UPDATED CORONAVIRUS CYBER SCAM ALERTS
Each day, news outlets and government agencies release alerts about new cyber scams arising from the coronavirus pandemic. Below are updated issues to be aware of in order to protect yourself, your business, your kids, and your employees:
1. Be Careful with Zoom: Zoom is incredibly popular with educators and businesses for conducting virtual classes and meetings, and hackers now infiltrate Zoom meetings (called “Zoom Bombing”) for a variety of reasons. Some attacks are simple pranks in which the hackers shout obscenities or post distasteful images. Other attacks, however, are extremely serious: quiet eavesdropping in which the attacker seeks to steal proprietary information, or intrusions in which the attacker looks for opportunities to commit hate crimes. Eric Yuan, Zoom’s CEO, posted a statement online in which he acknowledged the following:
We also feel an immense responsibility. Usage of Zoom has ballooned overnight – far surpassing what we expected when we first announced our desire to help in late February. This includes over 90,000 schools across 20 countries that have taken us up on our offer to help children continue their education remotely…We have strived to provide you with uninterrupted service and the same user-friendly experience that has made Zoom the video-conferencing platform of choice for enterprises around the world, while also ensuring platform safety, privacy, and security. However, we recognize that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it.
Zoom’s efforts to combat these issues are detailed in the post. In the meantime, recommended actions while utilizing its features during the growing pains are as follows:
Do not post meeting codes/passwords on public sites or social media;
Meeting hosts must monitor participants for unknown users accessing the meeting; and
Manually type in the link to the meeting if not using the app, as several domains posing as legitimate Zoom sites have been registered in the last week, likely for malicious purposes.
2. Be Suspicious of Educational Websites for Children: The Children’s Online Privacy Protection Act (COPPA) applies to operators of websites and mobile apps directed at children under 13 that collect, use, or disclose personal information from the children. Operators of such websites must do the following to comply with COPPA:
Provide direct notice to parents and obtain verifiable parental consent before collecting personal information online from children;
Give parents the choice of consenting to the collection and use of the child’s information, while prohibiting disclosure to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);
Provide parents access to their child's personal information to review and/or have the information deleted;
Give parents the opportunity to prevent further use or online collection of a child's personal information;
Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and
Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonably safe measures.
3. Mobile Apps: According to an alert from the United States Attorney's Office for the Eastern District of Washington, “Scammers are creating and manipulating mobile apps designed to track the spread of COVID-19 to insert malware that will compromise users’ devices and personal information.”
4. Remote Desktop Access – Trusted Sources Only: Teleworkers will undoubtedly require remote assistance for IT issues during quarantine. Most entities with IT staff have specific programs, either directly through their VPNs or other programs, that allow IT professionals to remotely access a user’s desktop. Ensure teleworkers ONLY utilize authorized programs and do not seek unauthorized programs for remote access assistance. Certain teleworkers, whether due to embarrassment or impatience, may seek assistance from unknown sources found online. This is extremely risky behavior. For entities without remote access solutions, consider Microsoft Teams, which, to date, is heavily relied upon by healthcare organizations.
5. Health Care Entities Be Vigilant: The FBI urgently warns purchasers of COVID-19-related medical equipment to be vigilant for the following types of suspicious activity:
Unusual payment terms (e.g., supplier asking for up-front payments or proof of payment);
Last-minute price changes;
Last-minute excuses for delay in shipment (e.g., claims that the equipment was seized at port or stuck in customs); and
Unexplained source of bulk supply.
Due to supply chain issues, cyber scammers pose as vendors and promise supplies otherwise unavailable from previously verified sources. Many such offers will come in email form and, in certain cases, the fraudulent company may have a comical name such as “HandSani4U2Day.” Additional criminal activity involving medical supplies includes the sale of fake testing kits.
Cyber safety information is only valuable if received. Brief your employees, as one breach can result in legal liability and lost profits and goodwill.