Cybercriminals love a crisis and COVID-19 is no different. In the last several weeks, cyber-crime has increased exponentially as hackers seek to take advantage of the migration to a remote workplace. As cybercriminals seek to capitalize, businesses need to be on high alert for fraud, now turbocharged by the disruption and unusual circumstances in which many are working. Scams focusing on treatments and cures for the novel coronavirus are rampant. Thousands of fraudulent coronavirus-themed websites are sprouting up per day. And Zoom, having skyrocketed in popularity these past weeks, has experienced such a surge in videoconference hijacking that it has its own name – “Zoom-bombing” – and is the subject of a recent FBI alert.
Indeed, the increased focus on online communications has brought a substantial uptick in breaches, with the most ubiquitous being the “business email interruption” scam. The most popular variant is where Office 365 or Gmail accounts are hacked through a phishing email, and the hacker then sends a fraudulent invoice purporting to be from a legitimate vendor, with changed wiring instructions so that the money is diverted to the hacker’s account and not to the legitimate recipient. With so many people working remotely, this type of fraud is more likely to succeed. While the risks are real, there are practical steps that companies can take today to reduce risk.
Be Extra Vigilant about Phishing Emails
Tell employees that phishing attempts are up exponentially and special care is needed as hackers try to take advantage of a disrupted workplace. Cybercriminals will play to emotions. If it seems too good to be true, it is. If it is not a sender with whom they would normally interact, or a platform on which that person has communicated in the past, be on high alert. Be especially wary of COVID-19-related links or emails (touting N95 masks for sale or testing kits). The CEO of the company is not likely to reach out on WhatsApp or LinkedIn if he or she has never done so before. Unless 100% certain that a sender or link is legitimate, do not click! Even in normal times, payment instructions are unlikely to change, and employees should be highly suspicious of any attempted change. Consider providing gift cards, a special shout-out or other rewards to those who report phishing emails to information security personnel.
Have an Alternative Way for Senior Leadership to Communicate
It is important to set up an alternative means of communication, especially among senior leadership, in the event of a hack that brings down the systems. A regular text may not be secure. If a hacker has access to the company systems, it is a short hop for them to be able to intercept texts from senior managements’ cell phones. Consider setting up a secure texting app, such as Signal, among senior leadership so that a secure line of communication is ready to go among key stakeholders even if normal email is disrupted.
Enable Multi-Factor Authentication
To help thwart Office 365 attacks, enable multi-factor authentication (MFA) on all accounts that are used by the company. Be wary of board members using Gmail or employees forwarding company email to their own Gmail accounts for ease of use while home. Enabling MFA will stop all but the most sophisticated threat actors. If there is any question about the validity of an email, contact the sender via telephone – at the number they have in contacts, not the number on the email in questions – and certainly do so before wiring any money or following changed payment instructions.
Practice Good Cyber Hygiene
Remind employees to ensure that their home network is up to date on anti-virus protection, to use MFA on all accounts for which it is available, and to follow company guidelines on internet use from personal devices. Employees work should occur only on secure, password-protected internet connections and remote employees should avoid accessing any confidential company information from a public or insecure WiFi network. Hackers try to mimic the name of a secure network, so look closely and verify to make sure the network is legitimate before joining.
Confidential Information Is Still Confidential
Confidential company information must be handled at home with the same care or more as it is in the office. This means paying attention to printing and shredding, and who has access to work computers or other work materials at home (roommates, friends, and family members). Computers should be password-protected and other work materials safely stored away when not in use.
Password-Protect Your Videoconferences
“Zoom-bombing” has become so rampant that the FBI is reporting and tracking the incidents. Recent cases involve unwanted guests shouting profanity and displaying other inappropriate content. To protect your videoconferences, make sure to require a meeting password, share the link and password only with authorized guests (do not post publicly) and lock the meeting after it begins.
Goodwin’s Chambers and Legal 500 ranked Privacy & Cybersecurity practice offers a multi-disciplinary approach to clients’ data protection needs. One of the longest-standing of any Am Law 50 firm, our global team is uniquely positioned to provide the most innovative solutions to guide clients through the collection, use, processing and protection of their most sensitive information. We have handled hundreds of data breaches, including high-profile, global incidents involving everything from ransomware to nation-state attacks; have advised on over 700 public and private transactions in the last year alone; and have designed strategic privacy, information security and compliance programs for startups, global enterprises, and everything in between. We have litigated landmark privacy cases and defended against class action and government enforcement actions brought by the FTC, OCR/HHS, state attorneys general and regulators across the globe.
David S. Kantrowitz, Counsel, Privacy + Cybersecurity
Please visit Goodwin’s Coronavirus Knowledge Center, where firm lawyers from across the globe are issuing new guidance and insights to help clients fully understand and assess the ramifications of COVID-19 and navigate the potential effects of the outbreak on their businesses.