The Cybercrime Pandemic
COVID-19 Crisis Results in Perfect Storm for Cybercriminals
by David Lee, Director, Aon Attorneys Advantage
“It’s just easier, frankly, to hack a remote user than it is someone sitting inside their office environment.”
Tom Kellermann, Cybersecurity Strategist, VMware, Inc.[1]
Although Rhode Island Governor Gina Raimondo began lifting stay-at-home orders on May 8, 2020, Frank Whitman, like a lot of attorneys, is still working from home. He sits down at his computer and opens Outlook. The first email that catches his eye is from the Centers for Disease Control (CDC).
In an official-looking notice bearing the CDC logo he reads:
“We have been informed that you have been in contact with a patient at Rhode Island Hospital that has tested positive for COVID-19. To prevent further spread of the virus, you must immediately go to the CDC portal to schedule a coronavirus test…”
Upset, sweat beginning to bead on his forehead, Frank clicks on the link. Gotcha!
Frank just fell victim to the cybercrime pandemic. His computer system has been hacked.[2]
Frank fell prey to the most common form of cybercrime, a phishing email. As soon as he clicked the link within the email, his computer was infected with some form of malware. Frank may not even be aware of the intrusion. In the background, a bad actor is copying his client files and preparing to sell them on the dark web.
Roughly one-half of all email is spam, and 73% of all spam is malicious.[3]
Well-educated professionals, including lawyers, click on links in phishing emails constantly. This is the #1 cyber threat facing all businesses, and law firms are no exception.
Instead of selling Frank’s data, the cybercriminal may have inserted ransomware into his computer that encrypts his files, blocking access to them. Frank will receive an email stating he can kiss his files goodbye unless he wires a ransom in bitcoins, usually to an offshore bank account.
- 18% of cyberattacks in 2019 involved ransomware
- Between February and March of 2020, ransomware attacks increased by 148%
- The average ransom cost to release files: $84,116[4]
The coronavirus is causing more than physical harm. It’s inflicting severe financial harm.
Experts predict cybercrime damage costs could potentially double during the crisis.[5]
While Americans grapple with stay-at-home orders, cybercriminals have been extremely active. The most common coronavirus-related phishing attacks involve:[6]
- Fraudulent e-commerce sites for N95 masks, hand sanitizers and test kits
- Spoofing government and health organization communications
- Phony advertisements for vaccines and miracle cures
- Fake charity sites and employment offers
- Schemes for getting government assistance checks quicker
During the first three months of 2020, the U.S. Federal Trade Commission states, these types of cyber scams cost Americans $13.44 million.[7]
Those are only the attacks reported to the FTC. Many more go unreported and may go undiscovered for months.
You may avoid a phishing email only to fall prey to a ‘watering hole’ attack. Of the 300,000 global websites related to the coronavirus launched since January 9, approximately one-third have been declared ‘malicious.’[8]
You think you are visiting the CDC, WHO or another legitimate site seeking information, but instead a bad actor has just planted malware in your system.
Hackers are using stay-at-home orders to exploit remote vulnerabilities.
Social distancing and stay-at-home orders have triggered the largest work-from-home effort in history.
Think that you are safe working from home because you use a virtual private network (VPN) or the cloud? Unfortunately, IT experts report that neither a VPN nor the cloud is bulletproof.[9][10]
Many Americans are now working on their own personal devices, which simply lack the protections of their office equipment.
The FBI warned on April 1 that cybercriminals are specifically targeting businesses working from home during the COVID-19 pandemic. The alert states:
“The COVID-19 pandemic has led to a spike in businesses teleworking to communicate and share information over the internet. With this knowledge, malicious cyber actors are looking for ways to exploit telework software vulnerabilities in order to obtain sensitive information, eavesdrop on conference calls or virtual meetings, or conduct other malicious activities.”[11]
Cybersecurity experts agree that the current situation presents a broad range of vulnerabilities that cybercriminals can exploit. For example, the video conferencing platform Zoom has added millions of users in recent months, but people often overlook its security features in favor of ease-of-use features, leaving themselves exposed.[12]
Unless you are an IT expert, while working from home your login credentials and confidential client data may become exposed to cybercriminals. Hackers are far more tech savvy than the general population. Some even use sophisticated artificial intelligence programs to roam the net searching for vulnerable systems.
Law firms provide a target-rich environment for cybercriminals.
For attorneys, the potential fallout is more dire than having your Social Security number or credit card stolen. The assets cybercriminals want to get their fingers on are your login credentials and confidential client files.
Think about personal client information stored on your system. It could involve intellectual property, banking information or real estate. What if the information in your possession protected by client-attorney privilege was suddenly posted publicly? What would that do to your reputation?
While many attorneys may feel they are immune to cyberattacks, that’s simply not the case. Stories abound about how hackers have used social engineering to infiltrate law firms. They’ve become so commonplace you may even know someone personally affected.
Social engineering attacks take time and finesse. The quickest way for cybercriminals to cash in on your firm is to sell the data they’ve been able to steal on the dark web. A recent article published by Aon, The Dark Web Secrets of Law Firms, states:
“Dark web auctions that sell backdoor access to law firm servers have perhaps become the most unconventional threat to the sacred attorney-client privilege. For less than $10,000, a bad actor can often purchase rights on the dark web to explore files on a hacked firm’s network that may include internal memorandums, client e-mails, and other confidential work products.
“Another area of concern is the commonplace existence of compromised credentials on the dark web that can be leveraged by bad actors to potentially access law firm networks. Cursory dark web searches performed by Aon in March 2020 revealed tens of thousands of usernames and passwords belonging to attorneys of leading global firms whose credentials were compromised...”[13]
Once client data is compromised, it can become a virtual nightmare and have adverse effects on your mental well-being, reputation, and finances.
How can Rhode Island Bar members help protect their firm?
You can hire a cybersecurity expert and create a risk mitigation plan, but with the software used by cybercriminals changing so rapidly, it may be outdated by the time you hit ‘print.’ Cyber insurance that includes risk mitigation tools like 24/7 monitoring is your best defense.
The monitoring service will help mitigate losses, and if a breach does occur, the cyber insurance will protect the law firm from devastating financial loss. Another added benefit is that the carrier’s claims team will handle the response, allowing the attorneys to focus on their clients.
With the COVID-19 pandemic heightening the risks for law firms of all sizes, now would be a good time to get a cyber risk assessment. Basic actions like a cybersecurity assessment can reduce your exposure by 80%.[14]
You can receive a free assessment from Aon CyberBusinessPro℠ by visiting www.aoncyberAA.com and receiving a cyber insurance quote.[15]
[1] Joseph Menn, “Hacking against corporations surges as workers take computers home,” Reuters, April 17, 2020.
[2] Frank Whitman is a fictional character created for illustrative purposes.
[3] Spamlaws.com, “Spam Statistics and Facts,” 2018.
[4] Nathaniel Popper, “Ransomware Attacks Grow, Crippling Cities and Businesses,” New York Times, February 9, 2020.
[5] “Cybercrime Will Cost the World US$6 Trillion by the End of the Year: Study,” CISOMAG, March 23, 2020.
[6] “Scammers Prey on Coronavirus Outbreak,” IdentityForce, March 13, 2020.
[7] Paul Witt, “COVID-19 scam reports, by the numbers,” Federal Trade Commission, April 15, 2020.
[8] Jonathan Jones, “One in three coronavirus-related websites is fraudulent, study finds,” The Telegraph, April 26, 2020.
[9] Tony Howlett, “VPNs continue to be a popular vector for cyberattacks,” Security Boulevard, February 28, 2020.
[10] Naveen Goud, “Data in Cloud is more exposed to Cyber Attacks than in organizations,” Cybersecurity Insider, 2020.
[11] “Cyber Actors Take Advantage of COVID-19 Pandemic to Exploit Increased Use of Virtual Environments,” Federal Bureau of Investigation, April 1, 2020.
[12] Zak Doffman, “New Zoom Security Warning: Your Video Calls at Risk from Hackers,” Forbes, January 28, 2020.
[13] “The Dark Web Secrets of Law Firms,” Aon, March 2020.
[14] “29 Must-know Cybersecurity Statistics for 2020,” Cyber Observer, 2020.
[15] Your law firm must have an external website to receive a Cyber Risk Assessment with your quote.
Aon CyberBusinessPro℠ is a service mark of Aon Corporation. Coalition, Inc. is the exclusive administrator.
This document provides summary information only. Insurance coverage is subject to specific terms, limitations and exclusions, and may not be available in all states.
Aon Affinity is a licensed insurance producer in all states (TX 13695), (AR 100106022); operating in CA & MN, AIS Affinity Insurance Agency, Inc. (CA 0795465); in OK, AIS Affinity Insurance Services Inc.; in CA, Aon Affinity Insurance Services, Inc. (CA 0G94493), Aon Direct Insurance Administrators and Berkely Insurance Agency; and in NY, AIS Affinity Insurance Agency.