a team in Microsoft Teams’. On clicking the tab, she is taken to a malicious URL, which captures her login credentials and personal information.

“India has seen a three-fold rise in cyber attacks since the pandemic. What we’re seeing is unprecedented in terms of the number and kind of attacks,” says Lux Rao, director, solutions and consulting, NTT (India). In its recently launched ‘Global Threat Intelligence Report’, the technology services provider noted that while attack volumes increased across all industries in the wake of the pandemic, the technology and government sectors were the most targeted, globally as well as in India.

So what are organisations doing to beef up their cyber defences? Infosys, for one, has long had a work from home culture. For up to nine days every month, employees are allowed to work remotely. “So we have the security and HR model in place to allow for this,” says Vishal Salvi, chief information security officer (CISO) and head, cyber security practice at Infosys. But they weren’t ready for remote working at this scale, he concedes. Plus they had limited time to prepare for it. In early March, when the extent of the pandemic wasn’t yet clear, Infosys started planning for an “ultimate lockdown” scenario, says Salvi. They acted swiftly and put in place the necessary infrastructure and security to enable work from home for all employees. He says, “The model existed, so we just had to scale it up.”

This included transferring employees’ desktops to their homes and getting permissions from clients to have their work carried out remotely. Importantly, they had to scale and strengthen their virtual private networks or VPNs. In offices, layers of a firewall offer protection from cyber intrusions, but that’s not the case at home. So companies use VPNs to connect to the office servers through a secure, encrypted “tunnel”.

Multi-factor authentication (MFA) also offers an added layer of protection, says Sajan Paul, managing director and country manager, India and SAARC, Juniper Networks—one of the world’s key security players. MFA requires employees logging on to company networks to enter a password and, in addition, use a time-based code, a hardware key or an option selected in a smartphone app. It means an extra step or two, but ensures heightened defences.

Simple measures like ensuring employees’ devices—if they are using their own—have up-to-date anti-virus software installed are also important, as are putting in place stronger passwords, says Paul. “We encourage our employees to update their personal device’s software to the latest version supported under Flipkart’s security policy to ensure optimum security,” says a Flipkart spokesperson.

Despite these security measures, organisations can get caught out. Even the more tech savvy ones. Take for example Cognizant, which in mid-April reported a Maze ransomware attack—a kind that exfiltrates or transfers data from a company to its own servers. To recover the data, the company must pay a ransom. If not, the attackers publish the data online. In a statement, the New Jersey-headquartered IT services provider said, “Our internal security teams, supplemented by leading cyber defence firms are actively taking steps to contain the incident.”

While legal recourse can be sought—in India under the IT Act, 2000—it might be a wasteful exercise. Says Rao, “These are faceless criminals, so who do you take legal action against?”

Instead, the best approach is to have a backup of all data. “Have a backup on the cloud, so in the event of a cyber attack, you can contain the computers that have been hacked,” says Rao. “In fact, just like coronavirus is contained by quarantining those infected, a computer virus is also contained by isolating the computers that have been infiltrated.”

Moreover, education is key. Employees must be made aware of hacking methods. “We tell our employees to be suspicious of unusual emails or messages even if they appear to originate from inside the company,” says Paul. Juniper has created online training modules, including quizzes relating to real-life scenarios, to help employees be more vigilant.

As work from home becomes part of the new normal, cyber security measures will remain in high demand. Says Salvi, “Cyber security has now become mainstream [as a result of the pandemic], even for mid-sized companies. You don’t need to sell the story anymore. We’ve reached a level of maturity and understanding for the demand to step up.”
