March 23, 2020
Publication

How To Work Remotely and Securely During the COVID-19 Pandemic

By David H. Hoeppner

The risk of new phishing scams on unsecured home networks

The spread of COVID-19 is impacting all aspects of the economy. Social distancing guidance and stricter regulations have led to large increases in remote work, and hackers have identified this as a vulnerability to be exploited. Email and text message phishing scams related to COVID-19 (i.e. scams typically targeted at gathering your login credentials or other personal information) have already become prevalent, taking advantage of new and untested remote work processes and employees’ desire to stay safe and informed.

While these scams can occur regardless of the network you are on and the device you use, home/personal networks and devices often don’t have the same level of security and encryption that office networks and devices have. In this environment, using devices and applications with business-level security to handle business-related information is key. As millions of people need to work remotely, risks from unauthorized data access and malicious software increase dramatically.

Examples of COVID-19 phishing scams can include:

  • Emails purporting to be from a health-related institution such as the Centers for Disease Control and Prevention (CDC), asking you to click on a link or download an attachment (example below)


  • Emails claiming to be from an employer’s IT department or human resources department requesting urgent security measures (example below)

Ways to reduce your risk

Verify the sender’s email address: Beware of messages sent from strange or unknown email addresses or phone numbers. While it is possible to falsely duplicate the name and origin of a message, phishing scams will often come from strange or unknown email addresses that can be identified by hovering your mouse over the sender’s name in the email.  

Don’t click on unknown links or attachments: Clicking on a link or attachment in an email or text message can download malicious software onto your device. Take special care to verify the authenticity of messages that have any of the following red flags: 

  • A generic greeting (e.g. “To Whom it May Concern,” “Dear Sir,” “Hi there,” etc.)
  • Errors in spelling or grammar
  • Requests for personal information
  • A sense of urgency or a requirement to “act now”
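The sender check and the red flags above can also be applied mechanically to a raw message. The following is an added example, not part of the original article: the sender table, keyword lists, employer domain and both sample messages are constructed assumptions, and it does not attempt the spelling and grammar check.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: names a sender may claim, mapped to the domains that sender
# really uses. The employer domain is a placeholder; replace with your own.
KNOWN_SENDERS = {"cdc": {"cdc.gov"}, "it department": {"employer.example"},
                 "human resources": {"employer.example"}}
GENERIC = re.compile(r"^\s*(to whom it may concern|dear sir|hi there)\b", re.I | re.M)
URGENT = re.compile(r"\b(act now|urgent|immediately)\b", re.I)
PERSONAL = re.compile(r"\b(password|login credentials|social security number)\b", re.I)

def red_flags(raw_email):
    """Return the article's red flags that a raw RFC 5322 message shows."""
    msg = message_from_string(raw_email, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    flags = []
    # Display name claims a known sender, but the address is somewhere else.
    for claimed, domains in KNOWN_SENDERS.items():
        if claimed in name.lower() and not any(
                domain == d or domain.endswith("." + d) for d in domains):
            flags.append("sender-mismatch")
            break
    if GENERIC.search(text):
        flags.append("generic-greeting")
    if URGENT.search(text):
        flags.append("urgency")
    if PERSONAL.search(text):
        flags.append("asks-for-personal-info")
    return flags

# Constructed sample messages (not real mail).
PHISH = """From: "CDC Health Alert" <alerts@cdc-gov.example>
Subject: URGENT: new cases in your area

Dear Sir,
Act now to see the case list. Confirm your password at the link below.
"""
LEGIT = """From: "CDC Newsroom" <newsroom@cdc.gov>
Subject: Weekly update

Hello Dana,
The weekly summary is posted on our website.
"""
print(red_flags(PHISH), red_flags(LEGIT))
```

A message that raises no flags is not proven safe; the call-to-confirm step still applies.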

Call to confirm: Unlike with messages from senders with whom an employee may have little connection, messages from an employer or colleague can often be verified with a phone call. When verifying with a call, always use a separate number that you know. Do not click on a link or number in an email or text message. Not only is calling to confirm an easy way to spot a fake, it’s also a good way to maintain a baseline of communication with employers and colleagues during a time when health guidance cautions against or prohibits face-to-face interaction.  

Avoid mixing business and personal hardware and software: The line between business and personal life gets easily blurred in remote work situations, and the blurred line creates more opportunities for personal activities to have business-related consequences. Business hardware and software often have more stringent security features, encryption and backup protection in place, which may not be present on personal devices, making business hardware and software preferable for business use. Personal hardware and software not only may lack some or all of these security features, but their use could allow, for example, a phishing email sent to a personal email account to infect a business computer that has confidential business information. Acknowledging there is often some overlap, limiting personal use of business hardware and software (personal social media accounts, apps, games, websites and emails) helps reduce the compound effect of business risk created by personal use.

Create strong passwords and use a password manager: A strong password is a long password, at least 12 characters, with a mix of upper- and lowercase letters, numbers and symbols, and isn’t just a word found in the dictionary or a keyboard pattern (e.g. “QWERTY”). Since it’s hard to create, remember and regularly update strong passwords for all of your logins, consider using a password manager. A password manager allows you to choose strong passwords that might otherwise be hard to remember, and save them in one place, accessible by a single master password (the only one you have to remember). Some password managers will even generate strong passwords for you. Either way, they make it easier to maintain stronger passwords to protect your various online accounts. Examples of password managers include 1Password, LastPass, Keeper and Bitwarden. (Gould & Ratner LLP does not promote, recommend or endorse any particular password manager.)

Your home router should use WPA2 or WPA3 security: Wi-Fi Protected Access 2 (WPA2) and Wi-Fi Protected Access 3 (WPA3) are the more secure protocols for home security. They use the strongest encryption to protect information sent from your computer to its destination. Since 2006, WPA2 certification has been mandatory for any device to bear the “Wi-Fi” trademark. WPA2 or WPA3 is typically one of several options that you can select when setting up your wireless network at home, but it might not be the default setting. If you use a wireless router received from your internet service provider (ISP), the option to select WPA2 or WPA3 security is likely accessible through your ISP’s web interface. The dropdown menu for selection may look something like this:

Use a Virtual Private Network (VPN): A VPN is a connection method used to add security and privacy to private and public networks such as your home network or when using a public wifi hotspot. It has two main benefits:

  • It allows your identity to be kept anonymous and your data and actions to be encrypted before moving through the internet. If a VPN is not offered by your employer, companies like Norton SecureVPN offer VPN services to individuals. (Gould & Ratner LLP does not promote, recommend or endorse any particular VPN service.)
  • If offered by your employer, a VPN can offer a secure connection into your employer’s internal network from a remote location, providing access to services that are typically only available when the employee is in the employer’s office and on the employer’s internal network. This may make remote work more effective and efficient.

[Diagram: how a VPN service works. Source: cactusvpn.com]

Employers can promote security and efficiency by offering enterprise-level VPN service to remote employees. Examples of enterprise-level VPN services include Cisco AnyConnect, Citrix and Cloud VPN by Google. (Gould & Ratner LLP does not promote, recommend or endorse any particular enterprise-level VPN service.)

  • Note: A VPN is only as secure as its endpoints (i.e. your personal computer and network from which you are sending information, and the server and network which will be receiving information). Consequently, it is important to use the VPN in connection with the other measures mentioned in this article, and it is important to use a VPN from a reputable company.

Use anti-virus software and make sure it is updated: As mentioned above, the security of your data and its transmission is only as secure as the device you are sending it from. For this reason, consistent use and updating of antivirus protection is important for all devices that will handle business-related information. Employers can assist by offering enterprise-level antivirus on devices issued to employees, but in cases where that is not possible, there are several low-cost personal antivirus applications that are useful. These include: AVG, Avast and Kaspersky. (Gould & Ratner LLP does not promote, recommend or endorse any particular antivirus program or service.)

Additional resources

U.S. National Security Agency Best Practices for Keeping your Home Network Secure
U.S. Cyber Infrastructure Security Agency Tips for Caution with Email Attachments  

For more information or questions about cybersecurity precautions while working remotely and COVID-19, contact a member of Gould & Ratner’s Corporate Practice or visit our COVID-19/Coronavirus Resources Page.