A guide to staying safe online during a global pandemic
This guide covers some of the emerging threats due to the mainstream adoption of remote work, school, and socializing following the worldwide stay-at-home orders. A number of new scams, phishing attacks, and misinformation campaigns have also launched to take advantage of the COVID-19 fallout. This guide contains information about how to stay safe and includes resources to take action and increase personal cybersecurity.
The coronavirus pandemic and its resulting disease, COVID-19, have dominated every aspect of our global society for weeks. Our entire lives are seen through the lens of this surreal experience. News, social media, and human-to-human conversation, what there is left of it, always contains some reflection of the Coronavirus.
As we come to terms with and even embrace the steps necessary to protect ourselves from this virus, we must also be cognizant of the ancillary threats that accompany every disaster. Lurking in the shadows of our society are those individuals, often scheming with like-minded miscreants, who relish the opportunity to leverage fear and confusion for their gain.
This guide is designed to bring into focus those threats that have risen along with the Coronavirus and to provide resources for avoiding and mitigating dangers. As the events of this pandemic are unprecedented in the lives of those of us experiencing it now, we can expect new and unforeseen threats to yet arise. As new threats emerge or as new resources for avoiding and mitigating these risks come to light, we will update this guide accordingly.
Security when working or studying from home
With the notable exception of first responders and other essential service providers, nearly everyone is under a stay-at-home order. Some are able to work from home, others attend virtual classes, and unfortunately, some people’s lives are simply on hold until the Coronavirus recedes.
Regardless of their circumstances, nearly everyone is spending additional time online. Connecting from home, often using personal devices for business purposes, brings with it significant security challenges. Learning to use unfamiliar software applications for work, for school, or simply to provide a diversion from the tedium of being locked down introduces new and heightened risks.
A more comprehensive guide about personal security tactics as a remote student or online learner can be found in our student guide to internet safety.
Virtual meeting security
Advances in the information technologies used for telecommuting propelled a meteoric rise in the adoption of virtual meetings well before those lucky enough to retain their jobs during today’s pandemic were forced to work from home.
In the wake of COVID-19, many news outlets have found it convenient to tout the security risks associated with popular virtual meeting platforms. The truth is, however, that more than software vulnerabilities, recent work-from-home orders have exposed a need for additional security awareness and training. Virtual meeting software developers can always improve their products, to be sure, but users hold the key to better virtual meeting security.
Preventing eavesdropping on virtual meetings and classrooms
Unwanted visitors in a virtual environment are a significant source of concern. Without the luxury of gathering groups of workers together in person any longer, all manner of sensitive information must now be discussed in virtual meetings.
The practice of crashing a virtual meeting or class has given rise to an addition to our popular lexicon. Taking its name from a few incidents involving the popular virtual meeting platform, Zoom, the term Zoom bombing has come to define the act of disrupting a meeting to which you were not invited. The malicious intent of Zoom bombing is to disrupt using insults, racial slurs, and profanity.
Poor security practices create the risk of a meeting falling victim to Zoom bombing. Practices such as the use of social media to post the login credentials needed to join a virtual meeting make it easy for anyone disposed to create mayhem to join the meeting or class.
Sometimes the intent of the bad actor is more malicious than simple disruption. If sensitive information is being discussed, there is a danger of an uninvited guest accessing the virtual event for eavesdropping to gather information that can be used in a malicious campaign. The hazards of Zoom bombing and eavesdropping must be mitigated, and the following steps will help.
- Follow prescribed policies for virtual meeting security. Security is almost always at odds with convenience. When working with an unfamiliar software tool, there can be a tendency to meet the basic operational requirements and worry about security issues later. Many of the recent security issues related to virtual meetings could have been avoided with adherence to the organization’s security policies.
- Each meeting should have a unique access code. If the platform has provision for each user to have a unique access code, that should be the policy. Reusing a previous access code or launching a meeting that does not require an access code is an invitation for eavesdropping. The absence or reuse of access codes should only be considered if there is no chance of sensitive information being discussed.
- Use a “green room” or “waiting room” and don’t allow the meeting to begin until the host joins. The host should be required to allow admittance to the meeting for each attendee.
- Don’t record the meeting unless it’s necessary.
- Disable features you don’t need (like chat, file sharing, or screen sharing).
- Do not distribute login credentials using publicly accessible social media platforms.
- Consider using a PIN to prevent someone from crashing your meeting by guessing your URL or meeting ID.
- Limit who can share their screen to avoid any unwanted or unexpected images. And before anyone shares their screen, remind them not to share sensitive information inadvertently.
Malware and virtual meeting tools
Introducing malware to a victim’s computer via a virtual meeting platform requires much more determination and a higher skill level than does simple Zoom bombing, but it can be done. For this type of attack, there is nothing inherently riskier about virtual meeting platforms than about any other software. The risk lies in the unfounded trust placed in others in the same virtual meeting.
The prohibition of clicking on a link from an unknown or untrustworthy source is cyber-hygiene 101. Even children are taught the dangers of this type of behavior. But what if that link comes to a user in the chat panel of a virtual meeting platform? The natural assumption is that the other attendees in that meeting or class can be trusted, at least to some degree.
Some incidents have been reported where unknown and unwelcome bad actors have obtained login credentials to attend virtual meetings and then sent malicious links to other attendees using the platform’s chat function. Users must always keep their guard up. When in doubt, do not click an unsolicited link, even if coming from someone inside a virtual meeting.
Learn more about cybersecurity for small business owners trying to operate remotely in our cybersecurity for small business guide.
Protecting children from online predators
The FBI has warned that children who are home from school and spending more time online may be at increased risk for exploitation. Due to this newly developing environment, the FBI is seeking to warn parents, educators, caregivers, and children about the dangers of online sexual exploitation and signs of child abuse.
Parents and guardians can take the following measures to help educate and prevent children from becoming victims of child predators and sexual exploitation during this time of national emergency:
Online child exploitation
- Discuss Internet safety with children of all ages when they engage in online activity.
- Review and approve games and apps before they are downloaded.
- Make sure privacy settings are set to the strictest level possible for online gaming systems and electronic devices.
- Monitor your children’s use of the Internet; keep electronic devices in an open, common room of the house.
- Check your children’s profiles and what they post online.
- Explain to your children that images posted online will be permanently on the internet.
- Make sure children know that anyone who asks a child to engage in sexually explicit activity online should be reported to a parent, guardian, or other trusted adult and law enforcement.
- Remember that victims should not be afraid to tell law enforcement if they are sexually exploited. It is not a crime for a child to send sexually explicit images to someone if they are compelled or coerced to do so.
Protecting privacy and data
The rules for protecting data are ever-changing. People were getting used to the idea of governments taking a real interest in protecting their data, then COVID-19 came along and changed all that.
As the health and economic effects of the Coronavirus force themselves onto the political and policymaking landscape, there is a great reshuffling of societal priorities, including the importance of data privacy, taking place. “Lives over privacy” is the emerging mantra. While it’s hard to argue against such a position, it is certainly something that should be observed carefully to ensure that as society lurches along trying to find our new normal, the idea of protecting personal privacy does not permanently diminish.
Of concern to many is the current discussion about using cell phone data to track the movement and location of individuals. This data could be useful in monitoring the spread of the COVID-19 disease and notifying people that may have come in contact with someone found to have been infected. Cell phone location data could also be useful in determining when dangerous congregating behavior is being displayed.
Once that metaphoric genie has been let out of the bottle, how difficult will it be to get it back in? Even people who subscribe to the “if you’re not doing anything wrong, what difference does it make what data the government collects about you?” argument are unnerved by the thought of laying bare their physical location and movement history. But once governments and tech titans are allowed to gather and integrate new forms of data about people, will they give it up, or will they find another reason to continue tracking once this current emergency has dissipated?
The US does not have a single office tasked with data privacy issues nationwide. Still, government agencies are altering privacy standards to deal with the coronavirus outbreak. Recently, the Department of Health and Human Services said it was waiving penalties for violations related to health data privacy standards so more doctors could video chat with patients.
The California attorney general’s office has said it would start enforcing the California Consumer Privacy Act (CCPA) by July 1, 2020. Still, a group of 34 trade organizations has already asked the office to postpone enforcement until January 2, 2021. Presumably, this is another indication that companies have reprioritized data privacy.
The Trump administration has been in discussions with major tech companies on how it can use their data to track the coronavirus outbreak, similar to measures that China and South Korea have taken.
In a statement to CNET, Google said it was “exploring ways that aggregated anonymized location information could help in the fight against COVID-19.”
A Facebook spokeswoman said that the company has been briefing the Centers for Disease Control and Prevention on how it creates de-identified data maps to help researchers track diseases but hasn’t provided any data to the government.
In addition to how Personally Identifiable Information (PII) is protected, and the use of cell phones for tracking people, the rules about health care information may also be in flux. In the US, employers must balance the requirement to keep employee health information confidential, as required by the Health Insurance Portability and Accountability Act (HIPAA), all the while maintaining a safe worksite in compliance with the Occupational Safety and Health Act (OSH Act).
“The uncertainty associated with the Coronavirus may motivate employers to ask employees about their medical conditions. We caution employers to remember that inquiries about an employee’s disability status are limited,” wrote attorney Carrie B. Cherveny, senior vice president for strategic client solutions and compliance and Mingee Kim, senior vice president and certified leave management specialist at Hub International.
“In a nutshell, if the employer learns of the employee’s medical information, condition, diagnosis, etc., through the health plan, then that information is likely protected under HIPAA,” they noted. “Employers may make disability-related inquiries and require medical examinations only if inquiries and examinations are ‘job-related and consistent with business necessity.’”
Financial scams
We live in a world where the adversaries of decency see any tragedy, emergency, fear, or confusion as an opportunity for personal or political gain. Scammers have seemed to materialize right from the very woodwork of our society to capitalize on this pandemic. Their ploys and cons are, in most cases, just refurbished versions of what has been used in the past but presented with a fresh COVID-19 paint job.
The three modern-day adages of never click an unsolicited link, don’t trust emails or text messages from unknown sources, and if it seems too good to be true, it probably is, will go a long way toward avoiding becoming a victim of scammers.
COVID-19 email scams
Unsolicited emails that prompt users to click on an attachment should always be deleted without further interaction. Security professionals have touted this precaution for decades, but these classic email phishing scams still lure unsuspecting users into downloading malicious items and giving up their login information every day.
With the news that the US Government is sending payments of up to $1,200 in coronavirus relief to taxpayers, the FBI recently issued a warning to be on alert for attackers masquerading as the agency and asking for personal information supposedly to receive your check. “While talk of economic stimulus checks has been in the news cycle, government agencies are not sending unsolicited emails seeking your private information to send you money,” the warning said.
Common email scams currently circulating include:
- CDC alerts. Cybercriminals have sent phishing emails designed to look like they’re from the U.S. Centers for Disease Control. The email might falsely claim to link to a list of coronavirus cases in your area. “You are immediately advised to go through the cases above for safety hazards,” the text of one phishing email reads.
- Health advice emails. Phishers have sent emails that offer purported medical advice to help protect you against the Coronavirus. The emails might claim to be from medical experts near Wuhan, China, where the coronavirus outbreak began. “This little measure can save you,” one phishing email says. “Use the link below to download Safety Measures.”
- Workplace policy emails. Cybercriminals have targeted employees’ workplace email accounts. One phishing email begins, “All, Due to the coronavirus outbreak, [company name] is actively taking safety precautions by instituting a Communicable Disease Management Policy.” If you click on the fake company policy, you’ll download malicious software.
Here are some tips to avoid getting tricked:
- Beware of online requests for personal information. A coronavirus-themed email that seeks personal information like your Social Security number or login information is a phishing scam. Legitimate government agencies won’t ask for that information. Never respond to the email with your personal data.
- Check the email address or link. You can inspect a link by hovering your mouse pointer over it to see where it actually leads. Sometimes it’s obvious the web address is not legitimate. But keep in mind that phishers can create links that closely resemble legitimate addresses. Delete the email.
- Watch for spelling and grammatical mistakes. If an email includes spelling, punctuation, and grammar errors, it’s likely a sign you’ve received a phishing email. Delete it.
- Look for generic greetings. Phishing emails are unlikely to use your name. Greetings like “Dear sir or madam” signal an email is not legitimate.
- Avoid emails that insist you act now. Phishing emails often try to create a sense of urgency or demand immediate action. The goal is to get you to click on a link and provide personal information — right now. Instead, delete the message.
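The “check the link” tip above can be automated for a mailbox or helpdesk triage queue. The following is an added example, not code from the original guide: it extracts every link from an HTML email body and flags the signs the tips describe, namely display text that differs from the real destination, raw IP hosts, untrusted hosts stuffed with COVID or stimulus keywords (like the domains discussed under website scams below), and document downloads from untrusted hosts. The allowlist, keyword list and sample emails are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: the hosts this guide points to as trusted sources (subdomains accepted).
TRUSTED_HOSTS = {"cdc.gov", "coronavirus.gov", "usa.gov", "who.int", "fbi.gov", "ftc.gov"}
LURE_KEYWORDS = ("covid", "coronavirus", "stimulus", "cdc")   # words packed into lookalike domains
DOWNLOAD_EXT = (".doc", ".docm", ".xls", ".xlsm", ".zip", ".exe", ".scr", ".js")  # "policy" lures

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    # Last two labels only; production code should consult the public suffix list.
    return ".".join(host.lower().split(".")[-2:])

def is_trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

def inspect_link(href, text):
    """Return the list of suspicion codes for one link; an empty list means nothing was found."""
    url = urlparse(href)
    host = (url.hostname or "").lower()
    findings = []
    # 1. Visible text that looks like an address but differs from where the link really goes.
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if shown and registrable(shown.group(1)) != registrable(host):
        findings.append("text/host mismatch")
    # 2. A raw IP address in place of a name.
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("ip literal host")
    # 3. Hosts outside the allowlist get the keyword and download checks.
    if not is_trusted(host):
        if any(k in host for k in LURE_KEYWORDS):
            findings.append("lure keyword in untrusted host")
        if url.path.lower().endswith(DOWNLOAD_EXT):
            findings.append("downloadable file from untrusted host")
    return findings

def triage(html_body):
    """Map each link in the body to its findings, i.e. an automated version of 'hover and look'."""
    parser = LinkExtractor()
    parser.feed(html_body)
    return {href: inspect_link(href, text) for href, text in parser.links}

# Constructed samples modelled on the CDC-alert and workplace-policy lures quoted above.
CDC_ALERT = ('<p>You are immediately advised to go through the cases above for safety hazards: '
             '<a href="http://cdc-gov-covid-19-cases.com/update">https://www.cdc.gov/coronavirus</a></p>')
POLICY = ('<p>Please read the Communicable Disease Management Policy '
          '<a href="https://covid-19-stimulus.com/policy.doc">here</a>.</p>')
LEGIT = '<p>Latest guidance: <a href="https://www.cdc.gov/coronavirus/2019-ncov/">cdc.gov</a></p>'
```

Running `triage()` over the three samples flags both lures and leaves the genuine CDC link clean; an empty list is a hint, not proof, so unexpected links still warrant the manual check.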
COVID-19 website scams
New data from security firm Tessian found that 673 domains related to the $2T stimulus package have been registered since the US government announced on March 19 it would issue checks.
The domains use common questions or keywords (such as whereismystimuluscheck.com or covid-19-stimulus.com), banking on the fact that many people will prioritize convenience over security while seeking out stimulus information.
Key findings from Tessian’s analysis (domains registered between March 17 and April 13, 2020):
- 25% of the stimulus-related domains were educational, featuring expert resources such as consultants, lawyers or blogs to help with paperwork
- 10% of the domains offered a calculator tool for citizens to enter details to determine their eligibility to receive the stimulus check, which may require them entering their salary, address or other personal information
- 7% of the domains were spam websites with no clear call to action
- 7% of the domains were aimed at giving people the opportunity to donate their check to a COVID-19 related cause
- 7% of the domains offered loans to businesses as they weather the pandemic
Trusted sources
The FBI has reported a global increase in malicious cyber activity exploiting fear derived from the COVID-19 pandemic. Included in this increase are targeted email phishing attempts against US-based medical providers.
These attempts leveraged email subject lines and content related to COVID-19 to distribute malicious attachments. An FBI press release of April 15, 2020 said, “the COVID-19 pandemic provides criminal opportunities on a scale likely to dwarf anything seen before. The speed at which criminals are devising, and executing their schemes is truly breathtaking.”
Other FBI COVID-19 related warnings can be found here:
- FBI Warns of Advance Fee and BEC Schemes Related to Procurement of PPE and Other Supplies During COVID-19 Pandemic
- FBI Expects a Rise in Scams Involving Cryptocurrency Related to the COVID-19 Pandemic
- FBI Warns of Emerging Health Care Fraud Schemes Related to COVID-19 Pandemic
- FBI Warns of Money Mule Schemes Exploiting the COVID-19 Pandemic
- Cyber Actors Take Advantage of COVID-19 Pandemic to Exploit Increased Use of Virtual Environments
The US Federal Trade Commission (FTC) warns that scammers are taking advantage of fears surrounding the coronavirus. They offer these specific steps to avoid these emerging scams:
- Do not respond to texts, emails, or calls about checks from the government.
- Ignore online offers for vaccinations and home test kits. There are no products proven to treat or prevent COVID-19 at this time.
- Hang up on robocalls. Scammers are using illegal robocalls to pitch everything from low-priced health insurance to work-at-home schemes.
- Watch for emails claiming to be from the CDC or WHO. Use sites like coronavirus.gov and usa.gov/coronavirus to get the latest information. And don’t click on links from sources you don’t know.
- Do your homework when it comes to donations. Never donate in cash, by gift card, or by wiring money.
Additional resources
Many Federal agencies and trusted businesses are regularly posting current information on their websites to keep citizens well informed. Companies and individuals should proactively find the information required to make informed decisions by reviewing trusted government and business websites and other resources rather than trusting unsolicited information from unknown sources.
Relevant and interesting FTC Blog Posts addressing current coronavirus scams:
- Scammers are using COVID-19 messages to scam people
- Remote learning and children’s privacy
- Coronavirus checks: flattening the scam curve
- Avoiding SSA scams during COVID-19
- Avoid scams while finding help during quarantine
- The FTC keeps attacking robocalls
- Grandparent scams in the age of Coronavirus
- Small businesses: Where to go for financial relief information
- While you’re at home, spot the scams
- Want to get your Coronavirus relief check? Scammers do too.
- 60 and over in the time of COVID-19? Read on
- Socially distancing from COVID-19 robocall scams
- Thinking critically about Coronavirus news and information
- Seven Coronavirus scams targeting your business
- Now more than ever, spot the scams with #FTCScamBingo
- FTC: Coronavirus scams, Part 2
- Online security tips for working from home
- Checks from the government
- FTC & FDA: Warnings sent to sellers of scam Coronavirus treatments
- Coronavirus: Scammers follow the headlines
- FTC, FDA warn companies making Coronavirus claims
Recordings of Scammer Calls About the Coronavirus:
- Fake tests for Medicare recipients
- Free test kit scam
- Sanitation supplies
- Health insurance pitches
- Mortgage scam
- Social Security Administration scam
- Small business listing scam
Other trusted resources can include:
- Coronavirus Disease 2019 (COVID-19)
- What the US Government is Doing
- Centers for Disease Control and Prevention (CDC)
- US Food and Drug Administration (FDA)
This guide was last updated in April 2020. To learn more about personal cybersecurity, please check out our resources section.