Cyber risk during COVID-19 Pandemic: Are your cyber security protocols sufficient?

Unfortunately, we are already seeing COVID-19 being used by cybercriminals looking to capitalise on the public's fear and uncertainty. In particular, cybercriminals are using COVID-19 as the theme of phishing scams aimed at unsuspecting individuals. With an increasing proportion of the business sector beginning to work from home, there is a very real and legitimate need for businesses to review their cyber security protocols to ensure these protocols can adequately protect businesses and their employees from cyberattacks.

What is phishing?

Phishing is a type of scam conducted through electronic message platforms such as email or SMS whereby the scammer attempts to lure individuals into disclosing personal information such as login credentials, banking and credit card details.

To lure individuals into a phishing scam, cybercriminals often pose as well-known organisations to gain the reader's trust. These messages often look legitimate and employ language aimed at pressuring readers into taking immediate action, for example by clicking the contained link or opening the attachment.

A link typically leads to a counterfeit login or payment page on a domain controlled by the cybercriminal, who can then capture any information the individual enters there. An attachment typically installs malicious software on the device. Either way, the information or access obtained allows the cybercriminal to undertake criminal activity including identity theft, stealing from the user's bank accounts and, where an employee's account is compromised, gaining a foothold in the employer's systems.

What does COVID-19 have in store?

We expect to see an increase in ransomware and other attacks as cybercriminals increasingly take advantage of the publicity surrounding COVID-19.

It is likely that phishing scams will be conducted under the guise of trusted health organisations such as the World Health Organisation and government agencies such as the Australian Government Department of Health or their state-based equivalent.

As media coverage on the outbreak continues, it is likely these cybercriminals will attempt to lure individuals by:

  1. posing as a source for further information about the outbreak;
  2. identifying the person as having had contact with someone who has COVID-19;
  3. pretending to provide access to an update on the government's policy;
  4. identifying the person as the potential recipient of a government subsidy; or
  5. ironically, imitating a large organisation claiming to have been the victim of a cyber breach which requires members to update sensitive details.
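Impersonation of this kind usually shows up in the links themselves: the trusted organisation's name is used as a subdomain of an unrelated domain, re-spelled with hyphens under a different top-level domain, typo-squatted, or shown in the link text while the real target points elsewhere. The following script is an added example, not code from the original article or from McCabe Curwood: it triages the links in an HTML email body against a small allowlist of genuine domains. The allowlist entries who.int and health.gov.au are the real domains of the organisations named above; the sample email, the helper names and the short public-suffix table are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist for this example: the genuine registrable domains
# of the organisations the article says scammers impersonate.
TRUSTED_DOMAINS = {"who.int", "health.gov.au"}

# Two-label public suffixes, so that "health.gov.au" is treated as one
# registrable domain. Deliberately short; a real tool would use the
# Public Suffix List.
TWO_LABEL_SUFFIXES = {"gov.au", "com.au", "org.au", "net.au", "edu.au", "co.uk"}

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r'(?:[a-z0-9-]+\.)+[a-z]{2,}', re.I)

# Constructed sample message (not a real phishing email) exercising each pattern.
SAMPLE_EMAIL = """
<p>Dear member, a person you were in contact with has tested positive.</p>
<p>See the <a href="https://www.who.int/emergencies/diseases/novel-coronavirus-2019">WHO situation report</a>.</p>
<p>Claim your subsidy at <a href="http://health.gov.au.covid-relief.xyz/claim">https://www.health.gov.au/</a>.</p>
<p>Update your details at <a href="https://who-int.com/verify">who-int.com</a>.</p>
<p>Policy update: <a href="https://healh.gov.au/policy">health.gov.au</a></p>
"""


def registrable_domain(host: str) -> str:
    """'www.health.gov.au' -> 'health.gov.au'; 'a.b.example.com' -> 'example.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def split_name(domain: str) -> tuple:
    """Split a registrable domain into (name, public suffix)."""
    labels = domain.split(".")
    return labels[0], ".".join(labels[1:])


def squash(s: str) -> str:
    """Drop dots and hyphens so 'who-int' and 'who.int' compare equal."""
    return re.sub(r"[.-]", "", s)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> tuple:
    """Return (verdict, reason): 'trusted', 'lookalike' or 'unknown'."""
    host = host.lower()
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted", f"{domain} is on the allowlist"
    name, suffix = split_name(domain)
    for trusted in TRUSTED_DOMAINS:
        # health.gov.au.covid-relief.xyz: trusted name is only a subdomain label
        if host.startswith(trusted + ".") or f".{trusted}." in host:
            return "lookalike", f"{trusted} appears as a subdomain of {domain}"
        # who-int.com / healthgovau.com: same letters once dots and hyphens go
        if squash(name) == squash(trusted):
            return "lookalike", f"{domain} spells out {trusted} under another suffix"
        # healh.gov.au: one-character typo of the trusted name, same suffix
        t_name, t_suffix = split_name(trusted)
        if suffix == t_suffix and edit_distance(name, t_name) == 1:
            return "lookalike", f"{domain} is one edit away from {trusted}"
    return "unknown", f"{domain} is not on the allowlist"


def triage_links(html: str) -> list:
    """Extract every <a href> from an HTML email body and triage it."""
    findings = []
    for href, text in LINK_RE.findall(html):
        host = urlparse(href).hostname or ""
        verdict, reason = classify_host(host)
        reasons = [reason]
        # Link text that names a different domain from the real target
        m = HOST_IN_TEXT_RE.search(re.sub(r"<[^>]+>", "", text))
        if m and registrable_domain(m.group(0)) != registrable_domain(host):
            reasons.append(f"link text shows {m.group(0)} but target is {host}")
        findings.append({"href": href, "verdict": verdict, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_links(SAMPLE_EMAIL):
        print(finding["verdict"].upper(), finding["href"], "|", "; ".join(finding["reasons"]))
```

Run against the constructed sample, the script marks the genuine who.int link as trusted and the other three as lookalikes, and additionally reports the two links whose visible text names health.gov.au while the target is somewhere else. The allowlist approach is deliberately conservative: anything not on it is reported as unknown rather than trusted, which matches the article's advice to navigate to government sites directly rather than through a link.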

What can you do?

  1. Do not open attachments or click links received via email, text or social media relating to COVID-19. Instead, type the address of the relevant government website directly into your browser to monitor updates on the outbreak and changes in public policy.
  2. Do not respond to any email by entering personal details, and never enter passwords or banking details on a page reached from a link in an unsolicited message. If in doubt, contact the organisation using a phone number or website you already know to be genuine.
  3. Develop, implement and test a cyber security incident response plan, so that staff know who to contact and what to do when a suspicious message or a compromise is identified.
  4. Review your cyber insurance (if you have it) to make sure you understand the cover available, whether it will respond to incidents arising from working from home, and the conditions that need to be complied with.
  5. Implement preventative technologies and processes such as multi-factor authentication, particularly on email, VPN and other remote-access accounts. This limits cybercriminals' ability to access systems and sensitive information even where a password has been phished.
  6. Make sure that remote work devices are secure: kept up to date with security patches, protected by endpoint security software and disk encryption, and connected to company systems only through approved channels such as a VPN.
  7. Implement internal policies that regulate data usage and protection and place accountability with all employees.
  8. Train employees so that they are familiar with your workplace policies and standards. Ensure your employees understand how to detect a scam and how to properly respond. It is important that your employees appreciate that adequate cyber risk protection is a company-wide responsibility that cannot rest only with the board or appointed individuals.
  9. If you are a director of a company, familiarise yourself with your obligations as a director, noting that directors will continue to come under increased scrutiny in relation to cyber risk. Arrange for your Board to obtain appropriate training, including in order to understand the extent to which directors can rely upon the advice of others within their organisation to be monitoring and reporting to the Board on cyber risk.
  10. Make sure that processes are in place to meet mandatory reporting obligations in the event of a cyberattack.

Where can you go for further guidance?

Speak to McCabe Curwood as we can assist with:
  1. the drafting of internal policies to regulate data usage and protection and place accountability with all employees;
  2. training employees so that they are familiar with your workplace policies and standards;
  3. Board advisory services to ensure that Boards and key stakeholders are aware of their duties and obligations at law.

Contributors

Chiara Rawlins Principal
Foez Dewan Principal
Stephanie Andrews Lawyer