The Washington Post

Don’t be that employee: How to avoid ransomware attacks at work

Tips to avoid clicking something bad — and what might happen if you do

July 8, 2021 at 1:33 p.m. EDT
Not all ransomware attacks hinge on security mistakes by employees, but some do. (iStock)

When a security vulnerability at IT software-maker Kaseya led to a ransomware attack that affected 800 to 1,500 businesses, it wasn’t one employee’s fault.

But that’s not always the case.

Ransomware, which locks down a target’s computers and data, can infect a network a few different ways, including through employee accounts. Click the wrong link, open the wrong attachment or log into the wrong website, and you could put your company in a perilous position.

Depending on their roles, some employees find their inboxes flooded with hundreds of phishing emails designed to steal the recipient’s credentials, says Ryan Kalember, executive vice president of cybersecurity strategy at security firm Proofpoint. That requires constant attention, especially as ransomware attacks become more frequent and their demands more intense. The average ransomware payment has nearly tripled so far in 2021 compared to last year, with targets doling out about $850,000, according to a report by Palo Alto Networks.

“If you have a word like ‘accounts’ in your title, you will be attacked more,” Kalember says.

And that doesn’t mean others should let their guards down. Plenty of firms don’t have the resources to invest in frequent training, software upgrades and security systems — so employees become the first line of defense.

Luckily, conning people is an ancient art, and ransomware groups aren’t breaking new ground. Phishing emails aim for an emotional reaction, says Palo Alto Networks Deputy Director of Threat Intelligence Jen Miller-Osborn. These messages pull busy employees in with promises of money, important company secrets and even cute animal pictures.

Keep an eye out for these phishing red flags to avoid ransomware and cover your behind.


Tempting clicks

Often, bad actors trick employees by using websites, URLs and email addresses that are just a letter or two off from their legitimate counterparts. For example, BigBossCEO@Company.com becomes B1gB0ssCEO@Company.com. If an email looks suspicious, hunting for alternate spellings is a good first line of defense.
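The look-alike addresses described above can also be caught mechanically, before a busy employee has to spot them. The following is an added example, not code from the Post’s article or from any of the firms quoted in it: a small Python check that a mail gateway or help-desk tool could run on the From: header. It folds commonly substituted characters (“0” for “o”, “1” for “l”, “rn” for “m”) back onto letters and then measures how many single-character edits separate the sender from each address in a known directory, flagging anything within two edits as a look-alike. The directory, the internal domains, the sample headers and the function names are this example’s own assumptions.

```python
"""Flag sender addresses that are a character or two off a known one.

Added example, not from the article: a check a mail gateway or help-desk
tool could run on the From: header to surface look-alike senders. The
address directory, internal domains and messages below are constructed
for illustration; the function names are this example's own.
"""
from email.utils import parseaddr

# Digits and symbols attackers commonly swap in for similar-looking letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "8": "b", "|": "l", "!": "i"})


def normalize(address: str) -> str:
    """Lower-case an address and fold look-alike characters back onto letters."""
    folded = address.strip().lower().translate(HOMOGLYPHS)
    # Two-letter pairs that mimic a single letter ("rn" for "m", "vv" for "w").
    return folded.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete
                           cur[j - 1] + 1,              # insert
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_sender(from_header, known_addresses, internal_domains, max_distance=2):
    """Return "internal", "lookalike", "external" or "invalid" for a From: header."""
    _, raw = parseaddr(from_header)
    raw = raw.lower()
    if "@" not in raw:
        return "invalid"
    known = [k.lower() for k in known_addresses]
    if raw in known:
        return "internal"                      # exact match with the directory
    folded = normalize(raw)
    for k in known:
        if edit_distance(folded, normalize(k)) <= max_distance:
            return "lookalike"                 # e.g. B1gB0ssCEO for BigBossCEO
    raw_domain = raw.rpartition("@")[2]
    if raw_domain in internal_domains:
        return "internal"                      # colleague not in the directory
    folded_domain = folded.rpartition("@")[2]
    for d in internal_domains:
        if edit_distance(folded_domain, normalize(d)) <= 1:
            return "lookalike"                 # cousin domain such as company.co
    return "external"


# Constructed directory and sample headers (not real addresses).
KNOWN_ADDRESSES = ["BigBossCEO@Company.com", "payroll@company.com"]
INTERNAL_DOMAINS = ["company.com"]

SAMPLES = [
    "BigBossCEO@Company.com",
    "Big Boss <B1gB0ssCEO@Company.com>",
    "payroll@cornpany.com",
    "IT Help <it-helpdesk@company.co>",
    "cfo@company.com",
    "newsletter@example.org",
]


def classify_samples():
    """Classify every constructed sample header."""
    return {s: classify_sender(s, KNOWN_ADDRESSES, INTERNAL_DOMAINS) for s in SAMPLES}


if __name__ == "__main__":
    for header, verdict in classify_samples().items():
        print(f"{verdict:10} {header}")
```

A check like this is a warning signal, not a blocking rule: a legitimate colleague whose address differs from a director’s by one character would also be flagged, so the sensible deployment is a banner on the message plus a prompt to verify through another channel, which is what the article recommends anyway.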

If an email arrives promising a bonus you didn’t know you were receiving, you probably aren’t receiving it. Hackers use whatever is most likely to get clicks, so get familiar with some classic phishing lures, like an “accidental” email from HR with an attachment titled “Companywide salaries.” Fake Amazon gift cards and DocuSign links are also popular, says Peter Quach, director of client relations at security firm Polito.

Excitement compels people to click, but so does anxiety. Palo Alto Networks’ Miller-Osborn has seen plenty of pandemic-related phishing emails encouraging people to sign up for limited vaccine appointments. “Your Amazon package has been delayed” is another favorite.

Hackers also prey on people’s tendency to defer to authority. Fake emails from CEOs or senior executives asking for account credentials — or wire transfers — are a common tactic.

“ ‘This is an emergency. I need you to send it. But you can’t tell anybody because it’s a very secret project, and I only trust you.’ Using the typical con tactics to make you feel like, ‘Okay, I’m in on something really special,’ ” says Allan Liska, a senior threat analyst at cybersecurity firm Recorded Future.

Be aware of social media, file-sharing tools and email marketing

LinkedIn, Microsoft Office 365, Google’s G Suite and Dropbox have all been home to messages containing ransomware. Proofpoint’s research found a spike in malicious messages sent or hosted by Google in the first quarter of 2021, compared to 2020. Google says it’s working on technology to better filter outbound phishing messages from Gmail accounts and people could see improvements during the next year. For comparison, Google says it successfully filters 99.9 percent of inbound phishing messages to Gmail accounts.

Phishing attempts also may disguise themselves among the mountains of emails brands send to people on their marketing lists. Like real email promotions, the subject lines are often tied to current events, Liska says. So, if you get an email from what looks to be Coca-Cola promising you a free beverage to celebrate the upcoming Olympics, look out for funky links and attachments.

Written messages aren’t the only way to compromise a network. Cybercriminals might also just pick up the phone, pose as a colleague and ask you for account information. Always authenticate requests through another channel, or check with IT.


What if you’ve already opened a phishing link or attachment?

You might feel tempted to pretend like nothing happened and hope no one notices. But don’t do that.

“That is often the first reaction, and it is not ideal,” Kalember says. “When you fall for something, the attacker still has some window of time where they have to figure out what they’ve just got and whether it’s even worth taking advantage of.”

That gap — or dwell time, in industry lingo — is incredibly valuable for your company’s IT team. If you report what happened right away, odds are you’re in line with your company’s security policies and have little to worry about. Phishing emails are common, and it’s tough to expect employees to get it right 100 percent of the time.

But if you brush the incident under the rug, it could come back to haunt you. When ransomware attackers use phishing to access company networks, they do so through a compromised employee account. By reporting your encounter with a phishing email, you distance yourself from any subsequent malicious activity coming from your accounts.

As far as repercussions for clicking on malicious links and attachments — and potentially opening up the company to ransomware — things get stickier. If the company hasn’t taken steps to train employees and protect its network, it’s tough to pin an attack on any one employee, Quach says. When that kind of scapegoating does happen, it’s usually reserved for high-level executives or IT professionals.

But employees being fired for bad security practices — or one-off mistakes — isn’t unheard of. An employee of Glasgow-based Peebles Media Group was terminated and sued by the company after falling for a phishing email and sending more than $250,000 to cybercriminals, BBC reported.

Fortunately, that’s rare. Companies want to incentivize employees to report malicious emails and security mistakes, and if there are any consequences, it might look more like attending extra training or losing administrative privileges on your device. (Although Kalember spoke of one particularly click-happy employee being reassigned to a role with limited access to company data and finances.)

Keep a copy of your IT team’s email address somewhere easy to find, and contact the team if something seems fishy. Don’t delete the email you clicked on, and don’t unplug your computer or turn off WiFi.


Wait — why is this my problem?

Great question. It probably shouldn’t be.

As ransomware attacks become a bigger global threat, it’s up to companies to protect employees from the burden of filtering out bad emails, Kalember says. And, broadly, that’s not happening.

Here’s how employers can help individuals guard against phishing and ransomware:

Train employees to spot phishing attempts.

Employees need frequent training to keep up with the evolving format and content of phishing emails. One study from a few German universities found employees’ ability to identify phishing attempts drops just six months after their initial training, and that video and interactive training courses are most effective.

Authenticate your corporate email domain.

This blocks the delivery of messages from fraudsters pretending to be a member of your organization. Check with your email service provider, like Microsoft Outlook or Google, to get started. You should also attach warnings to emails coming from external senders or containing links or attachments — both Outlook and Gmail offer this feature.
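The article does not name the mechanism behind “authenticate your corporate email domain”; in practice it is DMARC (RFC 7489), a DNS record that tells receiving mail servers what to do with a message claiming to be from your domain when neither SPF nor DKIM vouches for it. The following is an added example, not code from the article or from any email provider: a simplified Python evaluator that parses a DMARC record and decides a message’s fate, run against a weak monitoring-only record (p=none) and a hardened one (p=reject with strict alignment). The company.example domain, the records and the three sample messages are constructed; organizational domains are approximated by the last two labels, whereas real receivers consult the Public Suffix List.

```python
"""Evaluate a domain's DMARC policy against an inbound message.

Added example, not from the article: the article says to "authenticate your
corporate email domain"; the standard mechanism is DMARC (RFC 7489), which
builds on SPF and DKIM results. This is a simplified evaluator, assumed for
illustration: organizational domains are approximated by the last two labels
(real receivers use the Public Suffix List), and the records and messages
below are constructed.
"""


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {"adkim": "r", "aspf": "r"}          # RFC defaults: relaxed alignment
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Approximate the organizational domain (mail.company.example -> company.example)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record: str, from_domain: str, spf=None, dkim=None) -> str:
    """Return 'pass' or the policy action ('none', 'quarantine', 'reject').

    spf  = (result, domain from MAIL FROM), e.g. ("pass", "mail.company.example")
    dkim = (result, d= tag of the verified signature), e.g. ("pass", "company.example")
    """
    policy = parse_dmarc(record)
    spf_ok = spf is not None and spf[0] == "pass" and aligned(spf[1], from_domain, policy["aspf"])
    dkim_ok = dkim is not None and dkim[0] == "pass" and aligned(dkim[1], from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return policy["p"]


# Constructed records for a hypothetical company.example domain.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@company.example"
STRONG_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@company.example"

# A spoof: From: claims company.example, but SPF only passes for the sender's own domain.
SPOOF = dict(from_domain="company.example", spf=("pass", "attacker.example"), dkim=None)
# Legitimate mail, DKIM-signed by the company's own domain.
LEGIT = dict(from_domain="company.example", spf=("fail", "company.example"),
             dkim=("pass", "company.example"))
# Mail signed by a subdomain (say, a ticketing system) with no SPF pass.
SUBDOMAIN = dict(from_domain="company.example", spf=None, dkim=("pass", "mail.company.example"))


def compare_policies():
    """Disposition of each sample message under the weak and the strong record."""
    results = {}
    for name, msg in (("spoof", SPOOF), ("legit", LEGIT), ("subdomain", SUBDOMAIN)):
        results[name] = (dmarc_disposition(WEAK_RECORD, **msg),
                         dmarc_disposition(STRONG_RECORD, **msg))
    return results


if __name__ == "__main__":
    for name, (weak, strong) in compare_policies().items():
        print(f"{name:10} p=none -> {weak:6}  p=reject/strict -> {strong}")
```

The monitoring-only record is where most organizations start, and the spoof case shows its limit: with p=none the receiver still delivers the forged message and only sends a report. Moving to p=reject is what actually blocks impersonation, but the subdomain case shows the caveat: strict alignment also rejects your own mail from systems that sign with a subdomain until those systems are configured to align, which is why providers recommend reading the aggregate reports before tightening the policy.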

Clarify what employees should do if they click a suspicious link or attachment.

If people are afraid to report or don’t know how, they probably won’t do it. Make sure reporting procedures are outlined in your company’s security policy. Kalember recommended automated reporting, which lets employees report malicious email with the click of a button.

Leave room for human error.

Somebody is always going to open the phishing email promising adorable kitten pictures. So consider hedging your bets with anti-phishing technology like remote browsers, in which URLs open not in a traditional browser, but in a special environment in the cloud that disappears as soon as you’re done with it. That way, no matter what the URL contains, it can’t compromise the employee.

Conduct ongoing security testing.

Attackers use malicious files and compromised business email accounts to install ransomware on company computers and networks, but software vulnerabilities are another way in. Your company’s IT team — or a third party — should be actively looking for threats on your network.