September 17, 2021

Volume XI, Number 260

Advertisement

September 17, 2021

Subscribe to Latest Legal News and Analysis

September 16, 2021

Subscribe to Latest Legal News and Analysis

September 15, 2021

Subscribe to Latest Legal News and Analysis

September 14, 2021

Subscribe to Latest Legal News and Analysis

What Does Phishing Have to do with Coronavirus?

As announcements relaying the spread of Coronavirus (COVID-19) continue daily, governmental agencies at all levels are offering information and guidance, and businesses are scrambling to prepare and protect their employees and customers. As part of a larger group in my firm helping to synthesize all this information, there is an aspect of responding to COVID-19 that has not gotten much attention – emerging phishing attacks by informed hackers trying to capitalize on fears employees have about the COVID-19 crisis and what their employers are doing to respond.

We have posted several times about the different techniques hackers use to trick unsuspecting, distracted, or nervous employees into falling victim to a phishing attack. A good example, also particularly relevant now, is IRS Form W-2 cyber scams designed to get workers to email other employees’ Forms W-2. The IRS has issued numerous warnings about these scams and guidance for addressing them. And, the World Health Organization has issued a similar warning relating to COVID-19.

At the moment, organizations around the world are communicating with their workforces about coronavirus in areas such as (i) updated travel policies, (ii) work at home requirements, and (iii) cleaning best practices. ​Businesses also might be adjusting or changing plans for conferences and other business initiatives in response to the reported spread of COVID-19. Hackers do their research and see the opportunity. Through social engineering, they can target employees who in the current environment might be more likely to respond to an executive’s email seeking action on a coronavirus-related topic.

As with Form W-2 and other scams, employees may, for example, receive fake emails purporting to be information from management about coronavirus. The hacker might assume an executive’s identity and apparent e-mail address for the purpose of sending what appears to be a legitimate request to address a critical business need surrounding the virus’ outbreak. Unsuspecting and nervous employees might be more likely to respond, allowing attackers into the organization’s information systems.

While an organization can use firewalls, web filters, malware scans or other security software to hinder spear phishing, experts agree the best defense is employee awareness. So, it is a good idea to remind employees about this threat, along with guidance for avoiding these attacks.

In the event your business is a victim of such an attack, it needs to be prepared to respond. This may require steps such as (i) investigating the nature and scope of the attack, (ii) ensuring that the attackers are not still present in its systems, (iii) determining whether notification is required under applicable state law to individuals and state agencies, and (iv) helping employees whose personal information may have been compromised.

Jackson Lewis P.C. © 2021National Law Review, Volume X, Number 62
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Principal

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm's Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and...

973- 538-6890
Advertisement
Advertisement
Advertisement