“We’re all in this together!” is not a mantra espoused by cyber-criminals, who are treating Covid-19 as an opportunity to target companies as well as individuals, since both are in a more vulnerable position than usual. Emily Cox, a partner in our Media Disputes team, considers which scams are on the rise, what companies can do to mitigate the risk of infiltration and what they should do if they have been compromised.
There has been an explosion in scams during the pandemic. Action Fraud (the UK’s national fraud and cyber-crime reporting centre) reported a 400% increase in coronavirus-related fraud reports in March alone.
Many of these scams target elderly people and include encouraging them to switch accounts online while bank branches are shut, asking for donations to help the NHS and door-to-door home-testing for Covid-19.
But companies, which are just as vulnerable to human error, are also being hit. Remote working (with its potential for unmonitored devices, out-of-date antivirus software and unsecured home Wi-Fi), the use of USB flash drives and the boom in video conferencing all increase the risks compared with usual working conditions. Some companies may also have suspended basic security controls, such as two-factor authentication, in order to get remote working off the ground quickly.
What types of scams are on the rise?
Three commonly reported scams targeting businesses at this time are:
- Government Job Retention Scheme and grant or tax refund scams
The government’s Job Retention Scheme, by which it is paying 80% of the salaries of furloughed staff, went live on Monday, 20 April 2020. Cifas (the cross-sector fraud prevention association) reported an immediate rise in business owners being targeted by phishing emails purporting to be from HMRC. Businesses are also receiving phishing emails telling them that their cash grant or tax refund application has been processed and asking them to click on a link or download an attachment that infects systems with malware.
- Invoice or mandate scams
Mandate fraud occurs when an employee is deceived into changing a regular payment mandate (such as a direct debit, standing order or bank transfer) when contacted by an individual purporting to be from a supplier or other typical payee. Employees may find it harder, when remote working, to adopt standard security and verification processes to check that the change in instruction is genuine.
- CEO impersonation scams
CEO impersonation fraud takes place when a scam email purporting to be from the CEO or another senior figure in an organisation is sent (typically) to the finance team requesting that an urgent payment be made to a third party. The email is often timed to arrive when the ‘sender’ is away from the office, making it difficult to check whether or not it is genuine.
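As an added illustration (not from the original article), the following Python script runs the mechanical header and content checks that a finance team or mail gateway can apply to the kind of message described above, and to the fake HMRC emails mentioned earlier: a senior person's name in the display part of the address but not their known mailbox, a sender domain that merely resembles the company's, a Reply-To that silently routes answers elsewhere, and pressure-to-pay language. The organisation domain, the executive directory and both sample messages are constructed for the example.

```python
"""Flag the mechanical signs of a CEO-impersonation or lookalike-domain phishing email.

Added example; the domain, executive directory and sample messages below are
constructed for illustration and are not from any real organisation.
"""
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.com"                     # assumed: the organisation's own mail domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # assumed: display name -> known address
URGENT_TERMS = ("urgent", "wire", "transfer", "bank details",
                "new account", "immediately", "confidential")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short domain names, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True if `domain` is a typosquat of `trusted`: one edit away, or identical
    after undoing common visual substitutions (rn->m, 1->l, 0->o)."""
    if not domain or domain == trusted:
        return False
    normalised = domain.replace("rn", "m").replace("1", "l").replace("0", "o")
    return normalised == trusted or _edit_distance(domain, trusted) <= 1


def assess(raw_message: str) -> list[str]:
    """Return the list of red flags found in an RFC 5322 message (empty if none)."""
    msg = message_from_string(raw_message, policy=default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(from_addr)
    flags = []

    # 1. A senior name in the display part, but not that person's known address.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        flags.append("display_name_impersonation")

    # 2. Sender domain that merely resembles the company's real domain.
    if is_lookalike(from_domain):
        flags.append("lookalike_domain")

    # 3. Replies silently routed to a different domain (often a webmail account).
    if reply_addr and _domain(reply_addr) != from_domain:
        flags.append("reply_to_mismatch")

    # 4. Pressure-to-pay language in subject or body; two or more terms trips it.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    if sum(term in text for term in URGENT_TERMS) >= 2:
        flags.append("urgent_payment_language")

    return flags


# Constructed sample messages (not real traffic).
FRAUD_MSG = (
    "From: Jane Doe <jane.doe@examp1e.com>\n"
    "Reply-To: jane.doe.ceo@gmail.com\n"
    "To: finance@example.com\n"
    "Subject: Urgent wire transfer\n"
    "\n"
    "I am in meetings all day and cannot take calls. Please transfer GBP 24,000\n"
    "to the new account details below immediately.\n"
)
LEGIT_MSG = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: finance@example.com\n"
    "Subject: Board pack\n"
    "\n"
    "Please find the board pack attached.\n"
)

if __name__ == "__main__":
    for label, raw in (("fraud", FRAUD_MSG), ("legit", LEGIT_MSG)):
        print(label, assess(raw) or ["no flags"])
```

None of these checks proves a message is fraudulent, and a compromised genuine mailbox passes all four; they are a cheap first filter that should feed the human step the NCSC recommends, namely stopping and verifying any payment instruction by a separate channel such as a phone number already on file.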
The cost of scams
Mandate and CEO impersonation scams result in ‘misdirected’ payments; in other words, the payer sends payment to someone other than the intended recipient. Despite the progress made by Which?, the Payment Systems Regulator and industry with the Contingent Reimbursement Model Code for authorised push payment (APP) scams, Confirmation of Payee checks (matching the payee name against the account before the transfer is released) are still not the norm. Reimbursement by the paying bank is likely to be refused if the employee failed to take the usual verification steps.
Fake HMRC emails (or indeed fake courier or tech support emails) that result in malware infection raise different and potentially more complex issues for companies as cyber-criminals gain access to devices and networks and what is stored on them. Data may be stolen and used or re-sold on the dark web.
A variant of malware is ransomware, which encrypts the data on a target’s computers and demands payment for the key needed to decrypt it and restore access. Payment does not guarantee recovery, and the affected systems are typically unusable in the meantime: Coveware’s Ransomware Marketplace Report indicates that the average ransomware incident in the first quarter of 2019 lasted a paralysing 7.3 days.
A data breach costs a UK company an average of US$3.88m, according to the 2019 Cost of a Data Breach report by IBM Security and the Ponemon Institute. This figure is based on interviews with more than 500 companies that had experienced a recent data breach. The report takes into account various cost factors, including legal, regulatory and technical activities, loss of brand equity, customer turnover, and the drain on employee mental health and productivity (which is now more of a factor than ever).
What can a company do to protect itself?
There is a raft of advice and resources that have been published to address the rise of scams during the pandemic.
On 20 April 2020, a new cross-governmental Cyber Aware campaign was launched by the National Cyber Security Centre (NCSC), a part of GCHQ, working alongside the Home Office, the Cabinet Office and the Department for Digital, Culture, Media and Sport (DCMS). As part of this, the NCSC has issued separate guidance for large businesses, SMEs, sole traders and the self-employed, and individuals on various topics including the secure use of video conferencing services and mitigating the risks of malware and ransomware attacks. Top-level tips for large companies include:
- ensuring two-factor authentication is in place;
- making sure software updates are installed;
- giving employees the lowest level of privilege their role requires (in particular, no local administrator rights on their devices), so that the impact of a successful phishing attack is limited;
- making regular back-ups that are kept offline or otherwise separated from the company’s network, so that malware and ransomware cannot reach and encrypt them; and
- embedding a culture of stopping, not rushing and verifying any request to make an urgent payment, change supplier bank details, or provide financial information.
The NCSC has also launched the Suspicious Email Reporting Service, co-developed with the City of London Police, to make it easier for corporates and individuals to forward suspicious emails to the NCSC. In its first week after launching, 395 phishing sites were taken down.
Other organisations have launched complementary initiatives: National Trading Standards has launched Businesses Against Scams, with tools to help upskill the workforce; Cifas has published guidance and reports on the latest scams; and Which? has launched a scams alert service.
Companies should make use of these resources, depending on their individual needs and culture, and ensure that the cyber-security message is (re-)disseminated to employees through education and testing. The messaging should be clear that this is training, rather than an attempt to catch anyone out, given that employee stress levels will be high at this time.
What can a company do when it is faced with a data incident?
If a suspected data incident occurs, the business’s prepared incident response plan should be engaged. It will include the following points (these are, of course, not comprehensive):
- Incident response plan and team
The incident response plan, which may have been varied as a result of the pandemic, will require immediate engagement with identified stakeholders. Different stakeholders (which may include Information Security, Legal, Public Relations and others) have their own distinct responsibilities when an incident has taken place in relation to investigation, damage-limitation, reporting and any post-incident review.
One of the first things to do when there has been a data incident is to decide whether notification is required and, if so, to which authorities and (sometimes) to which individuals. Under the GDPR, a personal data breach must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it, unless it is unlikely to result in a risk to individuals, so the decision cannot be deferred. Whether they are in-house or external, best practice is to seek the advice of lawyers to help discern the position on notification and whether it is necessary. It may be an administratively costly mistake to make a notification that is not required, since that sets in train a regulatory process that then needs to be completed. Failure to notify a notifiable breach to the proper entities and individuals, in the correct way and at the right time, exposes organisations to potential enforcement action by regulators.
The Information Commissioner’s Office (ICO) issued new guidance in April that announced a softer regulatory approach to enforcement of data breaches during the current crisis. But it has also said it will take a strong regulatory approach against any organisations breaching data protection laws and taking advantage of the current crisis. Organisations should therefore remain proactive in reporting data breaches, where this is required.
- Reputational issues
Whether a company needs to make formal notifications about a data incident or not, an incident can cause significant reputational damage. As such, the company will need to consider whether to hire a media crisis communications company to deal with potential or actual coverage in the press and on social media.
- The importance of legal professional privilege
When a data incident is being investigated and contained, it is advantageous to a company for many of its communications relating to the incident to be protected from disclosure to third parties and the courts by legal professional privilege. Privilege attaches only to communications made with or through lawyers, which is why, for example, external forensic investigators are commonly instructed by the company’s lawyers rather than directly. Various legal tests are applied to discern whether legal professional privilege applies to a given communication, and lawyers can assist companies in navigating this legal minefield.
Data incidents can, of course, give rise to costly regulatory investigations. The ICO now has the power to impose a fine of up to €20m or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher. And claims for compensation may yet dwarf any fine, as the multi-billion pound compensation claim of Lloyd v Google, which is making its way to the Supreme Court, attests. But that is a story for another day. For now, we’re all in this together.