Client Alert: COVID-19 Cyber Scams: Protect Your Organization
With everyone’s attentions devoted to the COVID-19 crisis and the disruptions it has caused to the normal rhythms of business and personal affairs, it should come as no surprise that criminals and scammers are seeking to take advantage of the situation. Worldwide, law enforcement agencies and data security professionals are reporting an uptick in the number of fraudulent schemes linked to COVID-19, including:
- Treatment scams: Scammers are offering to sell fake cures, vaccines, and advice on unproven treatments for COVID-19.
- Supply scams: Scammers are creating fake shops, websites, social media accounts, and email addresses claiming to sell medical supplies currently in high demand, such as surgical masks. When consumers attempt to purchase supplies through these channels, fraudsters pocket the money and never provide the promised supplies.
- Provider scams: Scammers are also contacting people by phone and email, pretending to be doctors and hospitals that have treated a friend or relative for COVID-19, and demanding payment for that treatment.
- Charity scams: Scammers are soliciting donations for individuals, groups, and areas affected by COVID-19.
- Phishing scams: Scammers posing as national and global health authorities, including the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC), are sending phishing emails designed to trick recipients into downloading malware or providing personal identifying and financial information.
- App scams: Scammers are also creating and manipulating mobile apps designed to track the spread of COVID-19 to insert malware that will compromise users’ devices and personal information.
- Investment scams: Scammers are offering online promotions on various platforms, including social media, claiming that the products or services of publicly traded companies can prevent, detect, or cure COVID-19, and that the stock of these companies will dramatically increase in value as a result. These promotions are often styled as “research reports,” make predictions of a specific “target price,” and relate to microcap stocks, or low-priced stocks issued by the smallest of companies with limited publicly available information.
- Vendor scams: Scammers are posing as vendors and claiming that payments should be sent electronically to a new location, recipient and/or bank account due to COVID-19 workplace changes.
- Relief Fund scams: Scammers are pretending to be with private or government organizations providing coronavirus "relief funds" and request banking, health, and other information. Offers of money are generally scams.
At this time, with many employees working at home, often with personal devices, it is important for your organization to be hyper-focused and extra-vigilant in order to secure your organization’s systems, money and data.
What should I do?
- Alert employees to these possible scams through training or informational materials.
- Where possible, ensure employees only use devices issued by your business and, where not possible, consider best practices available for data management.
- Keep business data on business devices or provide secure cloud-based platforms for employees to store business data processed through personal devices.
- Require or, if not possible, encourage, employees to use employer-approved web and mobile apps for remote work, such as for audio and video conference calls, chat, and project management.
- Stress to employees the importance of securing their home networks, and offer them help in doing so.
- Avoid using public wi-fi and provide best practices tips when use of pubic wi-fi is unavoidable.
- Make sure all devices, business and personal, stay updated with the latest patches to the operating systems and antivirus software.
- Employ two-factor authentication to access your network and, if offered, for online accounts.
- Use secure services for transferring data and for cloud storage.
- Encrypt sensitive/confidential data in transit.
- Protect devices from theft – do not leave them in your car or unattended in public places.
- All devices should use full disk encryption to make the data on them be inaccessible.
- Update your regular privacy and cybersecurity training program to address COVID-19 related scams.
- Beware of vendors who ask that you change your method of payment to them. Confirm all changes, not only in writing, but with a call you place to a known phone number to a known individual associated with the vendor.
Many are also asking whether it is appropriate to share information about employees or their family members who become ill. Although HIPAA does not apply to most employers, it is important to remember that employees’ medical information and non-medical but health-related information may be protected by a number of federal, state and other laws. If an employer learns that an employee has been confirmed to have COVID-19, the CDC directs that an employer should inform its staff of the fact that a fellow employee has been diagnosed, without naming the employee.
If you have any questions regarding privacy or cybersecurity, we are here to help.
The information contained here is not intended to provide legal advice or opinion and should not be acted upon without consulting an attorney. Counsel should not be selected based on advertising materials, and we recommend that you conduct further investigation when seeking legal representation.