Fear. Uncertainty. Doubt. Cyber criminals are using these tools to target your people with sophisticated COVID-theme social engineering attacks. Jenny Radcliffe shows you how to defend them.

Credit: Tanium

“To make your organization more secure, the answer is, was, and always will be in people.”

Jenny Radcliffe is the Founder and Director of Human-Centered Security, a social-engineering-focused cybersecurity firm. Radcliffe is known as “The People Hacker”. She is hired by organizations to target their staff members with social engineering, and to leverage psychology and emotions to find vulnerabilities in the human side of their operations.

When the pandemic struck, Radcliffe saw malicious actors take advantage of the chaos and leverage pandemic-themed social engineering within their campaigns. Here’s what Radcliffe saw.

Criminals Take Advantage of the Chaos

Radcliffe knew that criminals would see COVID-19 in a different light than most people.

“What you have to understand about something as big as COVID-19, is that criminals are not looking at it the same way the rest of us are looking at it,” explained Radcliffe. “We look at it from a point of view of, ‘Will everyone be ok?’ But criminals are opportunists.”

She was right. As soon as the pandemic struck, and workers were sent home, she saw scammers and con artists rush to take advantage of the situation. Criminals used every possible means of contact to reach their victims. Radcliffe saw a surge in phishing emails, spear phishing emails and smishing texts—all with new pandemic themes that used COVID-19 as a pretext to capture their victims’ attention.

“In COVID-19 they used the narrative of the pandemic—the narrative of fear—to really construct the story behind those approaches, whether they came over the phone, or in person, or whether they come over social media or email,” explained Radcliffe.
Criminals rapidly inserted themselves into the larger narrative of the crisis, and they leveraged the chaos of the moment to get people to take insecure actions.

“Criminals use the fear, the uncertainty, and the doubt—or FUD as we call it in the business—to create this atmosphere of uncertainty in people’s heads,” said Radcliffe. “In that atmosphere it seems easier to click on a link. It seems like an easy way out, and something we can do to get rid of this state of cognitive disarray.”

The pandemic gave criminals the perfect playground to perform these tricks. Their victims lived in a heightened emotional state. They were flooded with communications. They had been separated from their colleagues and security staff. And Radcliffe watched the number of successful scams explode overnight.

Closing Today’s Human-Centered Vulnerabilities

While the initial chaos of the pandemic has calmed down, some things have not changed. Workers are still at home. They are still separated from their colleagues and security staff. And they still don’t know how to fight back against the scammers targeting them.

For organizations looking to better defend their people against this ongoing wave of social engineering attacks, Radcliffe offers a few pieces of advice.

“Going forward the same solutions are true for the pandemic and working from home as they would have been beforehand, it’s just a little more elevated now,” explained Radcliffe. “To make your organization more secure—post, pre, and during this pandemic—the answer is, was, and always will be in people.”

Practically speaking, that means:

Educate Your Staff: Make sure they have been taught what a threat looks like. Common red flags include someone asking them for too much information, or talking about money, or trying to rush them into a decision.
Create Clear Lines of Reporting: Make sure your staff know who to speak to if they encounter a security problem—either they encounter a message that doesn’t look right, or they actually click a link or open an attachment that appears suspicious after the fact.

Remove the Fear of Blame: Make sure your staff know that they won’t be blamed if there’s an issue—even if the source of the issue is traced back to an incorrect action they accidentally took.

To dive deeper into Radcliffe’s story, and to learn more about what happened when the world stayed home, explore world-at-home.tanium.com.