Phishing attempts versus SMBs climb 56% in Q1 amid COVID-19 pandemic
Phishing attempts against small and medium businesses (SMBs) forming the backbone of Southeast Asian (SEA) economies surged 56% in the first quarter of 2020, worsening as most people resorted to Work From Home arrangements, according to Kaspersky data.
The Philippines alone registered around 80,000 fraudulent emails, almost triple the 29,677 recorded in the same period last year.
Cybercriminals targeted companies with 50-250 employees and made 834,993 phishing attempts against them in the first three months of 2020.
Phishing is one of the most flexible types of social engineering attack, as it can be disguised in many ways and used for different purposes.
Social engineering attacks, or tricking the mind, exploit human emotions to victimize users online.
Cybercriminals are also incorporating topics and “hot phrases” related to COVID-19 into their content, boosting the chances of their infected links or malicious attachments getting opened.
The damage of this online crime ranges from hacked companies’ networks to stolen confidential data like personally identifiable information (PII), financial credentials, and even corporate secrets.
Phishing attacks, particularly those carrying a malicious link or attachment, are commonly used as launch pads for targeted attacks on organizations, as in the case of the $81-million Bangladesh Bank heist.
In terms of per-country statistics, all six countries in SEA registered an increased number of fraudulent emails blocked by Kaspersky in the first quarter.
“The financial toll combined with the urgent need to adapt to a forced remote working arrangement without enough preparation put the IT security of SMBs on the edge. At the same time, cybercriminals are piggybacking on the current chaos to increase their attacks through social engineering tactics like phishing,” noted Yeo Siang Tiong, General Manager for Southeast Asia at Kaspersky.
Kaspersky experts suggest several tips for SMBs to avoid being lured by cybercriminals through phishing.
First, they should teach employees the basics of cybersecurity.
For example, employees should not open or store files from unknown emails or websites, as these could be harmful to the whole company, and should not use any personal details in their passwords.
To ensure passwords are strong, staff shouldn’t use their name, birthday, street address or other personal information in them.
Second, they should regularly remind staff how to handle sensitive data: for example, store it in trusted cloud services that require authentication for access, and never share it with untrusted third parties.
Third, enforce the use of legitimate software, downloaded from official sources.