The COVID-19 crisis has presented an array of novel issues for companies, including new and unexpected cybersecurity threats. In addition to the now well-known security limitations of video platforms such as Zoom, we are seeing cyber-attacks in the form of COVID-19 related phishing attempts and ransomware attacks. In at least some of these attempted hacks, cybercriminals are hoping to steal trade secrets.
- Cybercriminals are taking advantage of the novel at-home working environment and the increased fear and uncertainty surrounding the pandemic to launch malware and phishing attacks related to COVID-19.
- Employees may be more likely to click a link or open an attachment, even though they would never consider doing so in a normal situation at work.
- Therefore, malware may pose more of a danger than it did when employees primarily accessed their email over their employers’ traditionally more protected systems.
- Companies should consider putting employees on notice about the COVID-19 related phishing attempts and provide examples of common scams.
Each day during the week of April 13, 2020, Google noted over 18 million malware and phishing emails related to the pandemic. In that same period, the organization behind the “Trickbot” malware sent out hundreds of COVID-19 themed emails, each with attachments concealing malicious “macro-laced” attachments. Recent phishing attempts have included emails directed towards remote workers and pretending to be associated with the recipients’ employer, as well as emails impersonating organizations such as the WHO or CDC. The emails may offer information about stimulus payments, health advice, or a purported company policy related to the pandemic, and they might solicit donations or otherwise attempt to deceive individuals into downloading malware.
In most cases, these phishing attempts are not new, but are merely updated to exploit fears surrounding COVID-19. The phishing attempts might also be directed at particular governments and sectors, exemplified by a recent campaign using PoetRAT, a Remote Access Trojan targeting the Azerbaijan government and renewable energy sector using phishing emails containing Word document attachments. The malware used in this particular attack purportedly targets supervisory control and data acquisition (SCADA) systems, which are often used in the management of manufacturing systems and energy networks.
Many companies already diligently educate their employees about phishing and malware attacks, particularly those perpetrated over email. However, legacy prevention measures are no longer as effective for two reasons. First, employees are increasingly accessing their company email from personal devices, which may not possess the same security protections as their company-issued devices. Second, and the current environment of increased fear and uncertainty surrounding the pandemic, employees may be more likely to click a link or open an attachment, even though they would never consider doing so in a normal situation at work. Therefore, malware may pose more of a danger than it did when employees primarily accessed their email over their employers’ traditionally more protected systems and in their usual work environments.
Given these issues, especially combined with the increased need for proprietary information that must now be accessible virtually, and companies’ continued responsibility to protect their trade secrets, companies should consider reminding employees about cybersecurity scams and best practices to avoid them.
Companies should put employees on notice about the COVID-19 related phishing attempts and provide examples of common scams. They should also remind employees to carefully check the sender’s email address to ensure email communications are actually from their employer or another reputable organization. Finally, employers should tell their employees to be particularly wary of clicking any embedded links or opening any email attachments without carefully confirming that the email is legitimate. Asking employees to take these precautions may help companies avoid any data breaches or loss of trade secret protection they may have suffered if employees were not on notice about COVID-19 related phishing.