Coronavirus Pandemic Increases Phishing Attempts

M&S Industry Alert
An unfortunate by-product of the current COVID-19 pandemic is the growing trend of phishing attempts that exploit public concern over this crisis to trick people into clicking on malicious links posing as resource information. Phishing scams are hardly new threats, but the coronavirus outbreak creates a uniquely strong environment for these scams to be effective. People are anxious for constantly updated and valid information regarding the pandemic. This crisis is particularly ripe for security incidents because COVID-19 has the potential to disrupt both personal activities and businesses. Many company representatives who might otherwise be immune to emails targeting health information are seeking content relevant to supply chain disruption events. This means that in addition to phishing emails from sites posing as government agencies and health organizations, we can expect to see phishing emails from sites purporting to be delivery companies and/or companies providing information on market conditions.

Phishing is a dangerous form of hacking because it provides an entry point for many types of cyber incidents, including identity theft and delivery of malware onto a victim's computer. This can lead to infiltration of the entire user network associated with the ground zero individual. In turn, this can result in global theft of company data (whether it relates to individual employees and customers or other sensitive corporate information). This can also be the entry point for ransomware attacks.

In fact, Check Point Software Technologies, a leading provider of IT security products and services, reported last week that, since January 2020, there appear to have been more than 4,000 coronavirus-related domains registered globally. Check Point’s researchers believe that approximately three percent of the domains registered are malicious, and an additional five percent appeared suspicious.

The result is an environment in which people are more likely to click on links, even from unknown senders, without first confirming the validity of the sender and the link. In addition, in the 24-hour news cycle environment, it is easier for phishing emails to blend in with the high volume of email traffic, which can also lead to reduced diligence. Researchers are discovering new campaigns daily, one egregious example being a campaign in the form of a phishing email with a PDF offering coronavirus safety measures. When the PDF is opened, malware is loaded onto the user’s computer.

Many of these hacks are particularly effective at avoiding traditional firewall protections.  Anxious to stay on top of this information, people often forget to confirm URL validity before accessing sites or opening attachments.  Knowing this, many fraudsters use links to fake maps which appear to track the progress of the pandemic, and to information purporting to come from legitimate and respected health resources. These fake sites contain malware that steals usernames, passwords, credit card information and other data stored in browsers.  In some cases, users are eventually sent to the legitimate site (after providing passwords and other information to the hacker).

Steps to avoid these pitfalls include the following:

  • Use common sense – does the sender appear to be a legitimate source of information? Do not click on everything that shows up in your inbox.
  • If an email asks you to click on a link or open an attachment, validate it first. To do this:
      • Hover over the link to see if the full address is consistent with the sender identifier;
      • Check closely for misspellings in the sender name (close to a legitimate name but not quite right);
      • Check for odd content in the email (for example, the salutation identifies you as “Dear Ms. L. Smith” instead of “Dear Ms. Smith” or “Dear Lisa”); and
      • Do not be embarrassed to call the sender to verify the email came from that person (do not reply to the email).
  • Watch out for links to non-profits asking you to donate in relief. If you want to make a donation, go straight to the non-profit’s website.
  • Never click on a link asking you to reset your password. If in doubt, go straight to the website, log in, and use the formal password reset procedure. Similarly, do not provide personal information, including financial information via an email link.
  • Implement and use dual authentication protocols. Keep computer systems up to date, including all security protections.
  • When in doubt, do not click. It is better in this environment to be overly suspicious.
  • Businesses should already be routinely testing their environments and providing security education and training for personnel. This is the time to remind everyone of these protocols.

Michele Cohen is a member of the firm’s Coronavirus Task Force, a cross-disciplinary team that can quickly and efficiently deploy talent from relevant practices to address concerns and issues in real time.