HAMBURG: Working from home might sound more safe and sheltered than working from an office, but in terms of your digital presence, you and your employer are often at a greater risk, experts say. Here's what you need to be ready for.

It arrives as a harmless-looking email with an address from your company. Perhaps it's a request for you to sign up to a new company service.

But it's actually an email sent by cyber criminals trying to break into a employer's internal network.

Such attacks are called "phishing" – the combination of "password" and "fishing" which, as it sounds, is an attempt to capture someone's password.

"This is about attempts made to lure users to log onto fraudulent sites with doctored reports, mails or SMS," says IT experts Andy Voss.

Phishing attacks are not always easy to spot, even for experienced users and professionals. Now, more often, the targets are company employees working from home.

"Remote workers are a top victim because they're easier," says Ronald Eikenberg, a computer technology reporter. "While a company's administrator can still exert a certain amount of control over the central computer, this often is not the case for remote workers."

A company is especially vulnerable if employees at home use the same computer for both work and private use.

An entire firm paralysed

"If an employee is infiltrated by a trojan at home, it can run wild through the company network via the VPN connection," Eikenberg warns. "In the worst case, one wrong click can paralyse the entire company."

That's why cybersecurity experts are warning people not to use their own private computers for home office work. "It is better to use company equipment where access rights are restricted and the installation of software is only approved by the administrators," says Simran Mann, an IT security expert at German IT association Bitkom. This additionally ensures that the necessary security updates will in fact be downloaded.

If the your computer at home has become infected, you may not notice immediately. One aim of the attacker is to remain undiscovered for as long as possible, Eikenberg points out.

Alarm bells should be ringing if you notice your computer is suddenly much slower or using a huge amount of processing power. The same goes if software appears that you don't remember installing or if you end up on unexpected websites.

The target of the attack: A human being

Amid all the technical possibilities, in the end it is most often the human who is the target of a cyber attack, and not the computer.

"Phishing is a form of social engineering, meaning an attack on the human as the vulnerable point. It's sensible to deploy protection measures, but they cannot prevent such attacks," Eikenberg says.

All the same, the rule still applies – only ever use a computer when the software is up-to-date and when your antivirus is active. Microsoft's Defender, integrated in Windows 10 and 11, is adequate in many cases, Eikenberg says. For cyber criminals, the main entry for an attack remains email.

"But there have been, and are, attacks in which employees are tricked into plugging in a USB storage which automatically installs damaging software," says Mann. The effort needed to achieve this is of course much greater, however.

In the past, email attacks were relatively easy to detect, for example if the mail was written in broken English. But this has changed, and mistakes have become rarer, Mann warns. "In some cases these mails are very professionally and thoroughly researched, all the way down to the email signatures of the purported sender."

Attacks also carried out on the telephone

And, as before, criminals continue to use the telephone to try to get entry to a person's computer. This is called "vishing" – "voice and fishing". The classic case is the telephone call by someone claiming to be an employee of the Microsoft Support team.

Even today, years after this scam emerged, hackers still succeed in persuading people to download software for the purpose of remote maintenance of their PC. Once this happens, the criminals have complete control of the computer and access to all the data in it.

Andy Voss advises just one thing: Hang up the phone. Neither Microsoft nor any other reputable company will ever place an unrequested call or send emails seeking the user's personal data. The best protection against cyber attacks and social engineering remains a healthy portion of scepticism and common sense.

"Those who actively inform themselves about the tricks of the attackers will naturally recognise them more easily," Voss says. By no means should you just open the attachment of an unknown email sender out of curiosity.

The problem is that cybercriminals have it comparatively easy with employees working from home because communications are almost exclusively digital. Eikenberg points out that for remote work, "the personal face-to-face exchange doesn't take place. So the probability is much much higher that you fall for a doctored email that looks like it's from a company boss or administrator."

Remember, before you click on any email links, if your gut instinct is telling you something is strange, then get on the phone to ask someone. – dpa