At the time of writing we are heading into Christmas, we’ve just started the traffic light system, we are getting our vaccine passports, and there are new variants of Covid spreading. Spammers and scammers take advantage of events like these (and the confusion and anxiety that come with them) to rip us off. So do something about it before the spam hits!
If you watch the security news like I do, you’ll know that spammers and phishing gangs quickly adapt their messages and techniques to the latest events. Because their whole modus operandi is to take advantage of fear, people’s better impulses and the urgency of disasters, they quickly seize the opportunity when events occur that generate any of these moods in the public. They change what the message is about, they change the appeals (this one is fear, this one is our charitable impulses), but they don’t fundamentally change what they are after: money, identity information, credentials.
In the aftermath of the Christchurch massacre spammers sent emails pretending to be from charities requesting urgent funding. When the US government announced a programme of Covid-19 financial aid, spammers sent emails pretending to be from the government with links to apply for assistance: just provide all your identity details and you’d get your money…oops no you wouldn’t! Every Christmas there are parcel collection scams.
Most organisations I’ve been part of see these messages (usually from diligent staff reporting them) and then issue reactive comms: “We’ve seen spammers sending emails about this: beware!”
But why do they wait? We all know that this will happen after a major event. So be proactive. Use our common sense. Warn our people before they get the first email, before the first person clicks on that link. When we get the message out before the bad guys do, we cut down the chance that someone will be fooled by the first email and we cut down the chance that our people or our organisation will suffer.
It is easier if you have some things in place that you can quickly turn to when one of these events occurs. Here are some things that I do, and that you might find useful too:
- Have an action plan in place. Know what you will do when a major event happens.
- Have templated comms ready. Something that you can update for the specific circumstances. A blog post ready to go. An intranet news article, an all-staff email. Coordinate this with any messaging or actions that your service desk or frontline staff will need.
- Know which channels you are going to use.
- Know who is going to send which messages.
- Tailor the advice to the specific event – don’t just send generic advice about spam and phishing.
- Remind staff of previous advice and training (what they’ve been told in awareness courses, other campaigns).
- Be aware that many of these campaigns will be aimed at staff from a personal perspective (they won’t just be looking to gain enterprise credentials, they may be trying to get personal credentials, or scam money off staff). While this isn’t our accountability, show some compassion, and maybe win some brownie points.
Do some of these things and you might just get ahead of the scammers – at least this time.