Work From Home Cybersecurity Basics: Phishing Scams (United States)

BCLP

Summary

As the Covid-19 Pandemic forces more employees than ever before to work from home (“WFH”), businesses face new and different data privacy and security risks. This change is not lost on U.S. regulators, but it does not mean that businesses will get a pass on data privacy and security issues potentially caused by the shift in working conditions. In an effort to help businesses navigate these new circumstances, BCLP has prepared a series of articles on addressing data privacy and security issues in a WFH environment.

Phishing (not to be confused with the water sport “fishing”) is a type of cyberattack whereby scammers use email or text messages to trick individuals into giving them personal information. Phishing is both common and effective, as it often targets individuals by sending a message that appears to be from a well-known source (e.g., a friend, colleague, or familiar business), looks legitimate (utilizing spoofed logos and fake email addresses), and may claim to be urgent. Remote workforces are even more vulnerable to phishing because employees are dispersed and have fewer lines of direct communication through which they can confirm unanticipated or suspicious messages.

In anticipation of this increased threat, employers managing a remote workforce should implement additional policies and trainings that focus on identifying, combating, and responding to a phishing attack when working from home. Among other things, employers should consider the following advice from the FTC: [1]

How to Identify a Phishing Scheme

  1. Train employees to look up hyperlinks and phone numbers before they click or call. Employees should always try to make sure that they are not about to download malware or talk to a scammer.
  2. Make it standard procedure to send any unusual email to IT before responding or clicking. If the company does not have an IT team, designate a contact that can screen emails when needed. Employers and employees should understand that it is better to be cautious than to provide a quick response.
  3. Explain to employees that, in the event they receive an unanticipated message from someone they know requesting information, they should first use pre-existing contact information to confirm the message’s authenticity.

How to Combat Phishing Schemes

  1. Phishing attacks can lead to ransomware attacks leveraging compromised credentials, so regularly back up company data so that it can be restored in the event a phishing attack leads to a ransomware incident.
  2. Keep all security software up to date by installing the latest patches and updates. Consider investing in email authentication and intrusion prevention software.
  3. Train your employees! The more your employees know, the more likely they are to recognize a phishing scheme. Employers should collect and share examples of phishing attempts to increase awareness of what an attack may look like.
  4. Phishing attacks often happen to more than one person in a company. Supervisors who are made aware of a phishing attempt should warn other employees to watch out for a similar message.

What to Do if an Employee Falls for a Phishing Scheme

  1. Instruct employees to immediately inform their supervisor if they suspect they have been phished.
  2. Change any compromised passwords, and disconnect from all networks any device that may have been infected with malware.
  3. If the phishing resulted in exposed email credentials, check for “rules” that may have been set up by the threat actor (e.g., auto-forwarding or auto-filing rules).
  4. Engage the company’s incident response protocol.
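
The rule check in step 3 above, as an added example that is not part of the original article or the FTC guidance: a Python review of an exported list of mailbox rules that flags forwarding to outside addresses and rules that file away or delete mail on sensitive topics. The record fields, folder names, watch words and the `example.com` domain are assumptions; map them to whatever your mail platform's rule export provides.

```python
"""Flag mailbox rules that forward mail outside the company or hide it from the owner."""

INTERNAL_DOMAINS = {"example.com"}  # assumption: the company's own mail domains
HIDING_FOLDERS = {"rss feeds", "archive", "deleted items", "junk email"}
WATCH_WORDS = {"invoice", "payment", "wire", "password", "security", "phish"}

# Constructed sample export; field names are hypothetical, not a vendor schema.
SAMPLE_RULES = [
    {"mailbox": "alice@example.com", "name": "Newsletters",
     "move_to_folder": "Reading", "keywords": ["unsubscribe"]},
    {"mailbox": "alice@example.com", "name": ".",
     "forward_to": ["collector@mail.example.net"]},
    {"mailbox": "bob@example.com", "name": "misc", "move_to_folder": "RSS Feeds",
     "mark_read": True, "keywords": ["Invoice", "password", "wire"]},
    {"mailbox": "carol@example.com", "name": "Team copy",
     "forward_to": ["shared@mail.example.com"]},
]

def is_external(address, internal=INTERNAL_DOMAINS):
    """True when the address's domain is not an internal domain or a subdomain of one."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return not any(domain == d or domain.endswith("." + d) for d in internal)

def review_rule(rule):
    """Return the reasons a single rule deserves a closer look (empty list if none)."""
    reasons = []
    for addr in rule.get("forward_to", []) + rule.get("redirect_to", []):
        if is_external(addr):
            reasons.append(f"sends copies to external address {addr}")
    folder = (rule.get("move_to_folder") or "").lower()
    hides = bool(rule.get("delete")) or folder in HIDING_FOLDERS
    words = {k.lower() for k in rule.get("keywords", [])} & WATCH_WORDS
    if hides and words:
        reasons.append("hides messages containing: " + ", ".join(sorted(words)))
    elif hides and rule.get("mark_read"):
        reasons.append("silently files or deletes mail and marks it read")
    return reasons

def audit(rules):
    """Return (mailbox, rule name, reasons) for every rule with at least one reason."""
    findings = []
    for rule in rules:
        reasons = review_rule(rule)
        if reasons:
            findings.append((rule.get("mailbox", "?"), rule.get("name", ""), reasons))
    return findings

if __name__ == "__main__":
    for mailbox, name, reasons in audit(SAMPLE_RULES):
        print(f"{mailbox}: rule {name!r}: " + "; ".join(reasons))
```

Run the review across every mailbox in the organization rather than only the reported one, since the same message often reaches several employees.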

This article is part of a multi-part series published by BCLP to help companies understand and cope with data security and privacy issues impacted by the Covid-19 Pandemic. You can find more information on specific data privacy and security issues in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.


[1] https://www.ftc.gov/tips-advice/business-center/small-businesses/cybersecurity/phishing; https://www.ftc.gov/news-events/media-resources/identity-theft-and-data-security/phishing-scams; https://www.consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BCLP | Attorney Advertising
