May 14, 2020

Cybersecurity in the Time of a Pandemic—Practicing “Safe Computing” While Working at Home

Lisa R. Lifshitz

As we hunker down in our home offices and endeavour to protect ourselves and our communities from the ravages of COVID-19, it is worth remembering that in addition to the threats posed by the virus, we are also increasingly at risk from scammers and hackers seeking to exploit existing cybersecurity gaps (and our general sense of panic) through various phishing efforts, spear phishing campaigns, and malware scams.

Preying on users’ cybersecurity weaknesses is not new. What’s different now is that many employees are novice remote workers who may not have had the time or ability to secure their at-home work environment. In our haste to obey mandatory municipal, provincial, state, and federal self-isolation or stay-at-home requirements, some companies have scrambled to provide their workers with adequate and necessary hardware, but may not have had the opportunity to carefully consider and protect against security threats, i.e. ensuring critical systems and corporate software have been fully updated and patched. Employees were not provided with supplementary security training. In some instances, the need for speed – to ensure business continuity and the ongoing ability to service clients – has resulted in poor cyber-hygiene, even as workers scramble to make do with a combination of work-provided and unvetted personal devices and vulnerable WiFi networks.

It’s also not terribly surprising that stressed employees are far more likely to fall victim to cyber criminals. Tensions are high, anxiety is elevated, and workers are trying to focus while surrounded by their equally concerned families, creating a pressure-cooked environment where bad judgment can ensue. Employees who are trying to show their companies that they are still being diligent workers can easily be misled by hackers pretending to be their boss or co-workers sending them authentic looking but fake emails from alleged ‘personal accounts’ asking them to do something, like providing critical network credentials or confidential/private information. Caught up in the moment, these emails can dupe unsuspecting employees, particularly those that are using new or unfamiliar technology, like laptops with smaller screens.

So far, much of nefarious online COVID-19 activity has involved phishing, spear phishing and the introduction of malware. “Phishing”—defined by the Canadian Centre for Cybersecurity (CCC)—as attempts by a third party to solicit confidential information from an individual, group, or organization by mimicking or spoofing, a specific, usually well-known brand, usually for financial gain- typically involves attempts to trick users into disclosing personal data, such as credit card numbers, online banking credentials, and other sensitive information, which the tricksters may then use to commit fraudulent acts. By contrast, “spear phishing” involves the use of spoofed emails to persuade people within an organization to reveal their usernames or passwords. Unlike phishing, which involves mass mailing, spear phishing is small-scale and targeted. Hackers also use email to deliver “malware,” malicious software designed to infiltrate or damage a computer system, without the owner's consent. Common forms of malware include computer viruses, worms, Trojans, spyware, and adware.

To date, there have been myriad examples of scammers trying to trick the unsuspecting public through the use of phishing, spear phishing and malware. As recently reported by the CBC on March 30, virtual private network provider Atlas VPN has determined that the number of active websites used for phishing has increased by 350 percent between January and March, just as the COVID-19 crisis erupted. Barracuda Networks, based in California, has reported a 667 percent spike in phishing emails from the end of February until late March.

Canada’s Communications Security Establishment (CSE), the parent agency of the CCC, has been kept busy identifying and taking down malicious websites spoofing Government of Canada websites (i.e., the Public Health Agency of Canada and the Canada Revenue Agency) that were spreading COVID-19 misinformation. The CSE has also reported cases of COVID-19 maps that infected devices with malware, phishing emails with malicious links and attachments, and spoofed COVID-19 websites. The CSE’s March 23rd Alert has noted several examples of these COVID-19 phishing attempts, with such tantalizing emails subjects as:

Cancel shipment due to corona virus _ New shipping schedule details

Corona is spinning out of control

Feeling helpless against Corona?

Military source exposes shocking TRUTH about Coronavirus

Corona virus is here, are you ready? (Learn how to survive)

Get your coronavirus supplies while they last

Canadians are encouraged to take some simple steps to protect themselves, not just during the COVID-19 isolation period, but at all times.

Security firm Forcepoint has recently noted that fake coronavirus spam tries to induce individuals to click on links to shady websites and fraudulent services or encourage people to buy a specific (fake) product which is supposed to help protect against COVID-19. Recently, some individuals received email supposedly from the World Health Organization (WHO) with information containing a recording that described necessary precautions against COVID-19. This email actually contained a small HTML file that directed users to a spoofed Microsoft Outlook login page, where they were prompted to log in to access the recording. Of course, hackers would then harvest the users' passwords. Another fake WHO email from Italy was a “malware dropper” designed to avoid security software by not carrying any malware itself but instead containing a simple script that ran on victims' computers for the purpose of installing other malware.

What steps can companies take to ensure that their workers are better protected from these cyber-hackers? And how can individual employees protect themselves?Some recommendations are below:

Companies should ensure that their employees use company devices (not their own!) that access company networks using secured VPNs (virtual private networks) or other secure portals. Company networks should only be accessible using multi-factor authentication. Organizations should promptly deploy all required security patches and updates to their critical enterprise software as well as implement current anti-virus or anti-malware software on computers/networks. Computers, router firmware, and web browser software should be kept up-to-date and legacy software should be replaced with currently supported versions. Consider using software that scans emails for malicious links and attachments. Companies should ensure that access to sensitive documentation is limited to those who especially require access, and all employees should receive basic cybersecurity training, reinforced through internal policies and periodic testing. Companies should advise their employees not to download confidential proprietary documents onto their personal devices and employees should be required to use sophisticated passwords (not "Password!") that are different from their home accounts. As busy as they are trying to keep the lights on, companies should periodically remind their employees about increased risks during this pandemic, including being on the lookout for not-so-obvious phishing attempts.

Individual employees should wake up and recognize that they have a personal responsibility to be especially vigilant now, given the incredible increase in coronavirus scams. As recommended by the CCC, to protect against malicious email, users should make sure the address or attachment is relevant to the content of the email. It’s critical to take the time to make sure that you actually know the sender of the email and that the email is legitimate – typos are a dead give-away that they are not. No one should open email attachments that come from sources they are unsure of.

To protect against malicious attachments, employees should ensure that the sender’s email address has a valid username and domain name, and should be extra cautious if the tone of the email seems “urgent” or is otherwise off. It doesn’t hurt to verify an unexpected email with an attachment by calling the supposed sender. Remember that so-called critical information that comes via attachments may also be scams—most legitimate emails put critical information in the main body of the message.

To protect against malicious websites, make sure that the proffered URLs are spelled correctly. It’s safer to directly type the URL in the search bar instead of clicking a provided link just to be certain. If you must click on a hyperlink, hover your mouse over the link to check if it directs to the right website and try to avoid clicking on links in email addresses that direct you to log into a website. Take the time to search and find the login page yourself using your own web browser and log in that way.

Never just “take the bait”—if you intuitively think there's a reason to question the legitimacy of a message that you receive, it’s better to simply ignore it and try to contact the sender to verify it. Do not respond to any requests for sensitive information, even if it's supposedly to update payment information with an account.

Lastly, if you make a mistake and fall for these scams, remember you are only human. However, if your errors have resulted in the unauthorized disclosure of personal information or confidential information, you (or your organization) may have triggered various mandatory data breach reporting requirements under various state and federal laws as well as other regulatory reporting requirements. It’s best to alert your company as soon as possible so it can work quickly to remediate the situation. Be careful out there and stay safe!

For more business law content, visit businesslawtoday.org.

Lisa R. Lifshitz

Partner, Torkin Manes

Lisa is a partner in Torkin Manes’ Business Law Group, specializing in the areas of information technology and business law and is the leader of the firm’s Technology, Privacy & Data Management Group and Emerging Technology Group.