Gabriela Kennedy, Partner, and Cheng Hau Yeo, Associate, Mayer Brown, offer legal strategies for addressing coronavirus phishing scams in Hong Kong.
As COVID-19 spreads around the world, so do phishing scams and malware infections delivered through phishing emails and websites that appear to be related to the coronavirus. These phishing scams are spreading fast across the world and capitalise on the widespread panic that seems to have gripped the general public. In the face of this new emerging cyber threat, it is crucial that businesses are aware of the risks they face and implement the necessary cybersecurity safeguards.
How do coronavirus phishing scams work?
Coronavirus-related phishing scams take different forms and use different mediums. One of the most common forms is the use of phishing emails. For example, cybercriminals impersonating medical experts such as virologists or officials from the World Health Organisation have been sending phishing emails containing malicious links or attachments which purport to provide information on how to protect oneself from the coronavirus. Unsuspecting users who click on the links or access the attachments open their systems to a malware attack, which may result in the infiltration of the connected network, theft of personal information or the entire system being rendered inoperative.
Another very common form of phishing takes place when fraudulent websites containing malicious links are set up. Such websites clone the websites of well-known organisations (for example, a healthcare company or a government website). These websites may then contain a link to a downloadable file, which purports to contain useful information relating to the coronavirus but instead contains malicious code. Phishing websites may also trick users into providing certain personal or confidential data in return for information or useful items related to the coronavirus (for example face masks). The types of user data commonly targeted include ID numbers, banking information, credit card details, account passwords or any other types of data which may facilitate identity theft. The stolen data is typically traded or sold on the dark web. It appears that the number of coronavirus-related phishing websites is increasing: research conducted by Check Point Research revealed a recent surge in the number of registrations of domain names associated with the coronavirus. If in doubt, check the domain name of the suspected website: a fraudulent site will typically use a misspelt variation of the official website's domain name.
Phishing through social media has also been on the rise. As with fake websites, it is very easy to create accounts on social media platforms, such as Facebook, Instagram and Twitter, impersonating well-known organisations or individuals. These phishing accounts are used to trick users into performing a particular action (for example providing personal or confidential data, downloading files containing malicious code, or providing endorsements and likes, thus duping more people). Given the rising fear over the coronavirus and the way social media posts tend to go viral, social media phishing scams pose a serious threat to the public as they have the potential to reach a large number of individuals within a relatively short period of time.
In an organisational context, where an employee accesses a malicious link or attachment on a company system through any of these phishing methods, the malware infecting that system may subsequently spread to other systems sharing the same corporate network. Ransomware attacks, which are increasingly faced by many organisations, may also be conducted through a coronavirus-related phishing scam. A phishing scam may have far-reaching consequences for an organisation, such as data exfiltration and company operations being affected, as well as significant tangible and intangible costs.
Potential legal and regulatory issues
Coronavirus-related phishing scams raise several legal and regulatory issues for businesses in Hong Kong. While Hong Kong currently does not have any overarching cybersecurity legislation, the Personal Data (Privacy) Ordinance (PDPO) and guidelines issued by the Privacy Commissioner for Personal Data (PCPD) will come into play if such scams involve the loss of personal data.
Under Data Protection Principle 4 of the PDPO (DPP4), data users are required to take all practicable steps to ensure that personal data held by them is protected from unauthorised or accidental access, processing, erasure or use. Where a data breach occurs, the data user may be in breach of DPP4 if the PCPD considers the data user to have failed to take ‘all practicable steps’ to safeguard the personal data. Relevant factors that affect the PCPD’s analysis include the type of data involved and level of harm to data subjects that may result, in the event of a breach. If a data user is found to be in breach of DPP4, the PCPD may commence an investigation and issue an enforcement notice requiring corrective measures to be taken. Any non-compliance with such notice would constitute an offence. While there is no mandatory obligation to notify the PCPD of any data breach, the PCPD recommends that data users provide voluntary notification as soon as possible and preserve all evidence related to the breach to facilitate future investigation and remedial actions.
Additionally, regulatory bodies such as the Securities and Futures Commission, the Hong Kong Monetary Authority (HKMA) and the Insurance Authority (IA) have published guidelines or circulars relating to cybersecurity. The HKMA requires authorised institutions to evaluate their cybersecurity controls with reference to new cyber threats (this may include coronavirus-related phishing scams) on a regular basis and submit periodic reports with respect to any cybersecurity risk identified. The regulatory bodies have also issued guidelines on the reporting of cybersecurity incidents. For example, the IA requires authorised insurers to report any cybersecurity incident within 72 hours of detection of the incident. Failure to comply with these guidelines may affect the regulatory body’s assessment of whether the regulated entity is ‘fit and proper’ and may possibly lead to disciplinary actions being taken.
When it comes to cybersecurity, prevention is invariably better than cure. Organisations should take preventive measures to stop cybercriminals from infiltrating their systems in the first place. Examples of such preventive measures include providing employees with specific training and guidance on coronavirus-related scams. These training sessions may provide employees with guidance on identifying potential coronavirus-related phishing websites or emails and educate employees on the risks of opening unidentified links or attachments. Simulations of coronavirus-related phishing attacks may also be conducted to ensure that employees are well-equipped to identify and deal with such cyber incidents. Employees should also be encouraged to promptly report any suspicious phishing activities in order to allow for the necessary actions to be taken in the first instance.
Putting a greater emphasis on maintaining robust cybersecurity controls will also go a long way towards detecting and deterring such phishing threats. Organisations may employ various measures, such as regular audits, continuous monitoring for intrusions, timely updates of antivirus software and stronger access controls, to reduce their vulnerability to cyberattacks.
Organisations should also put in place a response plan in the event of a cyberattack. This would facilitate a swift and effective response to a cyber incident and demonstrate the organisation’s good-faith compliance with the relevant laws and regulations should the PCPD or other regulators subsequently initiate an investigation of the incident. In light of the increase in the number of coronavirus-related scams, an organisation’s response plans may be tailored to take into account any specific features of such scams.
Organisations may also consider reaching out to the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT), which may provide advice on recent scams as well as assist with the formulation of a suitable response strategy. It is also increasingly common and important for businesses to take out cybersecurity insurance to mitigate the potential financial impact from a data breach, especially for businesses that are heavily exposed to such cyber risks.
Finally, organisations may consider putting in place a domain name watch to monitor any suspicious registrations of domain names that may be used to redirect to fake websites. Typically, these would be domain names that are a variation of the official domain name of an organisation, for example ‘mayorbrown.com’ vs ‘mayerbrown.com’.
Individuals should also be alert to phishing scams and take measures to ensure that they do not fall prey to these scams. One of the most important steps is to learn how to identify a phishing website (see ‘Identifying a phishing website: some basic checks’).
When in doubt, individuals may also check the organisation’s official website or social media page to see if it has released any announcements regarding phishing activities. Other measures individuals may take to prevent phishing scams include keeping informed about any new phishing methods being used, installing anti-phishing toolbars on their Internet browsers and checking their online accounts regularly for any unauthorised access.
No organisation is immune to cyberattacks. As the general fear of the coronavirus epidemic grows, the threat of coronavirus-related phishing scams is likely to become increasingly significant. Therefore, both companies and individuals in Hong Kong should take the appropriate precautionary measures to ensure they are well-placed to identify and deal with such cyber threats when they do occur.
Gabriela Kennedy, Partner, and Cheng Hau Yeo, Associate
Copyright: Mayer Brown
SIDEBAR: Identifying a phishing website: some basic checks
- Check the URL and look for any red flags (for example ensuring that the spelling of the web address and top level domain name is correct).
- Be wary of any URL which redirects you to a different website with a highly similar design (that is, a phishing website) instead.
- Review the website content and identify any irregularities that would not be expected to be found in the website of a well-known organisation (for example spelling errors, grammatical errors, low-resolution images, etc.).
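The domain-name watch described above (the ‘mayorbrown.com’ vs ‘mayerbrown.com’ example) and the first sidebar check both come down to comparing a candidate domain against the official one. The following is an added example, not the authors’ or Mayer Brown’s code: a minimal watch that flags lookalike registrations by typo distance, lookalike characters, TLD swaps and embedded brand names. The registration feed and the homoglyph table are constructed assumptions.

```python
# Added example, not from the article: a minimal domain-name watch that flags
# lookalike registrations near an official domain. All domains are constructed.
def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

# Character runs that pass for another letter at a glance (assumed table).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}

def normalise(label: str) -> str:
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def split_domain(domain: str):
    """(second-level label, TLD); multi-part suffixes like .com.hk not handled."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2], parts[-1]

def classify(candidate: str, official: str, max_distance: int = 2) -> list:
    """Reasons the candidate resembles the official domain ([] = none/official)."""
    c_label, c_tld = split_domain(candidate)
    o_label, o_tld = split_domain(official)
    if (c_label, c_tld) == (o_label, o_tld):
        return []
    if c_label == o_label:
        return ["tld-swap"]                 # same name, different TLD
    reasons = []
    if normalise(c_label) == o_label:
        reasons.append("homoglyph")         # e.g. 'rn' standing in for 'm'
    dist = levenshtein(c_label, o_label)
    if dist <= max_distance:
        reasons.append(f"edit-distance-{dist}")  # typo-squat such as mayor/mayer
    if o_label in c_label:
        reasons.append("embedded-brand")    # brand name with a lure appended
    return reasons

def watch(registrations, official: str) -> dict:
    """Map each flagged registration to its reasons; clean domains are dropped."""
    return {d: r for d in registrations if (r := classify(d, official))}

FEED = ["mayorbrown.com", "rnayerbrown.com", "mayerbrown.co",
        "mayerbrown-covid19.com", "weather.com", "mayerbrown.com"]  # constructed
FLAGGED = watch(FEED, "mayerbrown.com")
```

In practice the feed would be a daily export of newly registered domains from a registrar or watch service; flagged entries are candidates for review, not proof of fraud.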