As economic activity has slowed globally due to the COVID-19 pandemic, cyber fraud cases have surged. In the workplace, this often comes in the form of COVID-19 phishing scams. Phishing scams are typically carried out through email spoofing, where a hacker assumes a trustworthy identity to entice an individual to provide them with personal or confidential business information, such as passwords or financial data.
At the moment, organisations across the globe are communicating with their workforces about coronavirus in areas such as (i) updated travel policies, (ii) work at home requirements, (iii) cleaning best practices and (iv) returning to the workplace. Businesses may also be adjusting or changing plans for conferences and other company initiatives in response to the reported spread of COVID-19. Hackers do their research and they see when an opportunity presents itself. Through social engineering, hackers can target employees who, in the current environment, could be more likely to respond to an apparent executive’s email seeking action on a coronavirus-related topic.
Employees may, for example, receive fake emails purporting to be information from their own management about coronavirus. The hacker might assume an executive’s identity, by using a similar e-mail address, for the purpose of sending what appears to be a legitimate request to address a critical business need stemming from the coronavirus outbreak. Other hackers may pose as the U.S. Center for Disease Control and Prevention (CDC) or the World Health Organisation (WHO). Unsuspecting and concerned employees might be more likely to respond, allowing hackers into the organisation’s information systems.
COVID-19 phishing scams in the workplace are impacting organisations worldwide. The UK and US recently issued a joint cybersecurity alert concerning the explosion of phishing attacks. The European Union Agency for Law Enforcement Cooperation (Europol) also issued an alert on phishing and smishing (SMS text phishing) scams with basic guidance on how to spot such attacks, and how to respond if an attack occurs. The Hong Kong Police and the Australian Cyber Security Centre have also reported a significant increase in COVID-19 related phishing incidents since the onset of the pandemic.
While an organisation can use firewalls, web filters, malware scans or other security software to hinder phishing scams, experts agree that the best defense is employee awareness. Therefore, now is the time to remind employees about this threat, along with guidance for avoiding these attacks.
In the event an organisation or its employees is a target of such an attack, it needs to be prepared to respond. This may include steps such as (i) investigating the nature and scope of the attack, (ii) ensuring that the attackers are not still present in the systems, (iii) providing employees with guidance on internally reporting an attack, (iv) determining whether notification is required under applicable local law to individuals and government agencies and (v) helping employees whose personal information may have been compromised.
Jackson Lewis attorneys are available to assist you with these and other workplace issues. For more information, please contact John Sander (Principal) of Jackson Lewis at firstname.lastname@example.org or visit www.jacksonlewis.com.
For more information please contact Joseph Granato, Communications Manager at L&E Global at email@example.com.