Beware of Cybersecurity Risks During COVID-19 and Working from Home

(This post is adapted from a message from Gowling WLG to their lawyers and staff written by Steve Lundy, which they have graciously offered to share with Avoid-a-Claim readers.)

As professionals and staff adopt the recently implemented remote working arrangement to reduce the risk associated with COVID-19, it is important to understand that this increases Cyber related risk. Cyber criminals thrive in stressful and confusing times. Knowing that the population is preoccupied dealing with monumental change, they have well-rehearsed playbooks that seek to exploit distributed workforces using remote connections. As a result, we are asking professionals and staff to be extra vigilant and take additional precautions.

Among other scams, hackers are circulating phony but legitimate looking:

• COVID-19 outbreak maps.
• Emails purportedly from IT teams to employees with the subject line: “ALL STAFF CORONAVIRUS AWARENESS.” The emails describe a seminar at which the company will discuss what it’s doing in response to COVID-19, which includes a link to register for the seminar.
• Emails claiming to be from vendors about COVID-19 tools and strategies that include links to PDFs and Word Documents and invite the recipient to click and open the attachment.
• SMShing messages closely resembling the employer’s phone number, indicating the recipient needs to “click here” to find out about modified firm operations. These seemingly harmless and legitimate looking emails and attachments are loaded with malware which deploy remote access tools (RAT), keystroke logging malware, desktop image capturing malware, and ransomware.

Hackers are looking to potentially gain control of law firm personnel’s remote access into the firm, or encrypt computers and anything else the malware can reach.

What can I do?

Here are several steps you can take to protect yourselves and the firm:

• Always think before you click.
• Never click on an email or text message from anyone you don’t know.
• If you receive an attachment in an email or text message you were not expecting—even if it’s from someone you know—call the person at a known telephone number (not the number listed in the message) to confirm the message is legitimate.
• If you click on something you should have avoided and a box opens that asks you for your password, or to supply some information or click on a link to enable a later version of software: stop, close out, and immediately call your IT Department to have a scan run on your device(s).
• Remember the ongoing risk of public Wi-Fi. If you can connect to Wi-Fi without a password, then the network is insecure. Do not use insecure Wi-Fi to connect to your work server, do any personal banking, or send any type of confidential or personal information.
• Avoid working in public spaces where third parties can view screens or printed documents.

(“Avoid a Claim” posted March 20, 2020 by LawPro)