In the midst of the coronavirus pandemic, hackers are capitalizing on fears surrounding the outbreak by crafting COVID-19-themed attacks aimed to infect computers with malware or obtain sensitive, personal information.
For example, readers may be familiar with a popular interactive dashboard created by Johns Hopkins University using real-time data from the World Health Organization to track the spread of the virus. It has become a go-to source for many wishing to stay up to date on the virus. Recently hackers have circulated links via social media, email attachments and online advertisements to malicious websites that are disguised as the university’s COVID-19 map. However, the deceptive links open an applet that, when installed, infect the device with malware designed to steal personal data such as login credentials, banking information and other sensitive data. To ensure you are accessing the “real” COVID-19 map, directly access it through Johns Hopkins’ official home page, rather than clicking any unidentified links or searching the internet.
In addition, news recently broke that the Department of Health and Human Services (HHS), the federal agency tasked with fighting the coronavirus, experienced a cyberattack. Although there was no actual penetration or data involved, a distributed denial of service – or DDOS – attack occurred in which bots attempted to overwhelm the department’s system to slow or shut it down. Officials are satisfied that the attack was unsuccessful and are working on determining the origin of the activity.
Even as the government and the public are focused on the public health crisis, the security and intelligence community is also monitoring threats from foreign adversaries and other malicious actors who may take advantage of the attention on COVID-19 to launch cyber-attacks on susceptible networks.
In times of crisis and uncertainty like these, businesses and their employees should be more vigilant than ever of malicious attacks, malware, and scams, especially those relating to the diagnosis, prevention or treatment of COVID-19. Implementation of security best practices will reduce the risk of losing sensitive personal and corporate information and minimize damage and disruption to systems and networks. Among other preventative measures, businesses should revisit (and, if appropriate, enhance) their remote working policies and procedures, require (or reinforce) anti-phishing training, and use email and multifactor authentication. Employees and customers should not click on links without scrutinizing the URL (i.e., ensuring secured websites begin with “https://”), never respond to emails requesting login credentials, payment information, or other sensitive information, and be wary of opening suspicious attachments. Visiting websites directly, rather than clicking on embedded links to those sites in emails, is always a good practice.
Just as people should be careful about what they touch in the physical world, they are also well advised to be careful about how they conduct themselves in the digital world.
McGuireWoods has published additional thought leadership related to how companies across various industries can address crucial COVID-19-related business and legal issues.