Many employees are working remotely during the COVID-19 pandemic, which has led to specific data security risks. Phishing emails are the leading cause of business data breaches. We have seen phishing emails specific to the COVID-19 pandemic that ask recipients:
- To sign up for COVID-19 vaccine testing;
- To invest in stock of a COVID-19 vaccine or ventilator equipment;
- To buy COVID-19 home test kits (there are no FDA-approved home kits);
- To buy products to treat COVID-19 (there are no products proven to treat COVID-19);
- To donate to a charity relating to COVID-19;
- To receive government checks from the recent federal Coronavirus Response Act.
These phishing emails often ask you to click a link and provide debit/credit card numbers or bank account information. Hackers will use this information to steal from your financial accounts or sell your credit card information on the Dark Web. It is rarely a good idea to click on email links to provide financial account information. If you think an email is from a financial institution with whom you do business, go directly to that financial institution’s website to log in.
A helpful way to check for scams is to Google the email to see if it has been reported as a scam. If a charity emails asking for a donation, separately go to that charity’s website to donate online. If an email asks you to click on a link to download a new app, go to the app store to download the app. The Federal Trade Commission is a good resource for learning about common scams and data breaches and for reporting phishing scams.
Some of the same phishing emails we have seen before are making comeback appearances. Hackers often imitate Microsoft, asking users to enter their user names and passwords for an urgent purpose or to change passwords. This is often a scam to get your work credentials to hack into a business network. Separately email your business’s IT helpdesk to inquire about Microsoft updates that may be legitimate. If you receive an email from someone in your business asking you to click on a link or provide your user name and password, separately call or email that person to make sure the request is legitimate.
Businesses should continue to regularly train employees on phishing emails, particularly now that new COVID-19 phishing emails are becoming more common. Train employees so they know what to look for in phishing emails. Remember to look for spelling or grammatical errors in suspicious emails. Many criminally indicted hackers have come from foreign countries and lack English skills. Also, look for misspellings in email addresses purporting to come from someone in your business. Often email addresses are misspelled by one letter, which is hard to catch unless you look closely.
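For IT staff who want to automate the address check described above, the following is an added example, not part of the original article. It flags sender domains that are one typo (a changed, missing, extra or swapped letter) away from a trusted domain; the domains in `TRUSTED_DOMAINS`, the sample headers and the function names are constructed for illustration.

```python
"""Flag From addresses whose domain is a one-letter near-miss of a trusted domain."""
from email.utils import parseaddr

# Assumption: the organisation's real domains (constructed placeholder values).
TRUSTED_DOMAINS = {"example.com", "example-bank.com"}


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: substitutions, insertions,
    deletions and swaps of two adjacent characters each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            # Adjacent transposition, e.g. "el" typed for "le".
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify_sender(from_header: str, max_distance: int = 1):
    """Return (verdict, matched_trusted_domain) for a From header value."""
    _, address = parseaddr(from_header)  # drops the display name
    domain = address.rpartition("@")[2].lower().rstrip(".")
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        if edit_distance(domain, trusted) <= max_distance:
            return ("lookalike", trusted)  # quarantine or warn the reader
    return ("external", None)


if __name__ == "__main__":
    # Constructed sample headers, not taken from real mail.
    samples = [
        "Jane Doe <jane.doe@example.com>",
        "Jane Doe <jane.doe@exampel.com>",     # swapped letters
        "IT Helpdesk <helpdesk@examp1e.com>",  # digit 1 for letter l
        "billing@exmple.com",                  # missing letter
        "news@unrelated.org",
    ]
    for header in samples:
        print(f"{header!r:45} -> {classify_sender(header)}")
```

A one-edit threshold matches the "misspelled by one letter" case; substitutions such as "rn" for "m" are two edits and need `max_distance=2`, at the cost of more false positives on short domains.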
Businesses should focus on multi-factor authentication now more than ever given the increase in employees working remotely. Remote access to a business network remains a common data breach risk. Multi-factor authentication has become the gold standard to prevent remote access breaches.
If businesses have not yet invested in a cyber insurance policy, now is the time. Talk with your insurance broker for information about cyber insurance policies. Businesses that have a cyber policy should check in with their broker to make sure it still provides sufficient coverage. Specifically inquire about coverage relating to phishing email data breaches. Cyber policies are more common and less expensive than a few years ago. As the saying goes, an ounce of prevention is worth a pound of cure.