Gone phishing: why workationers can’t afford to let their defences down this summer

Zscaler is a Business Reporter client.

Armed with an ever-growing arsenal of bait, hackers have gone phishing this summer – many looking to lure unsuspecting ‘workationers’. As the trend for distance working sees more employees mixing business with leisure, organisations will need to double down on cyber-security to thwart increasingly sophisticated social-engineering attacks

A stream of out-of-office messages signal that summer is upon us. And even those unable to log off completely are taking advantage of the rising trend for “workations” – heading off to a holiday spot to work in a more relaxing environment for a while. This flexible take on WFH has given rise to a new acronym: WFB.

“Working from the beach” allowances are an attractive staff-retention benefit in an increasingly competitive jobseekers’ market. And one that many employees are using, with research from Finder UK highlighting that one in five Brits plan to work remotely from another country this year. Unsurprisingly, summer months are a natural choice for booking these workations.

So why should the latest iteration of remote work make employers sit up and take notice? One word: phishing. The Zscaler ThreatLabz 2023 Phishing Report brought us up to speed on what is already the most popular attack vector used by hackers: phishing attacks rose by nearly 50 per cent in 2022 compared with 2021, with every indication that the trend is continuing this year.

This is especially concerning considering WFB staff in a relaxed holiday setting are more inclined to let security hygiene slip and make for easy targets.

For a start, their remote location means there’s no open-office chatter where they might have an opportunity to mention a suspicious request to a colleague or ask for a second opinion before clicking. In a bid to get back to their families as quickly as possible, they may also be trying to rush through tasks with minimal thought.

Another factor raising the risk profile of workationers is that they are more likely to be working from a personal device with weaker security, more routes for attack (such as SMS and WhatsApp), and a smaller screen. The latter leaves less room for users to spot more subtle signs of a scam in text or email-based attacks – an incorrect email-address, for example.

On that note, while we’ve long since learned that, while being offered a large amount of money by a stranger in an unsolicited email is too obviously good to be true, today’s phishing attacks are getting harder and harder to spot. This is the case even when you’re not distracted by scenic surrounds while workationing. And no one is immune, not even those working in cybersecurity…

At the start of this year, one of our sales directors received a phone call that claimed to be from our CEO Jay Chaudhry. Showing his caller picture on screen, the sales director heard Jay say: “Hi, it’s Jay. I need you to do something for me,” before the call cut off. A WhatsApp message continued: “I think I’m having poor network coverage as I am traveling at the moment. Is it okay to text here in the meantime?”

The unusual request that followed was for help moving money to a bank in Singapore. When the sales director approached their manager for guidance, the manager knew something was off and alerted internal investigators. This team quickly discovered that cyber-criminals had reconstituted Jay’s voice from clips of his public remarks to try to steal from the company.

This elaborate example of social engineering, which isn’t a standalone case, highlights the level of sophistication businesses must contend with. Driven by increasingly smarter AI tools, phishing has evolved from less-believable text-based spoofing into incredibly persuasive voice-led attacks, which have been dubbed “vishing”.

Successful vishing requires an understanding of the social dynamics of a targeted company. Hackers know that less senior staff and newer recruits aren’t likely to ignore “urgent” requests from the C-suite. Additionally, top-level executives are interviewed by media and featured in company marketing efforts, meaning their voice is more likely to be out in the public domain. Essentially, the voices of executive team members can be weaponised into the perfect bait.

What do vishers want? Their goal is to lure victims into unwittingly taking actions that defraud their companies or get them to click on malicious attachments that open the door to far more serious threats such as ransomware attacks.

Ransomware is something companies are already fearful of, while phishing doesn’t typically get as much attention. However, it should have businesses worried. Phishing is often used as a form of reconnaissance to help hackers harvest confidential or personal information that is used to pull off bigger targeted attacks down the line, when stolen credentials are sold on the dark web.

It’s a comparatively simple, low-key way for bad actors to gain a small foothold in an organisation, via a single target’s laptop for example. For a price, access to this valuable entry point can then be shared with ransomware groups who would use it to move laterally throughout the larger connected network.

So what should companies be doing to ensure their staff don’t fall victim to phishing scams while they’re “out of the office” this summer season? Adopt a cloud-based, zero-trust network access (ZTNA) strategy that streamlines secure distance working.

A zero-trust architecture significantly reduces the attack surface and helps stop damage from phishing. How so? For example, it prevents data loss by inspecting and protecting data at rest and in motion, and it eliminates lateral movement by malware, preventing compromised assets from infecting other resources. This is because users are connected directly to the apps and resources they need, never to the network itself.

Companies looking to remain attractive in the eyes of increasingly sought-after talent needn’t skimp on security protocols. They must simply evolve their security mindset from a network-centric to user-centric approach with ZTNA. This gives them greater peace of mind when offering work-life balance to employees looking to make the most of their summer.

For more information, visit zscaler.com.