United States: Cybersecurity Threat Actors Target Data of Businesses Seeking Economic Relief

Keep up to date with Akin Gump Strauss Hauer & Feld's COVID-19 Resource Centre

Cybersecurity threat actors are targeting information of businesses seeking assistance during this time of crisis. For example, last week the Small Business Administration (SBA) reported a suspected data breach, affecting close to 8,000 applicants to the Economic Injury Disaster Loan Program. The SBA said that the personal information of more than 7,913 business owners who applied for disaster loans was possibly seen by other applicants. The data breach comes as the SBA is grappling with a sharp increase in phishing emails that are using the SBA's name claiming to offer relief for small businesses. Currently, the SBA is unable to accept new applications for the Economic Injury Disaster Loan, based on available appropriations funding.

The FBI has warned of increased cyberattacks and fraud schemes related to COVID-19.  Business email compromise is also anticipated to rise as a result of the pandemic, with more than 1200 complaints already reported to the FBI related to COVID-19 fraud. As companies have shifted to remote work, they should adopt heightened cybersecurity protections, as suggested by the FBI:

Do:

• Select trusted and reputable telework software vendors; conduct additional due diligence when selecting foreign-sourced vendors.
• Restrict access to remote meetings, conference calls or virtual classrooms, including the use of passwords if possible.
• Beware of social engineering tactics aimed at revealing sensitive information. Make use of tools that block suspected phishing emails or allow users to report and quarantine them.
• Beware of advertisements or emails purporting to be from telework software vendors.
• Always verify the web address of legitimate websites or manually type it into the browser.

Don't:

• Share links to remote meetings, conference calls or virtual classrooms on open websites or open social media profiles.
• Open attachments or click links within emails from senders you do not recognize.
• Enable remote desktop access functions like Remote Desktop Protocol (RDP) or Virtual Network Computing (VNC) unless absolutely needed.