While many public and private organisations are protecting their staff and vulnerable members of the community from the Coronavirus (COVID-19) pandemic through social distancing and working from home arrangements, cyber criminals are undoubtedly exploiting the global situation.
Australia’s leading agency on national cyber security, the Australian Cyber Security Centre (ASCS), and the Australian Competition and Consumer Commission’s (ACCC) Scamwatch have recently reported a significant increase in the number of reported COVID-19 themed cyber-attacks, and these numbers continue to rise.
Australian businesses and government agencies should be aware of the heightened risk of cybercrime – and the potential for substantial financial loss, reputational harm, legal exposure, and disruption to business. Now is the time for businesses and government agencies to consider reasonable, practical steps to prevent, and respond to, these risks.
Please note that, as the COVID-19 cyber environment is constantly changing, this article does not cover every instance of cyber vulnerability. Australian businesses and government agencies should regularly consult government guidance on the latest COVID-19 cyber threats. Cybercrime can be reported to the ASCS’s ReportCyber and the ACCC.
Common COVID-19-related cyber threats
- Phishing scams
Cyber criminals are sending phishing emails and SMS messages disguised as reputable organisations (for example, World Health Organisation and health organisations) or government entities, seeking to deceive victims into clicking on malicious links and attachments designed to gain access to their personal, sensitive and financial information.
To increase the appearance of legitimacy, these fraudulent emails are sent from addresses that closely resemble official organisations or entities, often including their well-known trade marks and other imagery.
Often, emails and SMS messages include links to items of interest, such as “COVID-19 Response: 5 Tips for Securing Remote Workplace”, “Coronavirus: New Confirmed Cases in your City” and “updated cases of the coronavirus near you”.
Landing pages for these false links may appear sophisticated and legitimate. However, the websites are often malicious and may be designed to access users’ personal details.
The Office of the Australian Information Commissioner’s (OAIC) reported that phishing scams are the most common cause of notifiable data breaches under the Privacy Act 1988 (Cth). Public and private organisations should ensure that they maintain practices, procedures and systems to mitigate the possibility of a data breach.
- Products claiming to be a vaccine or cure for COVID-19
Individuals have received emails purporting to hail from regional medical providers selling products claiming to treat or prevent COVID-19. The attachments in the emails often contain malware designed to steal the victim’s personal and financial information.
- Investment scams claiming COVID-19 has created opportunities
The Australian Government’s MoneySmart and the ACCC have received reports of scammers trying to steal victim’s information using “investment opportunities” to make your money back from sharemarket losses. Investors should carefully research proposed investment opportunities.
Protect your business from COVID-19 cyber threats
Fighting cyber threats requires a multifaceted defence strategy. The Australian Signals Directorate’s ACSC encourages Australian organisations to remain vigilant and ensure sound cyber security practices, which can be found here.
According to the OAIC’s Notifiable Data Breaches Statistics Report, among the 537 breaches notified from July to December 2019, human error was the second leading cause of data breaches. It is important for businesses to train employees on how to pay close attention to actual or potential cyber threats and act in such situations, particularly as we may see more permanent sustained remote working arrangements post COVID-19.
Taking practical steps will help ensure that your business is well-equipped to proactively plan for and respond to cyber threats. The ability to effectively and swiftly mitigate and respond to cyber risks will enable you to minimise the potential impact of a cyber-attack and allow you focus on running your business.
FAL Lawyers has expertise in privacy and data security. Contact us and we can assist you in identifying ways in which you can take steps to protect your IT assets (including information). For businesses and government agencies, a key issue will be to ensure that your agreements with service providers contain appropriate privacy and data security clauses.
 OAIC, Notifiable Data Breaches scheme 12-month insights report, 13 May 2019, https://www.oaic.gov.au/assets/privacy/notifiable-data-breaches-scheme/statistics/ndb-scheme-12month-insights-report.pdf, page 4.
 Office of the Australian Information Commissioner, Notifiable Data Breaches Report: July-December 2019, 28 February 2020, https://www.oaic.gov.au/assets/privacy/notifiable-data-breaches-scheme/statistics/Notifiable-Data-Breaches-Report-July-December-2019.pdf, pg 3.