This morning I received an email from the “Executive Vice President, Business Financial Services” of my personal bank. He wrote to tell me that the bank was taking added precautions to keep clients and employees safe. He went on to say that they had put into place “a sofisticated system to facilitate communication” and that I should view the attached documents for more information.
Although the would-be hacker went to a lot of trouble, and perhaps even had information that I am indeed a client of the bank, he forgot to proofread. The obvious misspelling quickly led me to check the email domain name, which showed that this VP of one of the Big Banks was writing to me from an “@cox.net” account.
Emails such as the one I received, known as business email compromise (BEC) attacks, are becoming increasingly common during this emergency as criminals seek to take advantage of technical vulnerabilities and of everyone’s strong desire for more information and reassurance that their families, jobs and finances will be safe. As a result, employers and organizations need to be vigilant in maintaining their security systems as staff log in from their homes. However, as has always been the case, the real first line of defense against a hacker or ransomware attack is the people.
Now more than ever, organizations need to promote a culture of being “cyber savvy”. Many organizations are sending daily or near-daily updates to their remote employees to keep them abreast of Covid-19-related developments, both internally and in the community at large. This is crucial. If stressed and isolated employees feel connected and informed, they are less likely to fall prey to those seeking to take advantage of the situation with false emails and fake news. In addition to these updates, and in order to mitigate the risk of BECs, consider including reminders to employees that before they open an unexpected email, they should check the sender’s domain name and, if it is suspicious, delete the message.
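The domain check described above can also be automated at the mail gateway or in a triage script. The following Python example is added here and is not code from the original post; it parses a message's headers with the standard library and reports the same signals a careful reader would look for: a sender domain belonging to a consumer mail provider, a display name that claims an organizational role while the address is outside the organization's own domains, and a Reply-To address pointing somewhere other than the From domain (a common BEC indicator not mentioned in the post). The domain lists, the keyword list and the sample messages are constructed assumptions for illustration.

```python
from email import policy
from email.parser import Parser

# Domains this organization actually sends official mail from (assumed value).
EXPECTED_DOMAINS = {"examplebank.com"}

# Consumer mail providers that no bank executive writes from on business (assumed list).
FREEMAIL_DOMAINS = {"cox.net", "gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# Words in a display name that claim affiliation with the organization (assumed list).
ORG_KEYWORDS = ("bank", "financial")


def _first_address(msg, header):
    """Return the first mailbox in an address header, or None if absent or unparseable."""
    value = msg.get(header)
    if value is None:
        return None
    addresses = getattr(value, "addresses", ())
    return addresses[0] if addresses else None


def check_sender(raw_message, expected_domains=EXPECTED_DOMAINS):
    """Return a list of reasons the message looks like a BEC attempt; empty means none found."""
    msg = Parser(policy=policy.default).parsestr(raw_message, headersonly=True)
    findings = []

    sender = _first_address(msg, "From")
    if sender is None:
        return ["missing or unparseable From header"]
    domain = sender.domain.lower()
    name = sender.display_name.lower()

    # Signal 1: the mailbox lives at a consumer provider, as in the "@cox.net" case.
    if domain in FREEMAIL_DOMAINS:
        findings.append(f"sender domain {domain} is a consumer mail provider")

    # Signal 2: the display name claims a role at the organization, but the address does not.
    if any(word in name for word in ORG_KEYWORDS) and domain not in expected_domains:
        findings.append(f"display name claims organization role but domain is {domain}")

    # Signal 3: replies would go to a different domain than the one the mail claims to come from.
    reply_to = _first_address(msg, "Reply-To")
    if reply_to is not None and reply_to.domain.lower() != domain:
        findings.append(
            f"Reply-To domain {reply_to.domain.lower()} differs from From domain {domain}"
        )
    return findings


# Constructed sample modelled on the message described in the post (not a real email).
SUSPICIOUS = """\
From: "Executive Vice President, Business Financial Services" <evp@cox.net>
To: client@example.net
Subject: Added precautions for clients and employees

Please view the attached documents for more information.
"""

# Constructed sample of a message from the organization's real domain.
LEGITIMATE = """\
From: "Client Services" <notices@examplebank.com>
To: client@example.net
Subject: Your statement is available

Your statement is ready to view.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, check_sender(sample) or "no findings")
```

Running the block prints two findings for the constructed suspicious message and none for the legitimate one. A script like this is a coarse filter, not a verdict: a message that passes it can still be malicious, so it belongs alongside the staff reminders, not in place of them.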
Such steps are important because, after the emergency is over, if there have been data and privacy breaches, and there undoubtedly will be, organizations that did not take reasonable precautions in the circumstances to protect their clients’, members’, ratepayers’ or stakeholders’ data may be subject to claims of negligence, breach of contract, breach of fiduciary duty or breach of privacy. Taking steps now to strengthen the culture of cyber security within the organization will undoubtedly provide protection against future claims.