Social engineering threats during the health pandemic

by John Hay

20 May 2020

The current COVID-19 pandemic has much of the workforce and pretty much all students working and studying from home. This, coupled with travel restrictions and stay-at-home orders in many jurisdictions, has most of society restricted to their residences.

Many are increasingly seeking entertainment and a means to socialize with family and friends they can’t visit in person. When people get bored, they tend to turn to the internet and specifically to social media. Boredom and the feeling of safety and comfort within their home can create an environment ripe for lax security practices and poor cyber-hygiene.

Working from home

It’s also important to note that many workers may have their company-owned laptops, tablets, and other equipment with them at home, connected remotely to their company’s network and servers. They may be using these work devices on social media while not subject to the same supervision that they would be in their office. Many may feel safe using company equipment for personal use while working from the comfort of their home and without a manager nearby. This presents additional security concerns.

Some users may forget to follow, or not be aware of, company security policies when not in the office.

Social engineering ‘games’

All too frequently, questions are passed around on social media inviting friends and family to engage in the ‘game’ of answering personal questions. These are marketed as a means of getting to know one another better, to learn new things about your friends and to pass time. Unfortunately, these games can carry unforeseen risks. Providing truthful answers to questions such as current occupation, favorite pet, first job, favorite food and first car provides a lot of information that can be used against you. Spammers can send unwelcome invitations they believe you would be interested in based on these answers. Attackers engaged in phishing campaigns can send targeted phishing emails tricking you into clicking on malicious links and attachments. Threat actors collect this data to aid in obtaining passwords and answering security questions.

This information, combined with other data available about each of us on the internet, exposes us to a greater risk of being victimized.

Protect your information

These questions that are passed around on social media are a form of social engineering, and those forwarding requests to play these games don’t realize they are facilitating the misuse of this information. You can be tricked into providing information that could put you and your account credentials at risk. Threat groups collect this information and can use it to further their illicit business objectives, whatever those may be, whether using the information themselves, offering it for sale via illicit online forums (the dark web) or selling it to other threat groups. Any of these can raise your risk of becoming the victim of identity theft and other financial crimes, as well as placing your personal and work accounts at risk.

It’s a sad fact that scams, threats and other malicious activity increase during times of crisis. Those who seek to prey on the public will take advantage of those perceived to be vulnerable to attack. Remain vigilant and practice good cyber-hygiene to reduce the risk of becoming a victim and help protect those around you.

John Hay

Senior Incident Response Analyst