April 30, 2020
By John Murrill, Partner, Executive Committee, Technology Committee Chair
Litigation, Labor and Employment, Data Security
As the coronavirus continues to spread across the globe, people carefully scrutinize the daily news reports for evidence that social distancing and other preventative measures are helping to “flatten the curve.” Metrics such as infection and hospitalization rates, numbers of new cases, numbers of ventilators, and numbers of deaths are carefully monitored for indications of the virus’ progress.
As businesses are forced to implement work-at-home policies to help combat the spread of the virus, there is another ominous metric that has not received as much attention from the media. Specifically, cybercriminal activity has dramatically escalated during the pandemic. Cyber-crimes always tend to increase during times of emergency, but the current crisis presents even more fertile opportunities for mischief because IT staffs (who are themselves frequently working at home) are stretched thin supporting the remote workforce, and because employees working at home are often using their own personal devices to access their employer’s networks. The FBI recently reported that since the beginning of the pandemic, complaints to its Internet Crime Complaint Center have increased three- and even four-fold to as many as four thousand (4,000) per day, and the deputy assistant director of the FBI’s Cyber Division recently observed that “we have increased vulnerabilities online, and increased interest from threat actors to exploit those.”
In particular, use of phishing e-mails has escalated dramatically during the pandemic. Hackers are crafting phishing e-mails using pandemic-related themes intended to create a sense of fear and/or sympathy in the people receiving the e-mails. For example, some phishing e-mails have posed as communications from food banks and other NGOs soliciting donations to offset pandemic-related expenses. Other e-mails have posed as communications from the World Health Organization, the National Institutes of Health, and other trusted organizations. Still others have offered free face masks or mimicked routine e-mail traffic between employees working from home. All of these phishing e-mails have one goal – convincing the recipient to click on a bogus link that will then spread various forms of malware. Furthermore, the phishing campaigns are not limited to profiteering cybercriminals: Google recently reported that it has identified at least twelve (12) state-sponsored efforts to use the pandemic to spread malware.
Another cyber-threat that was largely unknown prior to the pandemic is “Zoombombing.” As more and more employers have been forced to adopt work-at-home policies, employees have often relied on the videoconferencing service Zoom as a professional lifeline to host remote meetings with employees, clients, customers, etc. Businesses use Zoom to conduct team meetings, courts use Zoom to conduct hearings, attorneys use Zoom to take depositions, and teachers and professors use Zoom to teach classes at high schools and colleges around the country. But with the explosive growth of Zoom has come increased and unwelcome attention from cyber-intruders who have hijacked Zoom videoconferences for their own purposes. Zoombombers have disrupted meetings of Alcoholics Anonymous, Sunday-morning worship services, online college classes, and a city-government meeting. And the threat posed by Zoombombers goes beyond the simple disruption of meetings and posting of hate speech and offensive images. A much more serious threat to businesses and law firms hosting remote conferences on Zoom is the possibility that Zoombombers can eavesdrop on sensitive conversations involving the discussion of company trade secrets, confidential and sensitive health information protected by HIPAA, legal strategies, etc. The risk is compounded by Zoom’s poor track record with respect to its encryption and security measures; indeed, the founder and CEO of Zoom apologized to the app’s millions of users in early April 2020 after coming under fire for the app’s many security issues. Zoom has been working to increase its encryption and security features, and a new version 5.0 is set for release on May 30.
Clearly, cybercriminals consider the current work-at-home model to be a target-rich environment. So what are some of the steps employers can take to protect themselves and minimize cyber-risks?
Don’t be caught with your cyber-pants down!
About John Murrill: Taylor Porter Partner John Murrill’s practice is concentrated in the fields of commercial litigation, labor and employment, data security, e-discovery, higher education law, government purchasing, procurement and contract law. He has been selected for inclusion in Best Lawyers in America® in Mass Tort Litigation/Class Actions - Defendants. John serves as chair of Taylor Porter’s Technology Committee, co-chair of the Business and Commercial Litigation practice, and also is a member of the Firm's Executive Committee.
Disclaimer: This article is for general information purposes only. Information posted is not intended to be legal advice. You should consult attorneys for any legal questions and/or advice.