Warning: Coronavirus Phishing Scams On The Rise - Remote Workers Are Key Targets - Security

Since the outbreak of the 2019 Coronavirus (COVID-19), we have seen a targeted focus by cyber criminals to capitalise on the crisis.

This update is a reminder to warn staff to remain vigilant against such activity, particularly as many workplaces encourage staff to work remotely, reducing the likelihood of face to face and telephonic communications (which increases the effectiveness of scams).

Background to Coronavirus scams

As at 11 March 2020, the World Health Organisation (WHO) reports there are currently 118,326 cases of COVID-19 confirmed across 114 countries, with the outbreak officially now classified as a pandemic.^[¹^]

We know that cybercrime peaks in times of crises or significant world events, with cyber criminals capitalising on public concern and confusion. In Australia we have seen this most recently with the bushfires and other headline news stories.^[²^]

How do these scams work?

Security researchers have identified that since January 2020, over 4,000 coronavirus related domains have been registered globally, estimating that 3% (120) are malicious and 5% (200) are suspicious.^[^3] We expect this trend to continue.

These domains can be used to set up fake websites. Using social engineering techniques, scammers can then act under the guise of experts claiming to provide credible information about the virus, offers for vaccinations, advertisements for prevention of the disease, and set up donation platforms.

Typically the scams will invite a user to provide sensitive information for later misuse, pay money into the criminal's account, or click on dangerous links and attachments. Once the link or attachment has been opened, there is a risk that the user's system can be compromised.

Current scams in circulation – what to look out for

In February 2020, the UN Health Agency reported that phishing emails appearing to come from WHO are circulating. If clicked through, users are requested to enter user credentials (i.e. email and password) thereby providing cyber criminals with the keys to access that user's online systems. More information is available here and here.

More recently, security researchers have identified a phishing email with the subject line "Coronavirus Updates" circulating, which attaches a malicious executable disguised as an Excel spreadsheet (titled "MyHealth.exe"). If opened, malware is downloaded capable of capturing screenshots of the user's desktop, monitoring clipboard, keystroke logging, clearing browser cookies, and downloading and executing files. More information is available here.

In Italy, a 'regionalised' spam campaign has been identified leveraging concerns in this growing hotspot. The well drafted email lures recipients into opening a document and clicking through links to "Enable Content". Once clicked, malware is downloaded including well known banking Trojan Trickbot. More information is available here.

Finally, in Japan, a spam campaign has been identified which lures users into responding to malicious emails containing attachments which, if opened, executes the well-known Emotet Trojan. We have previously written extensively about Emotet here. More information about the scam is available here.

What do you need to do in the first instance?

Awareness: as a starting point, warn your employees of the potential that they may come across malicious websites and advertisements or receive malicious emails.

Educate: train staff not to click on malicious links or attachments. If employees are unsure, they should speak with your IT team or the sender of the communication to confirm the communication it is legitimate.

Prepare to respond: more generally, organisations should also ensure that as part of their COVID-19 business continuity planning, steps are taken to increase the access and identity controls in place to create a secure yet effective environment for remote working. This includes enforcing secure VPN connections to critical digital assets, implementing multi factor authentication over key applications, and strengthening password requirements.

What do you do if you suspect you have been impacted by a phishing attack?

Isolate: if a malicious attachment/link has been opened or clicked through – isolate affected machines from the network to prevent the spread of unauthorised access/malware within your organisation's systems. Assess the scope of the impact on your network including what information may be at risk.
Missing funds: if funds have been paid, contact your bank to put a freeze on and trace funds. This needs to be done as quickly as possible given that there is often a time delay between when funds are paid and when users become aware of the fraudulent activity, thereby reducing the prospects of recovery.
Personal Data Protection: If personal information has been provided, consider what steps can be taken to prevent misuse of that information. This includes taking steps to protect against identity theft and account takeover, such as changing passwords to online accounts if credentials were provided, and implementing multi-factor authentication where possible on critical applications (such as online banking) to prevent unauthorised access.
Consider your regulatory obligations: while the focus is on containment and remediation, at the same time, an assessment of whether the incident is an Eligible Data Breach under the Privacy Act 1988 (Cth) ought to be undertaken. Statutory investigation and notification timeframes apply, so this needs to be done expeditiously.
If you have cyber insurance: contact your insurer to obtain assistance from expert vendors to assist your response capabilities.
Report it: report the scam to the WHO^[4], Scamwatch^[5] and ACCC.^[6]

More information about protecting yourself from scams is available on the ACCC's website here. You can also visit the Clyde & Co Coronavirus Information Hub for wider guidance on responding to the evolving global situation.

How can we help?

Clyde & Co has the largest dedicated and rapidly expanding cyber incident response practice in Australia and New Zealand. Our experienced team have dealt with over 700 data breach and technology related disputes in recent times, including a number of the largest and most complex incidents in Asia Pacific to date.

From pre-incident readiness, breach response, through to defence of regulatory investigations and proceedings, as well as recovery actions against wrongdoers, we assist clients in Asia Pacific across the full cyber lifecycle. Our team is also highly regarded for their expertise and experience in managing all forms of disputes across sectors including advising on some of the most newsworthy class actions commenced in Australia.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.