The prevalence of fraudulent activity has increased during the COVID-19 pandemic. In 2020 alone, the Canadian Anti-Fraud Centre reported 70,948 cases of fraud, with $108.8M lost to fraud. Between March 6, 2020, and March 31, 2021, $7.25M was lost to COVID-19 fraud specifically. Malicious actors have exploited the increased reliance on technology during the pandemic, as well as people's heightened anxiety and vulnerabilities, to launch their attacks, causing both financial loss and psychological distress to individuals and companies.
In a survey conducted by the Conference Board of Canada about cyber-threat awareness in the workplace, most respondents seemed confident in their employees' ability to recognize risks, but 15% of respondents still said that their workforce does not know enough about cyber threats. Because of the pandemic, many organizations have adopted new technology at an increased rate (remote collaboration software, cloud technologies, etc.), and the survey showed that respondents from organizations that have accelerated their technology adoption were more likely to notice an increase in reported cyber-attacks. This is not surprising. As people increasingly rely on videoconferencing services, cybercriminals have leveraged that increase to steal personal information. They have baited users by registering domains posing as Zoom, Microsoft Teams, and Google Meet-related URLs. Due to the nature of remote work, many people are also finding themselves isolated from their coworkers and IT departments, who would usually have helped identify threats. Additionally, many attacks were carried out by impersonating health organizations disseminating health information related to the pandemic.
Protection from Phishing Attacks: Privacy Considerations
Phishing attacks use a combination of technological and psychological tactics, such as exploiting the recipient's curiosity or trust, to trick them into disclosing sensitive information or downloading malware. Attackers will target employees of an organization by sending them emails with attachments that contain malware or by getting them to enter sensitive information on a fake website. While these emails will often look like official, work-related communications, phishing indicators include suspicious senders or addresses, unexpected messages and attachments, poor spelling and suspicious links.
Several government agencies and regulatory authorities have created resources to help protect individuals and organizations from phishing attacks. The Office of the Ontario Information and Privacy Commissioner recommends proactive measures including:
- Screening and filtering incoming messages;
- Installing malware detection and filters;
- Eliminating security vulnerabilities by updating outdated browsers and other software; and
- Restricting computer access rights on a need-to-know basis.
As part of a privacy breach response plan, organizations should also consider whether mandatory notification of a breach to a regulatory authority or individuals affected by the breach is required. In Alberta, the Personal Information Protection Act requires organizations to provide notice of a privacy breach incident to the Office of the Information and Privacy Commissioner of Alberta (OIPC) if the privacy breach represents a "real risk of significant harm" to an individual. The amount of time an organization has to provide notification is dependent on the legislation that applies. These issues should be addressed during the development of a breach response plan and not after a breach occurs.
To learn more about how to protect your organization against phishing attacks, join us on Thursday, May 13, for our next edition of Coffee + Counsel. This complimentary series brings you together with a few of our lawyers for an unscripted chat about legal issues pertinent to organizations in Alberta. Grab your coffee or tea and discuss your concerns in a dynamic and open Q+A session with Field Law lawyers Katrina Haymond, Erika Carrasco, and Richard Stobbe, who will also be joined by Kyle Myck, Field Law's IT Director.
Coffee + Counsel: How to Protect Your Business Against Phishing Attacks
Cybersecurity issues are becoming a day-to-day struggle for businesses, and COVID-19 has increased the number of employees working remotely, making it harder for IT teams to secure networks. Cybercrimes have increased by 600% since the start of the pandemic, and 95% of all cybersecurity breaches are a result of human error. Many organizations believe it's inevitable that they'll fall victim to an email-based attack over the next year, whether through an employee being tricked into clicking a bad link, or a specific attack where individuals impersonate leadership and request fraudulent financial transfers.
As phishing attacks continue to evolve, it is crucial for organizations to take additional steps to protect themselves and train personnel to be on the alert for abnormal activity. From prevention measures to mandatory reporting and everything in between, organizations have many legal issues to consider:
- What are the best practices to prevent and defend against phishing?
- What should be in an anti-phishing policy, and how can it be enforced?
- What immediate steps should you take once you discover a phishing attack?
- When do you need to report a phishing attack or breach to the Privacy Commissioner?
Date: Thursday, May 13
Time: 10:00 AM - 11:00 AM MT
If you are unable to attend the session at the scheduled time, please register and a recording will be sent to you.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.