The COVID-19 pandemic has led online scammers to launch new, and too often successful, ways to hack into computers and steal people’s information and money. The vast increase in people working remotely has compounded the risks of data breaches through technological vulnerabilities and human error. Scammers are focusing on social engineering and any schemes they can come up with that will make people open attachments, download apps, or enter their confidential information.
As experts have reported significant increases in the frequency of cyber attacks of all kinds, now is a good time for businesses to take stock of their defenses against such unauthorized intrusions, which include:
• Emails from “spoofed” email addresses that look like legitimate company addresses and try to fool workers to send or wire money to an account or provide confidential company information.
• Emails that try to fool workers into clicking on links to malware that infects computers or to trick people into entering their usernames and passwords for their email or computer systems, such as:
- Emails targeting people working from home that purport to be from their work and contain a link to a website (work-related website or DropBox, etc.) and prompt the user to log in remotely, then exports the login credentials to the scammer.
- Emails purportedly from the World Health Organization claiming to contain attachments with important health information.
- Emails purportedly from the government and asking for credentials so the person can receive a stimulus check.
- Emails offering COVID-19 testing that include a link that supposedly goes to a map of nearby test centers.
- Emails disguised as coming from an electronic signature company (DocuSign, etc.) indicating they have a document that requires their signature and encouraging recipients to open a link or a file containing the important document. However, the file is not a document at all—it’s malware that immediately infects computers and could potentially spread to an entire network.•
• Efforts to hack into videoconferences, such as those conducted on apps such as Zoom or Bluejeans.
It is of course prudent for every business to take measures to prevent data breaches at all times, but the increased vulnerabilities brought on by the COVID-19 pandemic make it especially important. Not only do businesses want to stop cyber criminals from stealing their own important data and confidential information or holding it for ransom, but they have ever-expanding legal obligations to take reasonable measures to protect the privacy of other people’s data and information that they possess.
Per the American Bar Association’s ABA Cybersecurity Handbook, the emerging legal standard requires all businesses to engage in a process to “assess risks, identify and implement appropriate security measures responsive to those risks, verify that the measures are effectively implemented, and ensure that they are continually updated in response to new developments.” Furthermore, recent court decisions indicate a potential trend toward imposing upon corporate directors an obligation to monitor management’s compliance with a business’s cybersecurity and data privacy obligations.
The cyber threats emerging from the COVID-19 crisis should be a motivation for all businesses to engage in a deliberate process to determine if any changes in their approach to cybersecurity are warranted by the increased threats, or at least to remind their management and workforce of the best practices to minimize their cyber and legal risks. No matter where a business stands in its cybersecurity program, there are a few, relatively inexpensive things that it can do at this juncture.
• Alert its workforce to the nature of COVID-19-related email scams.
• Advise all videoconference app users to activate and use the app’s security features.
• Implement or reiterate effective company policies concerning passwords; the identity, handling and disposal of confidential information and information security, including hard copy documents and electronically stored information and data; and those policies requiring verification of wire transfer requests.
• Give serious consideration to implementing multi-factor authentication for logins to company network systems.
• Follow the detailed advice available on the website of the Cybersecurity and Infrastructure Security Agency, which is part of the Department of Homeland Security.
Implementing the above protocol may minimize the risk of a breach and subsequent legal repercussions – especially for companies that have transitioned employees to home-working environments, away from the watchful eye of IT. While these steps provide best practices to mitigate the most common threats that businesses currently face, it is crucial for organizations of all sizes to understand the dynamic nature and growing sophistication of cyber attacks. Cyber criminals will continue to thrive on the disarray generated by the COVID-19 crisis, making defensive measures all the more pertinent for companies to avoid preventable costs and interruptions at an unprecedented time.