As originally published in Compliance Week, March 17, 2020
Don’t Let Coronavirus Fears Leave You Vulnerable to Hacking Schemes
As more companies around the world require, or highly recommend, that their employees work remotely to prevent the further spread of the novel coronavirus, hackers who thrive off fear see this as an opportune time to carry out a cyber-attack. In this time of fear and uncertainty, it’s more critical than ever to practice good security hygiene (just think of it as the technical version of proper handwashing).
“This is a moment that a lot of hackers across the world have been preparing for,” says Brian Finch, a partner at law firm Pillsbury who co-leads the firm’s coronavirus response team. “This is an opportunity to conduct pretty robust cyber-espionage, if not cyber-hostage taking. We are already seeing a spike in cyber-attacks, including on remote connection services.”
Coronavirus-related schemes have been occurring with such frequency, in fact, that in the United States the Department of Justice has made them an enforcement priority. “The pandemic is dangerous enough without wrongdoers seeking to profit from public panic, and this sort of conduct cannot be tolerated,” Attorney General William Barr wrote in a March 16 internal memo to all U.S. attorneys. “Every U.S. Attorney’s office is, thus, hereby directed to prioritize the detection, investigation, and prosecution of all criminal conduct related to the current pandemic.”
Hackers prey on fear, so a common hacking scheme works like this: “Using simple phishing techniques, bad actors are targeting individuals with e-mails that appear to come from an official source. The emails purport to share helpful information about the virus and encourage readers to open an attachment, which then downloads malware to infect their computer and gather personal information,” explains Jake Olcott, vice president of government affairs at BitSight.
In his memo, Barr cited reports of “individuals and businesses selling fake cures for COVID-19 online” as one example of a fraudulent scheme going around (the Federal Trade Commission is similarly cracking down in this area). He also cited reports of phishing emails from attackers impersonating government healthcare authorities, like the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC). In February, WHO itself warned of criminals disguising themselves as WHO officials to steal money or sensitive information.
On March 16, the U.K. National Cyber Security Center (NCSC) announced that it’s urging companies to follow its online guidance, including how to spot phishing emails and how to mitigate malware attacks. “We know that cyber criminals are opportunistic and will look to exploit people’s fears, and this has undoubtedly been the case with the coronavirus outbreak,” said NCSC Director of Operations Paul Chichester. “In the event that someone does fall victim to a phishing attempt, they should look to report this to Action Fraud as soon as possible.”
Across all industries, it is critical that companies and employees review security practices, controls, and protocols to reduce the risk of opportunistic cyber-threats amid the coronavirus. Here are some tips:
1. Verify the authenticity of communication by healthcare authorities. Phishing attacks can come from a myriad of communication platforms—emails, text messages, phone calls. “Be wary of any form of communication that requires you to click on a link, download an attachment, or ask for any kind of personal information,” says Heinan Landa, CEO and founder of Optimal Networks, an IT services firm. Upon receiving communication from a person or organization purporting to be from a government health authority, verify its authenticity before responding.
2. Watch for red flags. “Look for spelling errors and bad grammar and beware of anything asking you to download content or provide sensitive information to receive information/tips on how to protect yourself from coronavirus,” Landa says. “Even if you are led to what looks like an official webpage after clicking on a hyperlink in an e-mail, if a pop-up message comes up asking you for any kind of information, do not provide it.”