Defending Against Phishing and Other Rising Cybersecurity Threats as Attackers Exploit Coronavirus Vulnerabilities

24 March 2020 Blog
Authors: Aaron K. Tantleff Jennifer L. Urban Chloe B. Talbert
Published To: Coronavirus Resource Center:Back to Business Privacy, Cybersecurity & Technology Law Perspectives

As the coronavirus (also known as COVID-19) continues to impact all organizations globally and create uncertainty, cyber criminals are looking to exploit these vulnerabilities and fears and pose heightened cybersecurity threats for organizations and individuals alike. Phishing and other social-engineering campaigns are popular scams, especially in times of crisis, when the desire for information and resources is especially high. In fact, we are seeing a record spike (in some cases more than 5,000 registrations in a single day) in the registering of domain names that include “COVID” and “coronavirus.” These scams may use the coronavirus as bait to induce targets to interact with malicious links, attachments or applications, divulge sensitive or confidential information, or donate to fraudulent charities. While these attacks target individuals, employees and other end users create risks to organizations, as human error continues to be a substantial cause of security incidents. These risks are amplified by the increase in remote working as the global response to COVID-19 requires individuals to stay home and practice “social distancing.”

Given the rapid work from home (WFH) deployment, many organizations did not have time to properly harden or even prepare their environment for such a large remote workforce and cyber criminals know this. They are taking advantage of those inadequate or naive security postures and have been quickly ramping up to prey on individuals, devices, and networks. Whether it's using the work computer for personal reasons or using one’s personal computer to connect to the organization’s network, the rapid WFH deployment is exposing networks to new risks, and in many cases, without adequate time to properly address such risks. For example, many organizations require the use of company owned and provisioned devices in order to work remotely and did not have enough devices to hand out to its newly remote work force. Even if organizations had enough devices, many were not able to set them all up in time. Other organizations realized that they could be stuck with thousands of machines once the pandemic is over. Regardless of the reason, thousands of organizations allowed, for the first time, their workforce to use their own personal computing devices to connect to the corporate environment, remotely. And many found out they were ill prepared, evidenced by a spike in attacks.

We are also seeing organizations creating vulnerabilities in their environment where they did not exist before. For example, an organization that required all users to have multi-factor authentication in order to log in remotely, did not have enough licenses to roll it out for all employees who are now remote. While another organization had an unlimited enterprise license, they were not permitted to install it on non-company owned devices. In both cases, and many others, the organization, in the frenzy of trying to enable its work force to be remote and stay connected, elected to forgo those protections. As we have seen, vendors have generally been understanding and willing to work with their customers to very quickly resolve these types of issues. 

The cyber criminals are playing off of individuals’ fear, thirst for knowledge, and anxiety. For example, these cyber criminals are sending out legitimate coronavirus related updates that are laced with, framed in or link to malware. Users click on the links to what’s otherwise legitimate information and end up installing malware on their machine, as well as the corporate network. Other phishing scams include the get rich quick themes about investing in stocks of companies who have “cures” for COVID-19. Other scams include links and offers to purchase hand sanitizer and toilet paper, but after paying for the vapor products and the compromise of their credit card, the only thing delivered is malware to the buyer’s machine. 

In light of the rapidly increasing remote workforce and influx of cyber criminals attempting to capitalize on the coronavirus, organizations should take precautions to defend against new cyber threats and mitigate risk.

Phishing and Cybersecurity Precautions

Continue to Follow Best Practices

These are uncertain times, and will continue to be as the COVID-19 crisis continues to evolve. However, organizations should try to maintain best practices and continue to follow their security policies and practices to keep defenses up and encourage employees and end users to do the same. 

Identify and Respond to Vulnerabilities

This includes looking at what protections are in place for company owned and provisioned devices and pushing similar protections out to the remote work force. This may require increasing the number of end user licenses the company has, as well as ensuring it can be used on a personally owned device.

Adapt to Remote Working

Click here for more guidance on navigating remote working and the security issues it presents. 

Increase End User Security Awareness

While technological precautions are necessary, they may not be sufficient to protect organizations from cyberattacks. Especially considering the increase in remote working, which may be unfamiliar to many employees and other end users across industries, additional awareness training is crucial to prevent security compromises from targeted cyberattacks. 

End User Precautions

End users should be reminded to take the following precautions:

  • Do not click on links in unsolicited emails, social media messages or electronic communications and be wary of email attachments, especially those proclaiming to be related to or about COVID-19. 
  • Only interact with trusted sources, like legitimate, government or organizational websites, when seeking current, factual information about COVID-19.
  • Never reveal confidential or proprietary information or data, whether personal or organizational, in email, over social media, or by any other electronic communication.
  • Never respond to, but always report, any solicitations for such confidential or proprietary information or data. 
  • Report any suspicious emails, social media, or other electronic communications. 
  • Verify the authenticity of a charity or other cause before making a donation or pledging any other kind of support.

Support End Users and Set the Example

Organizations should lead by example when it comes to cybersecurity and provide employees and other end users the support they need to help organizations prevent security compromises. Organizations should: 

  • Do their best to keep end users informed and be sure to reference or provide only trusted, legitimate sources and current, factual information; and
  • Institute policies and practices allowing and encouraging end users to report suspicious communications and other potentially malicious activity.

In summary, it is important for organizations to take additional steps now when it comes to cybersecurity in order to mitigate their risk of suffering negative impacts from the coronavirus. For more information about recommended steps, please contact your Foley relationship partner. For additional web-based resources available to assist you in monitoring the spread of the coronavirus on a global basis, you may wish to visit the CDC and the World Health Organization

Foley has created a multi-disciplinary and multi-jurisdictional team, which has prepared a wealth of topical client resources and is prepared to help our clients meet the legal and business challenges that the coronavirus outbreak is creating for stakeholders across a range of industries. Click here for Foley’s Coronavirus Resource Center to stay apprised of relevant developments, insights and resources to support your business during this challenging time. To receive this content directly in your inbox, click here and submit the form. 

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.