Your employee is sitting at his or her home office working on a project and notices an email in his or her inbox with the subject line: “Urgent Request” or “Please get this done ASAP.” Not wanting to miss an urgent communication from work in this age of telework, your employee immediately switches tasks to review the email.  It appears that the email has come from your company’s CFO informing the employee that because of COVID-19, a vendor is requesting to change their account information so that an invoice can be paid as soon as possible. 

Understanding that businesses are trying to keep their cash flow coming in during the pandemic, your employee wants to respond quickly to the request. But, hopefully, remembering your company’s policy of requiring additional confirmation prior to changing vendor account information, the employee calls the CFO to confirm.

By doing so, the employee determines that the email is fraudulent, and so avoids what otherwise could have caused numerous negative consequences. Steps are then taken to immediately notify your IT department so an alert can be quickly sent to all company employees, many, most, or all of whom are at this point working from home, so that everyone is made aware of this particular social engineering attack and is reminded of increasing “spear-phishing” attacks.

If this sounds familiar, then you are one of many businesses that are experiencing a recent surge in cyber-attacks because of the COVID-19 pandemic. At this time, businesses and employees must be even more vigilant to guard against online fraud and other scams. Cybercriminals are using this unprecedented surge in teleworking to launch attacks against businesses and their employees. In this article we will discuss some of the emerging threats and provide some guidance for protecting your business.

Social Engineering Threats

While social engineering attacks like the spear-phishing scenario described above have been around for a while, one of the most recent techniques used by hackers is the use of malware-infected coronavirus infection rate maps. Taking advantage of the public’s desire for the most up-to-date information on the spread of COVID-19, hackers send out an email urging the recipient to click on a link to a website or an interactive map that will allow the recipient to view a real-time “heat” map that tracks infection cases across the country or even in the recipient’s own area. The danger is that the interactive map, or the website itself, comes pre-loaded with malware: once the recipient clicks, malicious software is downloaded and infects the unsuspecting recipient’s computer. Once this has occurred, hackers can use the information obtained from the recipient’s computer, such as passwords and login information, to try to infect business networks.

Another method of attack is the use of fake domain registrations. Hackers are registering domain names utilizing commonly searched words such as “pandemic,” “coronavirus,” or “COVID-19” that purportedly offer the latest information on the pandemic or an easy way to obtain federal relief checks instantly (for example, “Click here to obtain your federal relief check instantly”). When users visit the website (or respond to the email) to obtain the latest information about the COVID-19 pandemic or whatever service is being offered, they are prompted to “register” and enter their email address, password, or other personal information, which is harvested by the hackers for later use. Since many people use the same or similar passwords across various accounts, hackers can use the same or similar passwords to attempt to break into users’ personal or business accounts.

Some Steps Businesses Can Take to Protect Themselves

  1. Businesses should take this opportunity to review and update their information security policies, data breach response plans, and business continuity/disaster recovery plans, and remind employees of the contents of those policies. Ensure that your company’s policies have been updated to address teleworking and employees’ use of personal devices at home. This includes ensuring that the communication plan for reporting a data breach has been updated and employees know who to contact in the event they believe they are responsible for a data breach or have fallen victim to a social engineering attack. Additionally, businesses should make sure their plans address employee behavior while teleworking, such as:
    1. Ensuring personal email accounts are not used for company business;
    2. Ensuring that company business information is not stored on personal computers or personal cloud accounts;
    3. Prohibiting the use of social media accounts to conduct company business;
    4. Appropriate use of video conference platforms and maintaining confidentiality of internal business discussions;
    5. Prohibiting the use of unsecured connections to access business accounts and the use of unsecured wireless networks and requiring the use of Virtual Private Networks (VPN);
    6. Requiring employees to ensure their home networks are secure (use of encryption such as WPA2) as well as personal devices if they are using those devices to engage in company business;
    7. Prohibiting the use of work-issued computers to conduct personal business or surf the internet;
    8. Requiring approvals outside of email communication, such as by telephone, before account or invoice information is changed or wire transfers are conducted;
    9. Use of strong passwords, or better yet, requiring the use of multi-factor authentication company-wide; and
    10. Safeguarding company property such as laptops, tablets, and cell phones, particularly in public areas.
  2. Remind employees of the latest attacks, particularly spear-phishing attacks, and consider setting up refresher training on teleworking policies, how to detect social engineering attacks, and the procedures for reporting and responding to these types of attacks.
  3. Ensure that your business has installed the latest security patches to protect against vulnerabilities to company systems. As businesses’ IT departments scramble to support the massive increase in employee teleworking, IT departments are multi-tasking to maintain connectivity and increase capacity but may not be as focused on security. IT departments may be focusing less on keeping software and hardware patches updated than maintaining reliable, stable connections for communications.

Remember, scammers will take advantage of any opportunity to steal from your business, so it is important that both businesses and employees stay vigilant together and practice good cyber hygiene.