It's hard to believe, but some cybercriminals are trying to take advantage of the coronavirus crisis. They seek to exploit IT weaknesses and use our fears and insecurities to obtain passwords, infiltrate company networks or launch cyberattacks. We have therefore put together a short overview of measures to decrease cybercrime risks in the current extraordinary situation.
Forms of cybercrime
The following forms of cybercrime are very common right now:
Victims receive requests from a supposedly trustworthy entity to follow a link to a deceptively real-looking copy of that entity's website and to log in. In doing so, the user unwittingly discloses secret credentials.
Employees receive very professional fake e-mails which appear to be from the CEO or another high-ranking person in the company with the urgent request to make an emergency payment due to the exceptional situation and to temporarily disregard compliance requirements. In some cases, employees are also threatened with dismissal or other measures if they refuse to comply. As a result, large amounts of money are often transferred to accounts abroad that cannot be recovered.
Malware or harmful links
The recipient is asked to open an attachment in an e-mail or to click on a link, which then installs malware on the device. This allows the perpetrator to obtain passwords and confidential data. In light of the COVID-19 pandemic, even the WHO had to warn about cybercriminals masquerading as the WHO to steal money and sensitive information.
The system or the data on it is encrypted, and the user is threatened with deletion of all data unless they pay a ransom (e.g. in Bitcoin).
Although many companies have now switched to home office, it is doubtful that they all have adequate technical and organisational measures in place to protect against cyberattacks. Many employees are not used to this form of work and use private devices, which increases security risks. All companies should therefore develop individual strategies and organisational measures to counter cybercrime risks. But even simple measures may help decrease cybercrime risks. These can include:
Employees should be informed about and sensitised to the forms of cyberattacks. A common approach should be discussed with the IT department. Even simple Do's & Don'ts for employees can help:
- Don't open attachments or links from untrusted sources.
- Don't comply with unusual requests relating to the disclosure of credentials, in particular by following a link. A brief internet search often helps to find out if there are phishing e-mails from the relevant entity currently in circulation.
- Observe compliance instructions and always confirm unusual internal instructions personally, ideally by calling or speaking to the superior directly.
- If your device suddenly slows down or consumes significantly more power, this could indicate malware.
- Report suspected cyberattacks immediately to the management and IT department and follow their instructions. Do not try to combat cyberattacks "on your own" but align your approach with the management and IT (e.g. paying ransom to release a blocked computer).
- Document all unusual activities as thoroughly as possible (screenshots, memory logs).
Check and adapt IT infrastructure
The new security risks resulting from home office work should be discussed with IT and appropriate security measures should be taken.
To take the right steps in an emergency in a coordinated and effective manner, it is advisable to draw up checklists with clear instructions and guidelines, such as what emergency measures are to be taken and in what order and by whom, and who is to be informed by whom (e.g. lawyer, IT, etc.).
Protection under criminal law
The Austrian Criminal Code ("ACC") contains various provisions against cybercrime, such as:
- Section 118a ACC punishes illegal access to computer systems such as computer hacking and cyberattacks with the intention to use the received data to damage the victim.
- Sections 119 and 119a ACC cover the interception of confidential data or messages by technical means under certain conditions. These provisions are highly relevant when spyware is used.
- Section 126a ACC punishes data corruption, e.g. by modifying or deleting data. Section 126b ACC punishes the disruption of IT systems, e.g. by denial-of-service attacks or computer viruses.
- Section 126c ACC punishes the abuse of computer programs including the possession or the creation of trojans or malware under certain conditions.
- Sections 146 et seq. ACC punish fraud, which is highly relevant in the case of CEO fraud.
Affected companies are well-advised to assess possible actions under criminal law, especially as criminal proceedings provide the following advantages:
- Public prosecutors and courts may apply investigative measures which are not available to the company itself, such as requesting IP addresses from communication service providers.
- The public prosecutor is in charge of investigations and must clarify the facts and gather evidence (which can generally also be used for further civil law actions).
- The company can participate in criminal proceedings as a "private party" to request compensation for the damages caused by the perpetrator without any court fees (as would be the case in civil law proceedings).
Criminal proceedings are therefore a good way to limit damages and to clarify the situation.
How to initiate criminal proceedings
To initiate criminal proceedings, victims would in practice file a statement of facts (Sachverhaltsdarstellung) with the public prosecutors' office to encourage it to open an investigation. It is crucial that such a statement includes strong evidence, as the initiation of criminal proceedings requires sufficient initial suspicion (Anfangsverdacht). Therefore, companies affected by cyberattacks should in any case document the attack as well as possible and involve legal and IT experts from the start.
Information duties and others
Cyberattacks may also affect the company's contractual partners or third parties. Therefore, it should be assessed whether the relevant contracts provide for specific (information) obligations in such cases. Furthermore, general civil law also provides for information and protection obligations in certain cases, as well as a general duty to minimise damages. If private data is affected by the attack, obligations under applicable data protection laws also need to be assessed.
Under cyberattack! What to do?
In case of a cyberattack, the affected company should immediately consider and clarify the following:
- What information is currently available?
- Who is the potential perpetrator?
- What evidence and documentation is available and was it secured? Who are potential witnesses?
- Who needs to be informed? Are external experts needed to clarify the situation?
- Which actions under criminal law are available?
- Do we have further legal obligations, e.g. information duties vis-à-vis contractual partners?
By Michael Lindtner, Attorney at Law, Schoenherr