News & Events

LAW ELEVATED – Working remotely during COVID-19: Data security risks

THE FOLLOWING ARTICLE WAS WRITTEN BY Melody McAnally AND WAS also PUBLISHED IN the Mississippi Business Journal.

With more employees working remotely during the COVID-19 pandemic come increased data security risks. Phishing emails are the leading cause of business data breaches, and according to Google, scammers are sending 18 million hoax emails about COVID-19 to Gmail users every day. So far, we have seen the following phishing emails specific to the COVID-19 pandemic:

  • To sign up for COVID-19 vaccine testing;
  • To invest in stock of a COVID-19 vaccine or ventilator equipment;
  • To buy COVID-19 home test kits (there are no FDA-approved home kits);
  • To buy products to treat COVID-19 (there are no products proven to treat COVID-19);
  • To donate to a charity relating to COVID-19;
  • To receive government checks from the recent federal Coronavirus Response Act.

These phishing emails often ask you to click a link and provide debit/credit card numbers or bank account information. Hackers will use this information to steal from your financial accounts or sell your credit card information on the Dark Web. It is rarely a good idea to click on email links to provide financial account information. If you think an email is from a financial institution with whom you do business, go directly to that financial institution’s website to log in.

If a charity emails asking for a donation, separately go to that charity’s website to donate online. If an email asks you to click on a link to download a new app, go to the app store to download the app. The Federal Trade Commission is a good resource for common scams and data breaches and for reporting phishing scams.

Some of the same phishing emails we have seen before are making come-back appearances.  Often hackers imitate Microsoft requesting users to enter their usernames and passwords for an urgent purpose or to change passwords. This is often a scam to get your work credentials to hack into a business network. Separately email your business’s IT helpdesk to inquire about Microsoft updates that may be legitimate.  If you receive an email from someone in your business asking you to click on a link or provide your username and password, call or email separately that person to make sure the request is legitimate.

The FBI has also warned about these increased risks of phishing schemes relating to the COVID-19 pandemic. The FBI gave several examples of recent COVID-19 phishing schemes, which typically impersonate vendors asking for payment outside the normal course of business due to COVID-19.

The FBI advises of the following red flags:

  • Unexplained urgency
  • Last minute changes in wire instructions or recipient account information
  • Last minute changes in established communication platforms or email account addresses
  • Communications only in email and refusal to communicate via telephone or online voice or video platforms
  • Requests for advanced payment of services when not previously required
  • Requests from employees to change direct deposit information

The FBI also recommends the following tips:

  • Be skeptical of last-minute changes in wiring instructions or recipient account information.
  • Verify any changes and information via the contact on file – do not contact the vendor through the number provided in the email.
  • Ensure the URL in emails is associated with the business it claims to be from.
  • Be alert to hyperlinks that may contain misspellings of the actual domain name.
  • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s email address appears to match who it is coming from.

If you are a victim of a fraudulent scheme, contact your financial institution immediately. You should also file a complaint with the FBI’s Internet Crime Complaint Center.

Businesses should continue to regularly train employees on phishing emails, particularly now that new COVID-19 phishing emails are becoming more common. Train employees to help them know what to look for in phishing emails. Remember to look for spelling errors or grammatical errors in suspicious emails. Many criminally indicted hackers have come from foreign countries and lack English skills. Also, look for misspellings in email addresses purporting to come from someone in your business. Often email addresses are misspelled by one letter that is hard to catch unless you look closely.

Businesses should implement multi-factor authentication given the increase in employees working remotely. Remote access to a business network remains a common data breach risk. Multi-factor authentication has become the gold standard to prevent remote access breaches.

If businesses have not yet invested in a cyber insurance policy, now is the time. Talk with your insurance broker for information about cyber insurance policies. Businesses who have a cyber policy should check in with their broker to make sure it still provides sufficient coverage. Specifically inquire about coverage relating to phishing email data breaches. Cyber policies are more common and less expensive than a few years ago. As the saying goes, an ounce of prevention is worth a pound of cure.

» MELODY McANALLY, an attorney with Butler Snow, focuses her practice on data privacy and security and commercial litigation. She is a co-team leader of the firm’s data security and privacy team, and advises clients on data security protection, data breach response and cyber-risk management.