In our previous COVID-19 bulletin, we discussed the importance of companies maintaining information system and data security while allowing employees to work remotely. Over the last week, as people scramble to identify trustworthy information about the spread of COVID-19, how they can protect themselves, and how they can get tested, spammers and scammers have taken advantage of vulnerable telecommuters. For example, in just the past week, media outlets have reported on the following scams:
- Email Phishing. According to a Kaspersky study and the FTC, email phishing schemes use the names of organizations that would normally seem legitimate. Such emails appear to come from representatives of the Centers for Disease Control and Prevention (CDC) or the World Health Organization (WHO). The emails carry the CDC or WHO logos and headings, or use sender addresses that, at a quick glance, look official (such as cdc-gov.org). The links in these emails may infect the user’s device with malware or even ask the user to enter the email address and password for their Microsoft Outlook account.
- Domains and Apps. There are website domains that appear to keep track of COVID-19 updates and health information. Instead, these domains prompt users to download apps to access this information. In particular, there is an Android App that, once downloaded, infects the device with ransomware and demands payment or else the data on the device will be erased. Additionally, there is an interactive infections and deaths map circulating that is being used to spread password-stealing malware.
- Goods Delivery. While goods and supplies, such as cleaning and household supplies, are running out at local stores, there are online sellers purporting to have these items in stock. Instead, they are scams that take your payment and never deliver your ordered items. Employers, or employees in charge of supplies, should be cautious of online retailers and conduct additional research into the seller to verify legitimacy.
- Fake Charities. As with any major event or crisis, there are scammers trying to take advantage of people’s good intentions. This can take the form of fake charities or fake donation pages. The fake charity can be a completely made-up organization or one whose name closely resembles that of an established charity.
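The lookalike-sender pattern from the phishing bullet above (official logos, but a sender domain such as cdc-gov.org) can be caught mechanically before a message reaches the inbox. The following is an added illustration, not part of the bulletin or of any vendor's product; the official-domain list, the brand tokens and the sample messages are all constructed assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed lists for illustration; a real deployment maintains its own.
OFFICIAL_DOMAINS = {"cdc.gov", "who.int"}
BRAND_TOKENS = {"cdc", "who"}


def _tokens(text: str) -> set:
    """Lower-case alphanumeric tokens, split on dots, hyphens and spaces."""
    return set(re.split(r"[^a-z0-9]+", text.lower())) - {""}


def classify_sender(raw_message: str) -> str:
    """Classify the From: header as 'official', 'lookalike', 'other' or 'no-sender'.

    'lookalike' means the display name or sender domain borrows a brand token
    (cdc, who) while the registrable domain is not an official one; this covers
    cdc-gov.org as well as subdomain tricks such as cdc.gov.example.net.
    Note: the short token 'who' can false-positive on ordinary display names.
    """
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return "no-sender"
    domain = addr.rsplit("@", 1)[1].lower()
    # Crude registrable-domain guess: last two labels (no public-suffix list here).
    registrable = ".".join(domain.split(".")[-2:])
    if registrable in OFFICIAL_DOMAINS:
        return "official"
    if BRAND_TOKENS & (_tokens(domain) | _tokens(display_name)):
        return "lookalike"
    return "other"


# Constructed sample messages (not real mail), one per branch.
SAMPLES = {
    "lookalike_domain": "From: CDC Alerts <info@cdc-gov.org>\nSubject: COVID-19 update\n\nSee attached.\n",
    "lookalike_name": "From: WHO Outbreak Team <news@mailer-example.net>\nSubject: Guidance\n\nClick here.\n",
    "official": "From: <noreply@mail.cdc.gov>\nSubject: Notice\n\nHello.\n",
    "other": "From: Alice <alice@example.com>\nSubject: Lunch\n\nNoon?\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:17} -> {classify_sender(raw)}")
```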
Maintaining vigilant information security practices for workers both onsite and off is more important than ever to guard against bad actors eager to exploit a global crisis. Companies of all shapes and sizes should incorporate the following into their information security policies and practices:
- Employees should have secure home networks. Open Wi-Fi networks at home continue to expose companies to risk. Open networks allow anyone to connect to the network and potentially access the employee’s devices, including company-owned hardware that contains sensitive information. As the FTC recommends, employees need to make sure their router has WPA2 or WPA3 encryption enabled.
- Employees must secure laptops and sensitive files. While moving equipment and files from the office to the home, employees must make sure their laptop and files remain safe. It can be easy to lose a file or forget to lock the computer while moving out of the office or just sitting at home. If possible, sensitive files should remain on the secure company-owned laptop. External hard drives and thumb drives should be avoided because of the ease with which they can be lost or carry malware. If your company must use thumb drives, then encryption must be available and used. To provide some perspective on the importance of such encryption, simply encrypting a drive may remove any duty to report the loss of that drive as a “breach” under most state laws. That is no small thing! Considering the shifting priorities of companies in this challenging economic environment, dealing with a breach is surely not in the budget and may mean the end of a business.
- Employee laptops and devices should be updated regularly. Updates are important to correct vulnerabilities in the software. These updates may run automatically or manually, and employees should take steps to make sure their devices are up to date.
Finally, as we discussed in our previous bulletin, there is inevitably an urge to move fast. Indeed, that urge is exactly what the scams described above exploit. Be sure that your organization slows down to understand the benefits, risks, and impact of any information security policy. Being aware of the threats is a good first step. As we often say, you do not have to outrun the bear, just the next business, which might be less aware than you.