As announcements relaying the spread of Coronavirus (COVID-19) continue daily, governmental agencies at all levels are offering information and guidance, and businesses are scrambling to prepare and protect their employees and customers. As part of a larger group in my firm helping to synthesize all this information, there is an aspect of responding to COVID-19 that has not gotten much attention – emerging phishing attacks by informed hackers trying to capitalize on fears employees have about the COVID-19 crisis and what their employers are doing to respond.
We have posted several times about the different techniques hackers use to trick unsuspecting, distracted, or nervous employees into falling victim to a phishing attack. A good example, also particularly relevant now, is IRS Form W-2 cyber scams designed to get workers to email other employees’ Forms W-2. The IRS has issued numerous warnings about these scams and guidance for addressing them. And, the World Health Organization has issued a similar warning relating to COVID-19.
At the moment, organizations around the world are communicating with their workforces about coronavirus in areas such as (i) updated travel policies, (ii) work at home requirements, and (iii) cleaning best practices. Businesses also might be adjusting or changing plans for conferences and other business initiatives in response to the reported spread of COVID-19. Hackers do their research and see the opportunity. Through social engineering, they can target employees who in the current environment might be more likely to respond to an executive’s email seeking action on a coronavirus-related topic.
As with Form W-2 and other scams, employees may, for example, receive fake emails purporting to be information from management about coronavirus. The hacker might assume an executive’s identity and apparent e-mail address for the purpose of sending what appears to be a legitimate request to address a critical business need surrounding the virus’ outbreak. Unsuspecting and nervous employees might be more likely to respond, allowing attackers into the organization’s information systems.
While an organization can use firewalls, web filters, malware scans or other security software to hinder spear phishing, experts agree the best defense is employee awareness. So, it is a good idea to remind employees about this threat, along with guidance for avoiding these attacks.
In the event your business is a victim of such an attack, it needs to be prepared to respond. This may require steps such as (i) investigating the nature and scope of the attack, (ii) ensuring that the attackers are not still present in its systems, (iii) determining whether notification is required under applicable state law to individuals and state agencies, and (iv) helping employees whose personal information may have been compromised.