Defending Against Phishing and Other Rising Cybersecurity Threats as Attackers Exploit Coronavirus Vulnerabilities

24 March 2020 Blog
Authors: Aaron K. Tantleff Jennifer L. Rathburn Chloe B. Talbert
Published To: Coronavirus Resource Center Privacy, Cybersecurity & Technology Law Perspectives

As the coronavirus (also known as COVID-19) continues to impact all organizations globally and create uncertainty, cyber criminals are looking to exploit these vulnerabilities and fears and pose heightened cybersecurity threats for organizations and individuals alike. Phishing and other social-engineering campaigns are popular scams, especially in times of crisis, when the desire for information and resources is especially high. In fact, we are seeing a record spike (in some cases more than 5,000 registrations in a single day) in the registering of domain names that include “COVID” and “coronavirus.” These scams may use the coronavirus as bait to induce targets to interact with malicious links, attachments or applications, divulge sensitive or confidential information, or donate to fraudulent charities. While these attacks target individuals, employees and other end users create risks to organizations, as human error continues to be a substantial cause of security incidents. These risks are amplified by the increase in remote working as the global response to COVID-19 requires individuals to stay home and practice “social distancing.”

Given the rapid work from home (WFH) deployment, many organizations did not have time to properly harden or even prepare their environment for such a large remote workforce and cyber criminals know this. They are taking advantage of those inadequate or naive security postures and have been quickly ramping up to prey on individuals, devices, and networks. Whether it's using the work computer for personal reasons or using one’s personal computer to connect to the organization’s network, the rapid WFH deployment is exposing networks to new risks, and in many cases, without adequate time to properly address such risks. For example, many organizations require the use of company owned and provisioned devices in order to work remotely and did not have enough devices to hand out to its newly remote work force. Even if organizations had enough devices, many were not able to set them all up in time. Other organizations realized that they could be stuck with thousands of machines once the pandemic is over. Regardless of the reason, thousands of organizations allowed, for the first time, their workforce to use their own personal computing devices to connect to the corporate environment, remotely. And many found out they were ill prepared, evidenced by a spike in attacks.

We are also seeing organizations creating vulnerabilities in their environment where they did not exist before. For example, an organization that required all users to have multi-factor authentication in order to log in remotely, did not have enough licenses to roll it out for all employees who are now remote. While another organization had an unlimited enterprise license, they were not permitted to install it on non-company owned devices. In both cases, and many others, the organization, in the frenzy of trying to enable its work force to be remote and stay connected, elected to forgo those protections. As we have seen, vendors have generally been understanding and willing to work with their customers to very quickly resolve these types of issues. 

The cyber criminals are playing off of individuals’ fear, thirst for knowledge, and anxiety. For example, these cyber criminals are sending out legitimate coronavirus related updates that are laced with, framed in or link to malware. Users click on the links to what’s otherwise legitimate information and end up installing malware on their machine, as well as the corporate network. Other phishing scams include the get rich quick themes about investing in stocks of companies who have “cures” for COVID-19. Other scams include links and offers to purchase hand sanitizer and toilet paper, but after paying for the vapor products and the compromise of their credit card, the only thing delivered is malware to the buyer’s machine. 

In light of the rapidly increasing remote workforce and influx of cyber criminals attempting to capitalize on the coronavirus, organizations should take precautions to defend against new cyber threats and mitigate risk.

Phishing and Cybersecurity Precautions

Continue to Follow Best Practices

These are uncertain times, and will continue to be as the COVID-19 crisis continues to evolve. However, organizations should try to maintain best practices and continue to follow their security policies and practices to keep defenses up and encourage employees and end users to do the same. 

Identify and Respond to Vulnerabilities

This includes looking at what protections are in place for company owned and provisioned devices and pushing similar protections out to the remote work force. This may require increasing the number of end user licenses the company has, as well as ensuring it can be used on a personally owned device.

Adapt to Remote Working

Click here for more guidance on navigating remote working and the security issues it presents. 

Increase End User Security Awareness

While technological precautions are necessary, they may not be sufficient to protect organizations from cyberattacks. Especially considering the increase in remote working, which may be unfamiliar to many employees and other end users across industries, additional awareness training is crucial to prevent security compromises from targeted cyberattacks. 

End User Precautions

End users should be reminded to take the following precautions:

  • Do not click on links in unsolicited emails, social media messages or electronic communications and be wary of email attachments, especially those proclaiming to be related to or about COVID-19. 
  • Only interact with trusted sources, like legitimate, government or organizational websites, when seeking current, factual information about COVID-19.
  • Never reveal confidential or proprietary information or data, whether personal or organizational, in email, over social media, or by any other electronic communication.
  • Never respond to, but always report, any solicitations for such confidential or proprietary information or data. 
  • Report any suspicious emails, social media, or other electronic communications. 
  • Verify the authenticity of a charity or other cause before making a donation or pledging any other kind of support.

Support End Users and Set the Example

Organizations should lead by example when it comes to cybersecurity and provide employees and other end users the support they need to help organizations prevent security compromises. Organizations should: 

  • Do their best to keep end users informed and be sure to reference or provide only trusted, legitimate sources and current, factual information; and
  • Institute policies and practices allowing and encouraging end users to report suspicious communications and other potentially malicious activity.

In summary, it is important for organizations to take additional steps now when it comes to cybersecurity in order to mitigate their risk of suffering negative impacts from the coronavirus. For more information about recommended steps, please contact your Foley relationship partner. For additional web-based resources available to assist you in monitoring the spread of the coronavirus on a global basis, you may wish to visit the CDC and the World Health Organization

Foley has created a multi-disciplinary and multi-jurisdictional team, which has prepared a wealth of topical client resources and is prepared to help our clients meet the legal and business challenges that the coronavirus outbreak is creating for stakeholders across a range of industries. Click here for Foley’s Coronavirus Resource Center to stay apprised of relevant developments, insights and resources to support your business during this challenging time. To receive this content directly in your inbox, click here and submit the form.