Pandemic-based Cyber Attacks, Phishing Schemes & Data Breaches: Oh My!

12/2/2020

Never let a crisis go to waste. This appears to be the maxim of cyber criminals seeking to capitalize on cyber vulnerabilities posed by the COVID-19 pandemic. In fact, the United States Cybersecurity and Infrastructure Security Agency warns us that cyber criminals are employing a growing number of COVID-19-related cyber-attacks and scams in an effort to profit from the pandemic.

Multiple industries have fallen prey to cyber criminals’ malicious online activity, and the hospitality industry is no exception. For example, while not necessarily a consequence of pandemic-induced cybercrime, in early 2020, Marriot Hotels suffered a major data breach. Personally Identifiable Information (PII) of about five million customers was compromised after cyber criminals used Marriot employees’ login credentials to access guest information.

COVID-19 has given way to a rise in cybercrime due largely to targeted online deception such as phishing emails and phony COVID-19 relief websites riddled with malware. Cybercrime, amid COVID-19, also takes the form of cyber vulnerabilities posed by the transition to a remote work force and an increase in online transactions associated with curbside service.

At a time when companies in the hospitality industry and beyond are looking for guidance, we address the most prevalent pandemic-induced cyber threats and offer some countermeasures:

Phishing and Malware Schemes

Amid the pandemic, cyber criminals seek to prey on well-intentioned employees through COVID-19-related phishing schemes and malware minefields posing as COVID-19 relief websites. For example, cyber criminals will send emails to a company’s employees purportedly authored by the World Health Organization or the U.S. Centers for Disease Control containing malware embedded within attachments and links disguised as information on vaccines and treatment. Other phishing emails take the form of purported information on infection rates from major university hospitals.

Equally as dangerous are malicious websites created by cyber criminals using domain names containing the words “coronavirus” and “Covid-19”. Well-intentioned employees seeking to donate to COVID-19 relief or simply get an update on COVID-19-related information may visit these websites from a company’s network.  Unbeknownst to the employees, the websites are riddled with malware.

The following measures will help employees to recognize and avoid malicious emails and websites:

  • Test employees’ alertness by implementing bait-phishing exercises in which employees receive simulated phishing emails.
  • Implement an effective layered defense system including firewalls to block attacks, Domain Name Service (DNS) filtration systems to prevent access to bad websites, endpoint protection to protect users’ computers from malware, and email filtration to prevent incoming links or attachments that may be malicious. This list is not exhaustive, but offers a starting point to help manage the risks.
  • Educate employees on red flags of phishing and the importance of consulting only legitimate government websites for COVID-19-related information.
  • Provide employees with regular updates on COVID-19 to curb the need for independent research.

Remote Work and Teleconferencing

The hospitality industry is confronted with additional cybersecurity risks as its corporate workforce transitions to remote work. With living rooms and basements sufficing as workspaces, official company technology (e.g., laptops and smart phones) is more easily accessible to family and friends. Unauthorized access, even if well-intentioned, increases cybersecurity risks including the potential for malware attacks.

Quarantine and work-from-home safety measures have transformed the home into more than just an office; it is also a school and child daycare. Employees managing an extensive workload while doubling as teachers and daycare workers lack the time and patience required for cybersecurity vigilance. Home life distractions and multi-tasking divert attention from potential cybersecurity threats like phishing emails. An employee rushing to respond to a barrage of emails on her smart phone while simultaneously teaching her child algebra and watching news updates on COVID-19 may easily fail to recognize red flags of phishing.

Additionally, employees’ home networks may not be secure, leaving them exposed to malicious activity. Employees seeking a change of scenery might opt to work from a coffee house or public library, joining a public network in the process. But public networks are risky precisely because they are open to the public. Information transmitted across a public network may be accessible to another network-user.

Following are several measures that may facilitate a safe and secure remote work environment: 

  • Keep company-owned technology in a safe and secure location not typically frequented by family members and friends. Also, they should further restrict access by requiring a password at log-in.
  • Designate a specific space within their homes as a home office. Additionally, they should avoid the use of handheld devices. Red flags of phishing are more likely to go unnoticed on smaller screens.
  • Equip their home computers with reputable firewall software in order to properly monitor and filter network traffic including blocking malware.
  • Avoid unsecure public networks by working from a home office. Save the coffeehouse exclusively for coffee breaks.

Following the shift to remote work, there was a massive uptick in teleconferencing via services like Zoom and GoToMeeting. As we have seen throughout the pandemic, professional teleconferences have been hacked and hijacked by cyber criminals on numerous occasions. This is especially dangerous when employees are sharing sensitive or proprietary information.

Cyber criminals have the ability to hack non-encrypted teleconferences and record or re-broadcast video streams including any confidential and proprietary information featured therein. Additionally, chat messaging components of teleconferences are vulnerable to phishing attacks. These types of attacks can not only jeopardize a company’s confidential information, but also a company’s reputation.

By adjusting teleconference settings as follows, companies can help safeguard their teleconferences from external threats:

  • Require teleconference participants to enter a password before entering the teleconference.
  • Set up a waiting room in which participants must await access from an appointed host.
  • Elect end-to-end encryption, which ensures that communication between all meeting participants is encrypted using cryptographic keys known only to the devices of those participants.

Data Breach

Data breach – which took center stage in cyber warfare even before the pandemic – is now a greater threat as companies are preoccupied with tackling other challenges posed by the pandemic. The restaurant industry in particular is increasingly in the crosshairs. Implementation of curbside pickup has resulted in an uptick in mobile orders and digital payment. Increased digital payment has created a cyber criminal’s treasure trove of stored payment credentials.

The following measures may help to ensure that a company’s data remains where it should be – with the company:

  • Implement deception grids by employing technology that generates deception decoys for cyber criminals and monitors network intrusion; these are sometimes referred to as “Honeypots” or “Honeynets.”
  • Conduct regular penetration testing by launching simulated cyber-attacks designed to flag vulnerabilities in network security.
  • Implement multi-factor authentication by employing an electronic authentication scheme requiring two or more methods of identity authentication for network access.

Taking proactive steps not only improves defense against cybersecurity threats, but it also helps mitigate cybersecurity litigation. 

ABOUT THE AUTHOR

Justin Guido is an attorney in RumbergerKirk’s Miami office. He focuses his practice on casualty litigation involving claims of personal injury and negligent security. Additionally, he holds the accreditation of Certified Information Privacy Professional from the International Association of Privacy Professionals. In this capacity, Guido defends clients in data breach class action lawsuits and provides consultation to businesses within the hospitality industry on information management practices. Guido can be reached at (305) 358.5577 or [email protected].

X
This ad will auto-close in 10 seconds