While changes to work arrangements and anxiety about the rapidly changing situation across the world present challenges, some people who wish to profit from others’ troubles have seen opportunities to take advantage of the situation to break into computers and steal private data. This behavior is reprehensible, but fortunately we can all still practice good habits to keep our computers and data safe from those who would try to steal it.  Since criminals are trying to trick those they target into opening dangerous files or installing software, we can be aware of these tricks and not fall for them. The types of attacks are not new; only the pretext stories used to trick people have adapted to world events. Look out for scams that offer work from home, fake applications to receive unemployment or government stimulus checks, and any email that appears to come from the CDC.

If possible, only use a company-provided computer to log in to your corporate resources. Companies with strong security programs or a third-party security provider will have installed endpoint monitoring software on company-owned computers and will monitor for any suspicious events that happen on those computers to keep them safe and quickly detect attempted attacks before they can cause widespread damage. On whatever computer you use, be sure to have an anti-virus program installed and up to date. Install all of the software updates that are available for your software, especially email and web browsers. Most of these updates fix security problems that, if you leave them unfixed, can allow an attacker to take advantage of the security flaws to gain control of your computer and steal information. Check the router (the box from your internet service provider that connects to the outside line) to see if security updates are available and install those.

As always, be cautious with any email sent directly to you that has an attachment or links to download a file. Email is the most common way that attackers target potential victims to compromise computers. Most often, the attacks that we see use a Word or Excel file that will run malware if the “Enable Content” button is pressed. The attacker will try to convince the recipient to click that button, so any message you receive that makes a big effort to convince you to click “Enable Content” should raise red flags. The other most common technique we see is for a malicious executable (.exe) file to be hidden inside a zip file. Be careful not to double-click files inside a zip file, especially if the file extension is .exe, .bat, .vbs, .vbe, or .ps1. All of those files can run harmful code on your computer and give an attacker remote control of your files.

One best practice is to use chat or a phone call to verify any strange-sounding instructions received over email before carrying them out. Attackers may send email to employees at a company they are targeting stating that a new procedure is about to be implemented for payroll that requires all employees to re-enter their bank information in a new website, or log in to a new website with their corporate account password to set up some new service. If it seems a little strange, use chat or a phone call to quickly bring it to your manager’s attention so that if it is a trick, other employees can be notified not to fall for it. Don’t reply to the suspicious email to check if it is legitimate. Watch out for email messages that come from outside your company but use a display name or similar email address to make it appear that they are from inside your company.

Carefully check the address of any website that appears to have an Office 365 login page. We often see fake login pages that look very convincing, but they are set up on websites that are not operated by Microsoft and a careful check of the website address is the only clue that reveals the trick.

If you have been tricked into giving up a password, inform your IT team right away and ask them to help you reset your password. Attackers can be quick to make use of stolen passwords, so prompt notification is the best way to cut their access short and mitigate any harm that they may have already started.

Don’t install apps on your phone that you downloaded from a website or received links to in an email or text message. Go to the app store (for iPhones) or Google Play (for Android) to find well-reviewed apps. The iPhone won’t even allow you to install apps from other sources (unless it is jailbroken) because they can be so dangerous. Malicious mobile apps can steal passwords, private photos and documents, listen in on conversations and calls, or lock up your phone to demand a ransom.

Cybersecurity can seem confusing and difficult, but you don’t have to understand everything about it to practice safe habits and keep your company’s data safe. Being aware of the tricks that attackers try and thinking twice before opening attachments or clicking links from email goes a long way to protecting computers whether they are remote or in the office. If your company has an IT Security team or a security service provider that watches over all the company’s computers around the clock, you can feel even more confident that attempted attacks will be quickly detected and stopped.