Spring is traditionally a time when people do a deep cleaning of their homes. Have you thought about taking this one step further and doing a digital security deep clean? We recommend reviewing at least every quarter to minimize the risk of identity theft. Here are four steps to get you started to protect your personal data. 

  • Change your passwords. Your company probably automatically asks you to switch passwords every 4-6 weeks. But when is the last time you changed your passwords on your personal social media accounts, subscriptions, or places you shop? You should consider updating these passwords, too. In fact, old passwords can be easy ways for hackers to steal your identity. Delete old accounts you no longer use. You might be surprised to find that some of those are decades old with easily guessed passwords. When you choose your new passwords, do not repeat them across various accounts. You’re just making it easier to get hacked.
  • Review your social media accounts. Have you been cloned on Facebook, Instagram, or other social media platforms? Take a moment and search for yourself on these sites and see if you appear more than once. Don’t wait for your friends to send you a text saying, “I just got a friend request from you, but we’re already friends.” If you’ve been cloned, report it and change your passwords.
  • Avoid oversharing. Think twice before you overshare information or play a social media game that asks you to list personal information about yourself. These simple activities are ways that hackers gather your data. The latest high-risk trend is sharing a picture of your COVID vaccination record with your full name and date of birth clearly visible. Instead, consider sharing a photo of an “I got vaccinated” sticker. 
  • Have you been hacked? A cybersecurity FBI agent once told me, “It used to be a case of not if, but when you’ve been hacked. Now it’s a case of you’ve been hacked, and you either know it or don’t know it yet.” HaveIBeenPwned is one of several free sites where you can check if you’ve been caught up in a security breach.

These four steps will help you do a simple yet effective spring cleaning of your digital presence and protect your online identity. 

Now is the perfect time to protect yourself and your organization by changing your passwords. Every day hackers steal confidential information because of weak passwords, but not all hackers take what they need and leave—some may continue accessing your account, either to monitor your data or continue stealing information over time. Strong and regularly changed passwords are your first line of defense against these criminals.  As a reminder, for each account, use a unique password that has a minimum of eight characters and contains at least three characters from the four categories below, or use a password generator or manager.  

  • Upper case letters (A-Z)
  • Lower case letters (a-z)
  • Numbers (0-9)
  • Special characters (!@#$%^&)

 If you want to check whether your data has been breached, there are free websites that provide this information, such as   https://haveibeenpwned.com/.

An important and unexpected ruling was handed down by the Court of Justice of the European Union (CJEU) on July 16, 2020, in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (“Schrems II”) that invalidates the EU-U.S. Privacy Shield (“Privacy Shield”) arrangement. Since 2016, the Privacy Shield provided U.S. companies with a mechanism to comply with the General Data Protection Regulation (GDPR) requirements when transferring personal data from the European Union to the U.S.

What this means

Now companies that subscribed to the Privacy Shield must find another GDPR-compliant solution for the transfer of data. The European Data Protection Board indicated in its July 23, 2020 FAQs that it will not be providing a grace period as the authorities had done for the EU-U.S. Safe Harbor (“Safe Harbor”) framework following the “Schrems I” decision.

Notably, the CJEU’s decision expressly stated that the standard contractual clauses (SCCs) previously promulgated by the European Commission (EC) are still a valid tool for data transfers from the EU. The SCCs are sets of contractual terms and conditions that the controller and the processor of personal data both execute to comply with GDPR’s requirements.  However, the CJEU’s decision does not give blanket approval to the SCCs–the decision acknowledged that future challenges to SCCs are permissible by the local data enforcement agency for any EU-member state. For example, an EU-member state might prohibit or suspend exports of personal data from its country under SCCs, if the member state concludes that the SCCs are not or cannot be complied with in the recipient third country (such as the U.S.) because of the member state’s local legal requirements.

For some situations, including online companies dealing directly with EU consumers, another alternative is to look to specific derogations under Article 49 of the GDPR, such as to perform a contract.

What happens next

When the adequacy of the Safe Harbor was invalidated by the CJEU in 2015, the U.S. Department of Commerce (DOC) and the EC had already been negotiating for an updated trans-Atlantic program for many months. With Schrems II, and although the DOC and EC have indicated that lines of communication are open, the discussions are not nearly as advanced. And the issues cited by the CJEU in Schrems II may require some form of legislative and not merely an administrative action to address. As such, the process to update the Privacy Shield is unlikely to be concluded any time soon.  

The DOC, in a press release in response to the CJEU’s decision, stated that it will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification and maintaining the participants’ list. The statement emphasized that the CJEU’s decision “does not relieve participating organizations of their Privacy Shield obligations.”

The UK’s Data Enforcement Agency also issued a statement advising companies to continue using the Privacy Shield until new guidance becomes available but added that companies “do not start using the Privacy Shield during this period.”

Stay tuned for more regulatory guidance and other developments in the next few weeks.


Disclaimer: This is not legal advice. The resources and information provided here are for educational purposes only. Consult your own counsel if you have legal questions related to your specific practices and compliance with applicable laws.

Take a second to imagine what would happen if the internet went down in your office for a day. It would likely be a disaster, right? 

Although it wasn’t the case just a decade ago, today, almost every individual is dependent on technology for their productivity. As our work habits are continuously disrupted by constant innovations, our reliance on gadgets and applications will only increase.

This shift is affecting every institution around the world, including public sector, not-for-profit, and for-profit organizations. As it does, every business leader needs to become savvier when incorporating technology into their teams and workflow. Because of this, it’s only a matter of time before each member of the C-suite takes on an entirely new set of responsibilities. 

In fact, many C-level executives are already tackling many tasks that are far from traditional.

Here are five of the main ways that we’re seeing technology disrupt the C-suite:

1) Expanding The Role of the CIO or CTO

In the past, CIOs and CTOs were the key drivers of technology in their organizations, leading IT and engineering departments. However, now that technology touches every aspect of a business, all executives must be aware of its effects.

With that in mind, CIOs and CTOs are playing a bigger role in company meetings, as well as meeting individually with other executives more frequently to improve each department. In fact, more than half of CIOs already meet with their CEO at least once per week to discuss digital transformation and business goals. In these meetings, CIOs help the entire company implement advanced tools for automation, compliance, security, communications,  digital marketing, and customer analytics.

2) CEOs Focusing More on the Customer

Although CEOs have historically been responsible for their company’s customers, it’s now necessary for every employee to keep the customer in mind. Value to the consumer must be delivered at all levels of business through avenues such as ethical manufacturing, intelligent branding and top-tier customer service.

This is due to the fact that technology not only transforms how our institutions create goods and services, but it also shapes how we make purchases as well. Today, customers are more informed and connected than ever before. In fact, 81% of people read customer reviews before making a purchase, and 60% of people consider those reviews to be their most trusted source of information on a product.

As such, the CEO must increasingly take on the responsibility of creating a customer-centered organizational culture. This can be done by leveraging data and consumer analytics to better assess what the market desires. After understanding this, the CEO must ensure that every department of their organization keeps the customer in mind as well.

3) CHROs Understanding Automation

As more tasks are outsourced to algorithms and AI, soon, organizations may be employing more robots than people. As such, CHROs need a deep understanding of how to integrate employees seamlessly alongside automated processes. This can require considering alternative employment models or hiring individuals with non-traditional skill sets.

Overall, the entire HR department must imbibe a culture of continuous learning in order to keep up with how technological advancements impact their staff. 

4) CFOs Investing in Technology

Traditionally, CFOs were more geared towards the past, focusing on accounting and reporting. Now, CFOs have shifted their attention to the future, forecasting the financial viability of long-term investments in technology. They support the CEO’s corporate vision and implement the tools necessary to drive and respond to change.

As such, CFOs are no longer the traditional accountant, but rather possess strategic critical thinking skills. They are on the front line of their organization, working with all departments to assess how new systems can generate a return on investment. Simultaneously, CFOs must deeply understand the security and compliance risks that can come with technological advancements.

5) Creating New Roles in the C-Suite

With technology expanding faster than ever, organizations are creating new positions to deal with the many new opportunities that these innovations create.

For example, now that newly-trackable data is driving corporate decisions and strategies, Chief Data and Analytics Officers (CDAOs) are recruited to help their organization’s members interpret complex datasets. Furthermore, Chief Artificial Intelligence Officers (CAIOs) are necessary as AI continues to become an integral part of society.

Other new titles that organizations are incorporating include Chief Data Officer, Chief Digital Officer, Chief Learning Officer,  and Data Privacy Officer.

The people in these positions will be responsible for incorporating innovations such as automation, virtual and augmented reality and cloud computing. They’ll also pay attention to cyber-security, user experience and technology deployment. 

The C-Suite of the Future

Overall, no one knows what the C-suite of tomorrow will look like. Rather than getting overwhelmed by all the different variables that technology presents, it’s best to simply assess the needs of your organization and find a C-suite structure that fits your long-term goals. As innovations continue to accelerate, organizations will be forced to adapt to remain relevant and competitive.

Follow Executives Unlimited on LinkedIn for updates & news in the recruiting world, career tips for Executives and more.

By Malcolm S. McNeil

We have already heard about the recent twitter attack on high profile individuals. However, they are not the only targets of the hackers.

Right now we see that medical practices are a target of cybercriminals. The common activity is to forward emails to unsuspecting employees who will click on a link. That link installs malware, ransomware, or other insidious viruses. The hackers know that there are general security flaws that exist within a medical practice and further flaws where the medical facility is linked with Internet connections. Information is gathered from social media which is used to trick staffers into revealing patient information, practice information, financial records, and other confidential and protected information.

Cyber security experts agree that the sophistication and volume of attacks are increasing. Unfortunately, part of this increase comes from lax security standards established in medical offices. Some doctors say that they rely on the health insurers and providers and either think that they are covered, or that their efforts to protect themselves would be futile.

However, there is nothing diligent about simply giving up on security steps and it can be malpractice. Moreover, a large number of practices do not have cyber security backup plans in place in case of a cyberattack or any other type of natural disaster which may befall the record keeping.

The present-day cybercriminal is sophisticated. They know where to find vulnerabilities and how to exploit them. They know how technology works and they typically take the path of least resistance.

Malware is the biggest threat and messaging becomes more sophisticated in order to fool the unsuspecting victim.

One of the biggest mistakes that is made is some doctors, in small practices, think that they are too small or have nothing of value for a hacker. These medical providers are fooling themselves. The hackers are looking for a broad range of information and they exploit the least protected.

The market for stolen information is quite vibrant. Hackers will continue to pursue the most vulnerable. There are established prices for various types of health care and financial records. The hackers know that this is valuable and they know how to monetize the stolen information. Smaller organizations are sometimes more lucrative simply because of the lack of effective security protocols.

Medical practices need to have appropriate protocols in place. First, employees must be effectively trained and put on alert that these types of hacks can occur on a daily basis. Additionally, the doctor’s security protocol should be in place, they should be flexible, and constantly monitored for efficiency. There are outside organizations who will test the system to determine how effective the internal systems keep out the malware. These same organizations can arrange a phishing attack and again test the effectiveness of the security systems.

Today’s cybercriminal is not simply a teenager tampering with systems. Instead, these cybercriminals know where to get information about the doctors in the practice, the nature of the practice, and a variety of other records because physicians and their staff are typically on LinkedIn or Facebook or have other websites which provide important information to the public. At the same time, they provide leads for cyber hackers to exploit, and they know how to monetize the information.

Medical practitioners must have a cyber-plan in place in case of a hack. Today’s penalties for privacy breaches are severe and punishing. In California we have the new CCPA, along with the normal HIPPA requirements. There may be other applicable privacy protections that require diligent security protocols in place and constant monitoring.

The basics are obvious. The medical practitioner can ask “what would I say if I were examined regarding the security procedures that I have put in place to promote, promulgate and protect personal information?” The answer will provide the appropriate guidance for the next steps to take.


Malcolm S. McNeil is a Partner with the law firm Arent Fox LLP.
Other WorkAnswers posts related to Security and Technology

How should small business leaders think about mitigating information security risk—and with all that’s going on in our pandemic world, why now?

It’s a tough problem. Between reports of hackers breaching the networks of even large multinational corporations with staggering resources, the technical complexity of shoring up your defenses, and the high cost of tools that facilitate the process, it can be tempting to conclude that all you can reasonably do is ask IT to keep the virus protection up-to-date and cross your fingers.

However, I want to make a case here for devoting more executive attention and more organizational resources—both people hours and funding—to information security, even in a small business. Here’s why:

  1. The financial and reputational cost of even one security incident—particularly a data breach—can be devastating.

When most small business owners think of the consequences of a hack, they may envision a ransomware incident, which are lamentably common, particularly in the small-to-medium sized business space. Those are damaging enough in their own right: a February article in the NYT reported that in the last quarter of 2019, average ransomware payouts spiked to $84,116. This does not include the cost of lost operational capacity, legal or forensic investigation expenses to resolve the incident, or beefing up security after the fact.

However, an even more damaging type of attack involves hackers not encrypting your data for ransom, but rather stealing it and selling it on the dark web. When this exposes the personal information of your customers and others, you then bear the costs of notifying them and, as required by law in many states, paying for credit monitoring services of the affected parties. The average cost of this process is $150 per record, meaning that the immediate financial toll could be in the millions. And that is before accounting for the lost business resulting from the loss of public trust. This is a major hit for even the biggest organizations to absorb. For a small business, it would likely be unrecoverable.

  1. Your attractiveness as a target might be higher than you think.

You might assume that as a small business, you’re a “little fish in the big pond,” swimming below the notice of the poachers. But in fact, in recent years small to medium businesses are prime targets for hackers, precisely because they are less well protected. According to Nationwide Insurance, 55% of all small businesses experienced data breaches, and 53% having multiple breaches. In 2018, 71% of the victims of ransomware attacks were SMBs, a dramatic increase from 31% in 2012 and 18% in 2011.*

Your risk is even greater if you are in the supply chain of much larger companies, particularly if you have access to their customer and/or employee data. In this circumstance, hackers may perceive your network as a potential weak link in the armor of the deeper-pocketed client. If you are in this situation or likely would be, I encourage you in the strongest terms to pursue an enterprise-level security infrastructure. Not only is it almost certainly the right call for your degree of risk, such clients will increasingly expect and require this of you.

  1. Information security isn’t just technical, it’s behavioral—and people make mistakes.

Let’s say your IT department and/or the managed service provider (MSP) who remotely manage your IT infrastructure are top-notch, and you have the most airtight network known to man. You are still not safe from a data breach. This is because most methods of gaining access to a network involve luring employees or contractors with legitimate access to your system into providing credentials, running malware, or otherwise compromising the controls your team has put into place. Technical tools can help to identify such attacks, but they will never be enough on their own. Employees must be trained to identify suspicious emails and requests, and a culture of information security must permeate throughout the organization, specifically valuing security over speed and convenience. This takes leadership, and it has to be a priority for every executive.

  1. Compared to the potential loss, cyber insurance protection is relatively low-cost. With a greater than 50% likelihood that your small business will be hit by cybercrime costing you upwards of $100,000 per incident and an average policy cost of just $1500 per year, cyber insurance may be the single most inexpensive investment you can make to protect your business against this risk.

However, shop carefully: Many companies learn to their dismay after an incident that their policy didn’t cover what they thought it did. For instance, a policy may, by default, require your business to follow certain protocols or system configurations that might not work for your business. Or, if a breach is determined to be caused by employee error resulting from malware or phishing schemes, claims are often denied—which gets back to the vital importance of employee training. And, it’s important to note that insurance policies may or may not cover the costs of the technical help you may need to fix the vulnerability, ending the hackers’ immediate access to your network and to prevent future breaches. Despite that, you still need coverage to limit your exposure. Be sure to talk with your insurance representative about what is and is not covered and how you can best protect your business, and involve your head of IT and ideally your legal team in the policy selection process. Be sure to review your coverage for gaps on a regular basis as well—cybersecurity insurance is a young industry, and new types of risk are continually emerging.

I hope this inspires you to give additional thought to your company’s information security approach. If you already have a plan, it’s worth taking a fresh, critical review to ensure you’ve rated your risk appropriately and are taking advantage of the newer tools on the market today to mitigate it. If you need to get a program started, I recommend taking a look at the FCC’s Cybersecurity for Small Business page, as well as the Security and Technology section here on WorkAnswers for some great resources in designing one.

*As reported by Beazley Breach Response Services and Symantec.


Additional recommended reading: Designing a Remote Worker Policy.

There are a number of issues to consider when creating a remote work policy. Here are some of the bigger questions:

  • Can remote workers fit into your organization’s culture?
  • What positions can be performed remotely? (e.g. a sales position might be a logical “yes,” while a receptionist is obviously a “no”)
  • How will you deal with employees who want to work remotely, but aren’t able to?
  • What expenses will the organization cover? (e.g Internet, desk, etc.)
  • Will you have a policy that would require employees to regularly meet up with their colleagues?
  • What other criteria will you use to decide if an employee is eligible?  Seniority? Distance from the office? Personal situations, such as those who have mobility challenges or are caretakers of family members?

Other Elements of Your Remote Access Plan

  • Set a standard for equipment: Be sure to establish what equipment can be used remotely and what software must be installed.
  • Here’s just one example:
    • 13″ screen, with an i5 processor, 8GB RAM/256 GB SSB
    • Standard Software
    • Windows 10 Pro/MacOS
    • Microsoft 365
    • Adobe Acrobat
    • Non-standard software examples:
      • Accounting Software
      • Adobe Creative Cloud (for Creatives)
  • Non-tech equipment:
    • Furniture
    • Shredder
    • External Monitor(s)
    • Office desk and chair
    • Printer
    • Laptop Bag
    • Fax machine
    • VOIP/mobile phone

Have employees sign a release (and track inventory) to cover the loss of the device and how they can use it.

  • How does your organization want to address BYOD (Bring Your Own Device)?
    • There is software (often referred to as Mobile Device Management or MDM) that has the ability to remotely “kill” a device that has been lost or stolen
    • Have policies in place to restrict what software can be installed on devices that have company data
  • How will the person access the network?
    • Remote Desktop
    • VPN (hardware or software)
    • Hosted solution (Zoho, Office 365, Google Docs) SaaS/ SaaP (Salesforce, LinkedIn)
    • Private cloud or ERP
    • Be sure to provide both training and support
  • Usage policy
    • You may permit employees to do a reasonable amount of non-work-related stuff on the machine (checking news or sports scores), but you might not want them to let their friends/family members install software or use the device.
  • How will the IT department update the software and firmware?
    • We recommend hardware replacements every 3-4 years and mobile device replacements every 2-3 years. There are solutions to update software beyond giving Admin Access to the user(s).
  • Remotely kill software.
    • Absolute Software/Lo-Jack  
  • Reimbursement policy for Internet ( e.g., $50/month reimbursement for home Internet for employees approved for working remotely).
  • Workers comp covers remote workers.
  • Remind remote employees that sexual harassment cases might be relevant even within the home, especially if during working hours.
  • Remote working hours: Will you establish working hours, factoring in time zone differences? Recognize that remote employees are often open to working at odd times because of the need to tend to children or elderly relatives. This can turn into a win-win for everyone.
  • Insurance Policies: Make sure that there aren’t any issues with both the company insurance policies (e.g. asset, workers’ comp, health insurance) and the employees’ homeowner’s policy.
  • In-home meetings: Consider whether you will allow the employee to have work-related meetings in the home, or whether that could leave the company at risk of civil and criminal liability if something goes wrong. You may opt to require employees to meet others in public places or at the main office.

Planning to allow your staff to continue to WFH (work from home) for the next few months and perhaps beyond? Here’s a few basics you’ll want to be sure to have in place for your remote staff:

  • Establish your organization’s Remote User Policy — This policy will help ensure that both your and your clients’ information remains safe and protected and that your employees are enacting best practices when it comes to security. Set and communicate specific rules about how and where your staff can access your networks. Even though right now, your staff is less likely to be hanging out in coffee shops, do you want to allow them to access your networks in public places such as hotels, airports, and coffee shops? Likewise, what about from unmanaged home networks? Which brings us to the next must-have—a VPN.
  • Invest in VPN software — a VPN (virtual private network) is one of the best ways to ensure the security of your organization’s data when employees are logging on. Check out VPN recommendations at That One Privacy Site and PC Magazine’s picks.
  • Set up File Sharing — Your organization may already have this practice in place, but secure access to your files is important. Microsoft OneDrive (part of Office 365), Google DriveDropbox, and Box are some platforms worth looking at. All are cross-platforms providing compatibility with Macs, PCs, and mobile devices.
  • Enhance your communication tools — Don’t rely on email for everything. Video is THE way to inject the personal touch that we all need to make WFH workable for the long haul. Try Microsoft Teams, Google’s Hangouts, or Slack. If you are focused on video and want to look your best, there’s Zoom and Join.Me. NOTE: Skype for Business will only be around until August 2021. If Skype is your go-to platform of choice for video meetings, it’s time to test out some others.
  • Note taking on the run — Worried about your employee’s dog eating his home work? Or that they might lose your all-important project directions when they scribbled notes on a napkin while picking up take-out? For simple note-taking that plays well with others, encourage your staff to give Microsoft One Note or Evernote a try.


Stay tuned to WorkAnswers for more helpful tips for your business as we adjust to these changing times.



In a press release issued April 22, 2020, federal authorities announced that an ongoing cooperative effort between law enforcement and a number of private-sector companies, including multiple internet domain providers and registrars, disrupted hundreds of internet domains used to exploit the COVID-19 pandemic to commit fraud and other crimes.

As of April 21, 2020, the FBI’s Internet Crime Complaint Center (IC3) received and reviewed more than 3,600 complaints related to COVID-19 scams, many of which operated from websites that advertised fake vaccines and cures, operated fraudulent charity drives, delivered malware, or hosted various other types of scams.  To attract traffic, these websites often used domain names that contained words such as “covid19,” or “coronavirus.”  In some cases, the fraudulent sites purported to be run by, or affiliated with, public health organizations or agencies.

The press release provided the following examples of activities disrupted by the cooperative effort:

  • An illicit website pretending to solicit and collect donations to the American Red Cross for COVID-19 relief efforts.
  • Fraudulent websites that spoofed government programs and organizations to trick American citizens into entering personally identifiable information, including banking details.
  • Websites of legitimate companies and services that were used to facilitate the distribution or control of malicious software.

According to the press release, multiple federal agencies worked to analyze the complaints, investigate ongoing fraud, phishing, or malware schemes, and assemble vetted referrals.  Agencies sent hundreds of these referrals to the private-sector companies managing or hosting the domains.  Many of those companies, in turn, have taken down the domains after concluding that they violated their abuse policies and terms of service, without requiring legal process.  Domain registrars and registries advised the department that they have established teams to review their domains for COVID-19 related fraud and malicious activity.  Cybersecurity researchers have also made important contributions by developing sophisticated tools to identify malicious domains and refer them for mitigation.  Law enforcement is actively reviewing leads, including those referred by private firms, to verify unlawful activity and quickly pursue methods for disruption. 

The press release also noted that shortly after the IRS notified the public of web links to apply for the COVID-19 related stimulus payments, the FBI identified a number of look-alike IRS stimulus payment domains. These look-alike domains are often indicative of future phishing schemes and in order to minimize the potentialfraudulent use of these domains, the FBI alerted numerous domain registries and registrars to the existence of these look-alike URLs.

The DOJ made it clear that it will continue to collaborate with law enforcement and private sector partners to combat online COVID-19 related crime.  The DOJ is also working to provide COVID-19 related training and technical assistance in other countries through the International Computer Hacking and Intellectual Property (ICHIP) program.  In one Justice Department-supported action, a state prosecutor in Brazil took down a fake site purporting to belong to a leading Brazilian brewery.  The website publicized the distribution of free sanitizer, but in fact was infecting the computer systems of numerous Brazilian consumers with malware.  The ICHIP-mentored prosecutor further requested that the site’s U.S.-based registrar suspend it and preserve any account and transactional data linked to the site.  The investigation is ongoing, and the ICHIP continues to mentor the prosecutor remotely on this case and on best practices for engaging with U.S. registrars and providers.  Similar activities are planned in other regions with ICHIP attorneys. 
 
The DOJ provides the following tips to help protect individuals and businesses from being victimized by cyber actors:

  • Independently verify the identity of any company, charity, or individual that contacts you regarding COVID-19.
  • Check the websites and email addresses offering information, products, or services related to COVID-19.  Be aware that scammers often use addresses that differ only slightly from those belonging to the entities they are impersonating.  For example, they might use “cdc.com” or “cdc.org” instead of “cdc.gov.”
  • Be wary of unsolicited emails offering information, supplies, or treatment for COVID-19 or requesting your personal information for medical purposes.  Legitimate health authorities will not contact the public this way.
  • Do not click on links or open email attachments from unknown or unverified sources. Doing so could download a virus onto your computer or device.
  • Make sure the anti-malware and anti-virus software on your computer is operating and up-to-date.  Keep your operating system updated as well. 
  • Ignore offers for a COVID-19 vaccine, cure, or treatment.  Remember, if a vaccine becomes available, you will not hear about it for the first time through an email, online ad, or unsolicited sales pitch.
  • Check online reviews of any company offering COVID-19 products or supplies.  Avoid companies whose customers have complained about not receiving items.
  • Research any charities or crowdfunding sites soliciting donations in connection with COVID-19 before giving any donation. Remember, an organization may not be legitimate even if it uses words like “CDC” or “government” in its name or has reputable looking seals or logos on its materials.  For online resources on donating wisely, visit the Federal Trade Commission (FTC) website.
  • Be wary of any business, charity, or individual requesting payments or donations in cash, by wire transfer, gift card, or through the mail.  Do not send money through any of these channels.

If you think you are a victim of a fraud or attempted fraud involving COVID-19, call the National Center for Disaster Fraud Hotline at 1-866-720-5721 or email at disaster@leo.gov.  If it is a cyber scam, submit your complaint through https://www.ic3.gov.

To find more about Department of Justice resources and information, visit www.justice.gov/coronavirus

The Federal Trade Commission (FTC) has warned consumers about coronavirus-related scams, but businesses are at risk too. The FTC warns that companies must keep their guard up against these seven B2B scams that try to exploit concerns about COVID-19.

“Public health” scams

Fraudsters are sending messages that claim to be from the Centers for Disease Control and Prevention (CDC), World Health Organization (WHO) or other public health offices. They may ask for Social Security numbers, tax IDs, etc. Other variations direct you to click on a link or download a document. You should remind staff not to respond to messages like this – and definitely do not download anything or click on links in unsolicited email. It’s the latest form of phishing aimed at stealing confidential data or installing malware on your network.

Government check scams

You’ve seen news stories that financial help for businesses might be available soon. But remember that criminals read those headlines, too, and use them to make their phony pitches sound more credible. If someone calls or emails you out of the blue claiming there is money available from a government agency if you just make an up-front payment or provide some personal information, it’s a phony. The FTC’s checks from the government blog post offers tips on spotting those scams.

Business email scams

The FTC has previously warned companies about frauds perpetrated via business email. For example, in a CEO scam, an employee gets a message that appears to come from a company higher-up directing the person to wire money, transfer funds, send gift card codes, etc. In reality, a con artist has spoofed the boss’ email address or phone number. The economic upheaval caused by the coronavirus has led to a flurry of unusual financial transactions – expedited orders, cancelled deals, refunds, etc. That’s why an emergency request that would have raised eyebrows in the past might not set off the same alarms now. Compounding the problem is that teleworking employees can’t walk down the hall to investigate a questionable directive. Warn your staff about these scams and give them a central in-house contact where they can verify requests they may receive.

IT scams

It works like a CEO scam, but this time the call or message claims to come from a member of your technology staff asking for a password or directing the recipient to download software. These scams pose a particular problem now due to what cybercrime experts call social engineering: the dark art of manipulating human behavior to facilitate fraud. Your employees already may be distracted by changes to their routine and your tech support team is swamped. Taking advantage of this temporary “upside down-ness,” con artists may do a quick online search to glean a tidbit to really sell their story – for example, “I spoke with John, who said you were having a computer problem” or “the meeting has been shifted to our new teleconferencing platform–here’s the link.” Your best defense is a workforce warned against this form of fraud. Again, an in-house source for accurate information can help protect your company.

Supply scams

With many businesses scrambling for supplies, it’s wise to heed warnings about websites that mimic the look of well- known online retailers. They claim to have the essentials you need, but in reality, they’re fakes that take your “order,” grab your credit card number, and disappear. The safer strategy is to type in URLs you know to be genuine. And before taking a chance on an unfamiliar supplier, check them out with trusted industry colleagues.

Robocall scams

While working from home, your employees are hearing a new crop of annoying – and illegal – robocalls. It’s no surprise that fraudsters who already flout the law would try to exploit people’s COVID concerns to make a buck. Some of these tele-phonies pitch bogus test kits and sanitation supplies. Others have businesses in their sights. Curious what these calls sound like? This recording targets “small business that may be affected by the Coronavirus,” warning them to “ensure your Google listing is correctly displaying. Otherwise customers may not find you online during this time.” Remind your staff that the only right response to an illegal robocall trying to sell something is to hang up.

Data scams

The rest of us may be adjusting to new ways of working, but it’s business as usual for hackers. With more people telecommuting, hackers are hoping companies will drop their online defenses, making it easier to infiltrate data-rich networks. The FTC has tips to help your staff maintain security when working from home. Also, the National Institute of Standards and Technology (NIST) has resources on making a safer transition to a remote workplace. A good place to start: NIST’s updated Telework Cybersecurity page. Check out NIST’s infographic, Telework Security Overview & Tip Guide. Read their recent bulletin on Security for Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Solutions. And review their advice on Navigating the Conference Call Security Highway.

If you spot a scam, report it to the FTC. Use this special link to report possible COVID-19 frauds.