Both employers and individuals continue to receive a barrage of information regarding the novel coronavirus 2019 (COVID-19). It is important to remember that during any time of stress, there will be some people with bad intentions willing to take advantage of the situation. “Phishing” and similar cybersecurity attacks are among the scams that the U.S. government is currently seeing in response to the COVID-19 pandemic. As a result, the U.S. Department of Homeland Security (DHS) has issued guidance and reminders related to the COVID-19 outbreak.
DHS’s Cybersecurity and Infrastructure Security Agency (CISA) is warning individuals to remain vigilant for scams related to COVID-19. Cyber actors may send emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to fraudulent charities or causes in a phishing attack. Employers may want to remind employees to exercise caution in handling any email with a COVID-19-related subject line, attachment, or hyperlink, and be wary of social media pleas, texts, or calls related to COVID-19.
Employers also may want to remind employees, both those working in an office setting and those working remotely, to continue to be vigilant against cybersecurity threats. CISA offered the following precautions that may help to protect corporate data assets:
- Avoid clicking on links in unsolicited emails and be wary of email attachments. CISA’s website includes helpful “Security Tips” documents, including “Using Caution with Email Attachments” and “Avoiding Social Engineering and Phishing Scams.”
- Use trusted sources, such as legitimate government websites, for up-to-date, fact-based information about COVID-19.
- Do not reveal personal or financial information in emails, and do not respond to email solicitations for this information.
- Verify a charity’s authenticity before making donations. Review the Federal Trade Commission’s page on Charity Scams for more information.
- Review CISA Insights on Risk Management for COVID-19 for more information.
Companies that are the victims of phishing schemes need to be prepared to act immediately to determine if they are the victims of a data breach. If a data breach has occurred, there are steps that must be taken to limit the potential harm to not only the company but also employees and customers (both of whom may be experiencing identity theft on an individual basis). The steps may differ depending on the type of information disclosed in the breach, the number of impacted individuals, and various state laws regarding data breach notifications.
CISA stated that in its “role as the nation’s risk advisor,” it “will use its relationships with interagency and industry partners to facilitate greater communication, coordination, prioritization, and information-sharing between the private sector and the government” with regard to cybersecurity attacks related to COVID-19. Having qualified personnel aware of and addressing the current phishing schemes circulating can help stave off a cybersecurity attack.