According to numerous recent reports (and borne out by our own experience over the past few months), the incidence of hacking and phishing attacks on websites and workers has increased by as much as 6-fold since the onset of the global pandemic. According to the Information Security Group, hacking attempts are up 37% month on month, and there has been a 600% increase in incidents of phishing since February.
Hackers are also using interest in the virus to deliver malware via false or misleading domains and content (by directing people to sites which install malicious code on their devices), fuelled by a 17% increase in overall internet use reported by Cloudflare as people are urged to stay indoors and work from home.
Fortunately, the only incidents we’ve had to cope with ourselves are the more traditional tricks like injecting hidden content and subverting links in order to point them to…questionable…sites, which has always been a black-hat tactic that seems rather outdated these days, with Google being much better at detecting the relevance of links. (I guess the people who make use of that sort of “SEO” are not well informed about advances which limit their effectiveness, and the people who sell them the service are certainly not going to point out that it doesn’t actually work to get rankings.)
However, knowing that it is unlikely to help their SEO is cold comfort when all your website links suddenly point to sites selling counterfeit designer goods, for example. And while we take all possible precautions that can be taken without incurring additional costs for our website clients, there are very few systems, even at the highest end, that are “impenetrable,” given time and motivation on the part of the attacker.
If you’re concerned about the security of your site, or have a need for increased security, then our own go-to paid solution is the Wordfence Premium plug-in, which provides a wide range of real-time features and malware signature scanning to reduce the chances of a successful attack as far as possible, at US$99 per site per year.
If you are making use of credit card facilities on your site, then we highly recommend considering it, but even for sales sites, being hacked can have a negative effect on both SEO and the user experience, so it really is worth it for everybody.
Another form of hacking, so-called phishing attacks, is part of what’s known as social engineering, which is not a code-based attack but one targeted at the people in an organisation. This can include elaborate fake sites designed to harvest user names and passwords, or phone calls in which hackers impersonate people who can request your access details, amongst many others.
It is seen by many as the easiest form of hacking, because once an attacker has legitimate credentials, they can do whatever those access rights allow without difficulty. Obtaining low-level credentials is usually a step towards obtaining higher levels of access and either causing damage or taking over the system entirely.
It’s not possible to prevent these by any physical type of website precaution, but keep in mind the importance of educating your staff about protecting the security of their access details, and put steps in place that will make any unauthorised request stand out as an obvious fake (confirming requests in person, verifying the identity of the person requesting access, etc.). Not to mention the age-old rule of not opening attachments or clicking on links from strange, unknown or suspicious senders.
There’s an old adage in computer circles that the only way ever to be completely secure online is never to go online. And indeed, much of the most sensitive data in the world is stored on machines or networks which have been “air-gapped.” In other words, they have no connection to the internet at all. (For what it’s worth, even air-gapped systems have been hacked, but it requires more physical measures, such as reading magnetic hard-drive fluctuations through adjoining walls to build up a duplicate of the data on it, and things like that.)
Unfortunately, that’s not an option for an online business, and as such, you need to rely on a combination of adequate website measures and internal training to make it counter-productively difficult for hackers to bother with you.