閱讀中文版本

By Gabriela Kennedy and Cheng Hau Yeo from law firm Mayer Brown

As COVID-19 or ?coronavirus? spreads around the world, so are phishing scams or the infection of computer systems with malware through phishing emails and websites that appear to be related to the coronavirus.

These phishing scams are spreading fast across the world and capitalise on the widespread panic that seems to have gripped the general public. In the face of this new emerging cyber threat, it is crucial that businesses are aware of the risks they face and implement the necessary cybersecurity safeguards.

How do coronavirus phishing scams work?

Coronavirus-related phishing scams take different forms and use different mediums. One of the most common forms is the use of phishing emails. For example, cybercriminals impersonating medical experts such as virologists or officials from the World Health Organisation have been sending phishing emails containing malicious links or attachments which purport to provide information on how to protect oneself from the coronavirus.

Unsuspecting users who click on the links or access the attachments open their systems to a malware attack which may result in the infiltration of the connected network, theft of personal information or the entire system being rendered inoperative.

Another very common form of phishing takes place when fraudulent websites containing malicious links are set up. Such websites clone the websites of well-known organisations (for example, a healthcare company or a government website). These websites may then contain a link to a downloadable file, which purports to contain useful information relating to the coronavirus but instead contains malicious codes.

Phishing websites may also trick users into providing certain personal or confidential data in return for information or useful items related to the coronavirus (e.g. face masks). The types of user data commonly targeted include ID numbers, banking information, credit card details, account passwords or any other types of data which may facilitate identity theft. The stolen data is typically traded or sold on the dark web.

Phishing through social media has also been on the rise. Like with fake websites, it is very easy to create accounts on social media platforms, such as Facebook, Instagram and Twitter, impersonating well-known organisations or individuals.

These phishing accounts are used to trick users into performing a particular action (e.g. providing personal or confidential data or downloading files containing malicious codes, or providing endorsements and likes, thus duping more people).

Given the rising fear over the coronavirus and the way social media posts tend to go viral, social media phishing scams pose a serious threat to the public as they have the potential to reach a large number of individuals within a relatively short period of time.

Potential legal and regulatory issues?

Coronavirus-related phishing scams raise several legal and regulatory issues for businesses in Hong Kong. While Hong Kong currently does not have any overarching cybersecurity legislation, the Personal Data (Privacy) Ordinance (PDPO) and guidelines issued by the Privacy Commissioner for Personal Data (PCPD) will come into play if such scams involve the loss of personal data.

Recommended steps?

When it comes to cybersecurity, prevention is invariably better than cure. Organisations should take preventive measures to stop cybercriminals from infiltrating their systems in the first place. Examples of such preventive measures include providing employees with specific training and guidance on coronavirus-related scams.

These training sessions may provide employees with guidance on identifying potential coronavirus-related phishing websites or emails and educate employees on the risks of opening unidentified links or attachments. Simulations of coronavirus-related phishing attacks may also be conducted to ensure that employees are well-equipped to identify and deal with such cyber incidents.

Employees should also be encouraged to promptly report any suspicious phishing activities in order to allow for the necessary actions to be taken in the first instance.

Individuals should also be alert to phishing scams and take measures to ensure that they do not fall prey to these scams. One of the most important steps is to learn how to identify a phishing website. Examples of ways to do so include:

#1 Checking the URL and looking for any red flags (e.g. ensuring that the spelling of the web address and top level domain name is correct)

#2 Being wary of any URL which redirects users to a different website with a highly similar design (i.e. a phishing website) instead

#3 Reviewing the website content and identifying any irregularities that would not be expected to be found in the website of a well-known organisation (e.g. spelling errors, grammatical errors, low resolution images, etc.)

The full version of this article can be found here.