The sudden and unprecedented migration to remote-working has made email scams the most lucrative weapon of cybercriminals.

As enterprises in the region scramble to procure IT infrastructure in a bid to improve telecommuting measures amidst the COVID-19 pandemic, the outbreak has created a new wave of bigger challenges. Following measures to contain the virus spread in Southeast Asian (SE Asia) countries, cybercriminals have been increasingly taking advantage of remote-working schemes and increased online activity, rendering enterprises in the region more susceptible to cyberattacks.

Scammers have been increasingly trying to spread malware, intercept data and make money, hiding malware in attachments, links, and download options. These scams include ‘official’ information about COVID-19 in the form of a newsletter subscription, in an email attachment, or as a download option; offers for products in high demand such as respiratory masks, COVID-19 self-tests, and tracking apps; and security updates for the home office, among others.

If the scam goes undetected, anyone falling for it can paralyze not only one computer but, in a worst-case scenario, bring down the enterprise’s entire IT infrastructure.

The cost of poor email security

Given the ease and convenience of instantly sharing data with multiple recipients across the world, enterprises have been leveraging email as the primary channel for communicating internally and externally. However, relying significantly on email communication can make companies highly vulnerable to threats—especially with the surge in ransomware and malware proliferated through email amidst the fear and anxiety about the pandemic.

In recent years, there has been an alarming uptick in Business Email Compromise (BEC) scams across SE Asia. From January to September 2019, Singapore alone lost a minimum of S$32 million in revenue as a result of reported BEC scams. These incidents involved scammers hacking and spoofing email accounts, possibly to trick recipients into sending transfers to the scammers’ bank accounts, or to request confidential information the scammers can use to their own advantage.

In some cases, BEC attacks can be highly sophisticated as scammers know who to specifically target in the organization. They may pretend to be managers and urge their employees to transfer money due to an emergency situation. These emails usually instruct employees to make the transfer urgently and to keep the request confidential.

Stepping up the enterprise email security game

Early detection of malicious content in emails is key to ensuring that enterprises do not fall prey to email scams, including BEC. Given that a large enterprise structure may not have clarity on reporting lines, it is important to put a proper system in place with the necessary technical capabilities for verifying sender authenticity.

To beat cybercriminals’ increasingly sophisticated social engineering tactics, it is recommended to invest in email security tools offering sophisticated email header analysis and specialized algorithms for detecting email spoofing. These would allow businesses to recognize technical irregularities in email headers and serve as an additional security guardrail that can prevent victims from being fooled with customized messages that are difficult to distinguish from legitimate emails.
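The kind of header irregularities such tools look for can be sketched in a few lines of Python. This is an added illustration, not part of the original article or any vendor's product; the two messages, the example.com and example.net domains, and the finding labels are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def _domain(header_value):
    """Lower-cased domain of the address in a header value, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def header_findings(raw_message):
    """List header irregularities that often accompany spoofed or BEC mail."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom = _domain(msg.get("From"))
    # Replies silently routed to another domain are a classic BEC trait.
    reply_dom = _domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-domain-mismatch")
    # Envelope sender differing from From is a weak signal on its own
    # (legitimate bulk senders do this), so treat it as supporting evidence.
    path_dom = _domain(msg.get("Return-Path"))
    if path_dom and path_dom != from_dom:
        findings.append("return-path-domain-mismatch")
    # Only trust an Authentication-Results header stamped by your own
    # receiving mail server; a sender can forge this header too.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth, re.I)
        result = m.group(1).lower() if m else "missing"
        if result != "pass":
            findings.append(f"{mech}={result}")
    return findings

# Constructed sample: "manager" asks for an urgent, confidential transfer.
SPOOFED = """\
From: "Managing Director" <md@example.com>
Reply-To: md.office@example.net
Return-Path: <bounce@example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.net; dkim=none; dmarc=fail header.from=example.com
Subject: Urgent and confidential transfer

Please process this today and keep it between us.
"""

# Constructed sample: ordinary internal mail that authenticates cleanly.
LEGIT = """\
From: "Accounts" <accounts@example.com>
Return-Path: <accounts@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Subject: Monthly statement

Statement attached.
"""

if __name__ == "__main__":
    print(header_findings(SPOOFED))
    print(header_findings(LEGIT))
```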

Modern email security solutions offer sandboxing features, which allow the testing of dubious attachments in virtual test environments through simulation procedures before these are even delivered to recipients. Anti-virus systems then neutralize the documents in question upon detection. Meanwhile, digital fingerprints allow businesses to search for further potential breaches, which can in turn inform the actions they undertake.

Staff cyber vigilance is crucial

With 91% of all email-related security breaches emanating from poor cyber hygiene, never has it been more pressing to adopt good practices and invest in solutions that will improve support for remote-working environments. Beyond investing in email security tools, however, it is likewise paramount that enterprises in SE Asia focus on keeping remote-working employees informed so they can be more vigilant in differentiating phishing emails from valid email requests.

For instance, employees should be trained to refrain from clicking on links in suspicious emails, and from opening or downloading their attachments. As they continue working in their home offices, employees should also be well-versed in certain guidelines, including not replying to or forwarding suspicious emails, and not entering their usernames, passwords, or other personal data on websites that look suspicious.

Given the economic implications of COVID-19, enterprises across the region cannot afford to face additional financial losses due to cybercrime. Having a proper cybersecurity system in place is important now more than ever, and the onus is on company leaders to ensure that employees across the organization have the necessary support and knowledge to prevent the occurrence of cybercrime during this critical period.