Coronavirus and cyber risk

How Cyber Criminals Are Taking Advantage Of COVID-19

April 22, 2020


Closing schools and offices to enforce social distancing during the novel coronavirus (COVID-19) pandemic is an important step in addressing the public health risk. But, as students and workers move online – about half the workforce so far – the move has increased another risk: cyber security.

Cyber criminals quickly recognized the opportunities the pandemic (and the response to it) provided them. As the volume of emails from employers, governments and health agencies related to the outbreak increased, so did the number of phishing emails concerning COVID-19.

Google recently reported more than 18 million predatory emails related to COVID-19, as well as 240 million daily spam messages. And more than one-third of executives responding to a recent flash survey said they felt their cyber risk exposure has increased as more employees work from home.

Addressing the cyber risks brought on by the new boom in remote work means sticking closely to cyber security fundamentals: identifying, assessing and addressing exposures – for example, through regular cyber security training for the remote workforce.

“The current shift to remote working is a game changer,” notes John Ansbach, vice president for engagement management, Aon Cyber Solutions. “Employees across all functions must be vigilant. And IT teams have to be extraordinarily focused on supporting their newly remote workforce in a way that securely drives the business forward.”


In early March 2020, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning of cyber scams related to COVID-19 and urged people to be vigilant. Later in the month, as more workers began working remotely, CISA issued another alert calling on organizations to adopt a heightened state of cyber security.

The risks may well increase over time. Some sophisticated cyber criminals might wait to assess the environment and plan attacks before striking. Meanwhile, overtaxed or depleted IT teams dealing with a newly remote workforce can also increase organizations’ vulnerability.

Although virtual private networks (VPNs) are a longstanding best practice for cyber security, many organizations’ VPNs may lack the capacity for a spike in the numbers of remote workers – compounding the overall risk.

Cyber Criminals Capitalize On Fear And Confusion

The current period of complexity and volatility provides a perfect opportunity for cyber criminals. “Catastrophic events act as beacons to fraudsters and threat actors,” says Samuel Willoughby, managing director and practice leader of investigations, Aon Cyber Solutions.

Cyber criminals seize on current events for three reasons, according to Daniel Spicer, director of digital forensics and incident response, Aon Cyber Solutions. “There’s a built-in sense of urgency that helps generate a reaction someone might not otherwise have. And people are already expecting to receive emails about the topic. Finally, there are legitimate materials out there that cyber criminals can modify and use for attacks, with less risk of grammatical and spelling errors that might otherwise tip off recipients.”

The increasing number of cyber attacks is taking various forms:


Cyber criminals are sending emails that resemble legitimate coronavirus-related notices in phishing attacks targeting anxious individuals expecting such communications. The attacks aim to get readers to click through on false links that promise coronavirus guidance.

Watering hole attacks

Criminals attempt to lure individuals to infected websites that appear to be legitimate sources of information on COVID-19. Some infected sites were actually hastily built but legitimate sites that have since been hacked by cyber criminals to deploy malware.

“We’re seeing a huge uptick in the number of domains being registered with ‘COVID-19’ or ‘coronavirus’ in them, though some are legitimate,” observes Spicer. “The rest are being used for phishing, or to stand up quick update sites or tracking maps that may deploy malware.”

Ramping Up Cyber Security As Part Of The Crisis Response

Cyber security experts say that organizations should take a series of steps to tighten their online defenses in the current environment:

  • Highlight trusted information sources. Guide employees to legitimate internal and external sources of COVID-19 information.
  • Warn about the latest phishing campaigns. Issue warnings to employees about the threat of COVID-19 phishing emails and cyber criminals’ latest strategies.
“Individuals are a critical first line of defense against attacks. Once phishing happens and there’s been a compromise to systems, it becomes an enterprise-wide issue. We can’t be too careful here – encourage employees to take a screenshot of any suspicious emails and provide it to IT.”
– Andrew Mahony, head of Aon Cyber Solutions in Asia
  • Tighten controls. Ensure that the organization has proper security controls in place and that employees are not going off book and using unauthorized remote-access tools. Validate and test in-place technical controls. Review and revise existing disaster recovery plans to account for the new remote workforce. Check the capacity of remote access tools that have been provisioned.
“Shadow IT develops not because employees want to avoid company issued tools but because they feel compelled to in order to do their jobs.”
– John Ansbach, vice president for engagement management, Aon Cyber Solutions
  • Implement temporary wire transfer protocols. The controls designed to protect an organization from a financial loss, while likely robust and well tested, were almost certainly put in place during more stable times and contemplated a different operating model. These controls might not be as effective in the current climate. Organizations should revisit these controls to help ensure they are not only designed appropriately but are also operating effectively in this new era of COVID-19.
  • Treat your VPN like a VIP. Ensure that employees are using only company-authorized and issued VPN solutions that are regularly updated and further secured with multifactor authentication. Penetration testing your VPN solution following mass deployment is also a best practice.
  • Prepare for password problems. Ensure IT support staff are ready to handle and properly vet password inquiries. Help-desk call volumes will likely increase – from both employees and scammers.
  • Define good BYOD. Organizations using a bring-your-own-device (BYOD) model should make sure BYOD standards are in place and communicate those standards to the workforce.
“Organizations should be setting expectations that BYOD employees follow the same sort of patching protocols and regular updates mandated for company-controlled devices and systems. And whether they’re using their own or company-owned devices, employees should be working from secure private networks – not public networks.”
– Andrew Mahony, head of Aon Cyber Solutions in Asia
  • Practice responses. Run tabletop cyber threat simulations during this time of shelter in place to prepare to address any attacks or disruptions.
  • Secure key executives. Publicly available data about your leadership team increases the possibility of targeted attacks. Put additional controls in place and actively scan for threats across both company and home networks.
  • Patrol your systems. Hunt down cyber threats and test network penetration to identify indications of compromise following the deployment of a remote workforce, especially one that relies heavily on personal endpoint devices.
  • Revisit your mitigation portfolio. Consider how third-party advisers and cyber risk transfer can help address the increased cyber security exposure.

Cyber Security: A Vital Part Of Organizations’ Pandemic Response

Even as organizations grapple with the other aspects of COVID-19, attending to cyber risk is essential. Organizations that seek to understand the heightened risk and take steps to address it will improve their chances to navigate the challenging environment successfully.

“What we’re seeing at the moment is unprecedented,” says Mahony. “It’s a mostly positive development, to see that business as usual – or close to usual – can keep going in times of crisis. But it means that now more than ever, we’ve got to stay agile to new cyber security risks, set clear expectations for mitigation and communicate with and educate employees at all levels.”

This document has been provided as an informational resource for Aon clients and business partners. It is intended to provide general guidance on potential exposures and is not intended to provide medical advice or address medical concerns or specific risk circumstances. Information given in this document is of a general nature, and Aon cannot be held liable for the guidance provided. We strongly encourage readers to seek additional safety, medical and epidemiological information from credible sources such as the World Health Organization. As regards insurance coverage questions, whether coverage applies or a policy will respond to any risk or circumstance is subject to the specific terms and conditions of the insurance policies and contracts at issue and the relevant underwriter determinations.

While care has been taken in the production of this document, and the information contained within it has been obtained from sources that Aon believes to be reliable, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the report or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication.