
Coronavirus - Increase in Cyber-Attacks during COVID-19: How does your business protect itself against phishing attacks? - Ireland


18-05-2020

COVID-19 has created a significant amount of change to our daily lives and how we work. These changes have in turn created increased cybersecurity risks for many organisations around the world. This is particularly relevant in recent times as many organisations have moved to remote working, including many organisations that were not fully prepared for such a move.

The threat of cyber-attacks has been echoed by many authorities, including the Garda Síochána. In this note we consider the measures recommended by the EU's Agency for Cybersecurity (ENISA). In addition to its general recommendations, ENISA has also commented that it has seen a huge increase in 'phishing' attacks during this time. These risks warrant attention by organisations as they could lead to adverse legal, financial and reputational consequences, on top of the challenge of dealing with a global pandemic.

What is a phishing attack?

Phishing attacks are fraudulent attempts to induce users to reveal confidential information (e.g. bank and credit card details). It is important to note that the loss of confidential information through a phishing attack may result in a loss of personal data, which would constitute a personal data breach under the EU General Data Protection Regulation (GDPR), as discussed further below.

In order to carry out a phishing attack, cyber criminals typically send emails or messages that appear to come from a legitimate source such as a bank, well-known e-commerce provider or government institution. These messages regularly contain links or attachments that the user is asked/encouraged to open. These links or attachments then redirect the user to a manipulated website which is designed to retrieve the confidential information.

Unfortunately, the authenticity of these messages is becoming increasingly difficult to determine, leading more users to be deceived into revealing confidential information. Where the information revealed is access data (such as login credentials), entire systems can be compromised and, as such, it is critical that organisations seek to minimise the risk of these types of attacks happening.

While it is common for individuals to fall for phishing, it is important to remember that it is not uncommon for organisations themselves to also become victims of phishing attacks. Most recently, for example, an email allegedly originating from the World Health Organisation (WHO) was sent to several organisations claiming that the WHO had compiled a free e-book on important COVID-19 protection measures; the supposed e-book was attached to the email as a zip file. It transpired that this was nothing other than a sophisticated phishing attack, and the WHO confirmed that it did not issue such an email.

An incoming email should be treated as a suspected phishing email if the answer to any of the following questions is yes:

  • Does the email come from a fake email address?
  • Is confidential data requested?
  • Is an urgent need for action feigned?
  • Does the email contain a link to a fake website?
  • Is the email characterised by linguistic inaccuracies (e.g. impersonal salutations) and spelling mistakes?
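The checklist above can be turned into a first-pass triage filter. The following is an added example written for this note (not code from the article or from ENISA) that scores constructed sample messages against the five questions; the organisation-to-domain lookup, the keyword lists and the sample messages are all hypothetical and would need to be tuned for a real mailbox.

```python
import re
from urllib.parse import urlparse
from email.utils import parseaddr

# Hypothetical lookup of organisations and the domain they genuinely send from.
KNOWN_SENDERS = {"world health organisation": "who.int"}

CONFIDENTIAL = re.compile(r"\b(password|pin|credit card|card number|login details)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|final notice)\b", re.I)
IMPERSONAL = re.compile(r"^\s*dear (customer|user|sir/madam|member|account holder)\b", re.I | re.M)

# Constructed sample messages; "links" holds (visible link text, actual target) pairs.
SAMPLES = [
    {"from": "World Health Organisation <alerts@who-covid19-update.example>",
     "subject": "URGENT: verify your account immediately",
     "body": "Dear Customer, confirm your password at our secure portal.",
     "links": [("https://who.int/login", "http://who-int.example/verify")]},
    {"from": "Anna Byrne <anna.byrne@supplier.example>",
     "subject": "Minutes from Tuesday's call",
     "body": "Hi Paul, attached are the minutes we discussed. Thanks, Anna",
     "links": []},
]

def host(url):
    return (urlparse(url).hostname or "").lower()

def phishing_indicators(msg):
    """Return the names of the checklist items the message trips, in checklist order."""
    hits = []
    display, addr = parseaddr(msg["from"])
    addr_domain = addr.rsplit("@", 1)[-1].lower()
    # 1. Display name claims a known organisation but the address domain is not theirs.
    for org, real_domain in KNOWN_SENDERS.items():
        if org in display.lower() and addr_domain != real_domain \
                and not addr_domain.endswith("." + real_domain):
            hits.append("fake sender address")
            break
    if CONFIDENTIAL.search(msg["body"]):               # 2. asks for confidential data
        hits.append("confidential data requested")
    if URGENCY.search(msg["subject"] + " " + msg["body"]):  # 3. feigned urgency
        hits.append("urgency feigned")
    # 4. Visible link text shows one host while the real target points elsewhere.
    if any(host(t) and host(t) != host(target) for t, target in msg["links"]):
        hits.append("link to fake website")
    if IMPERSONAL.search(msg["body"]):                 # 5. impersonal salutation
        hits.append("impersonal salutation")
    return hits

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["subject"], "->", phishing_indicators(sample) or "no indicators")
```

A message that trips several indicators at once is a candidate for the precautionary steps listed later in this note; a single hit on its own (an urgent but genuine invoice, say) is not proof of phishing.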

Why should you care?

Binding or non-binding?

The guidance from ENISA is non-binding. However, data protection authorities may treat its recommendations as best practice when assessing how an organisation prepared for and responded to a phishing attack. The potential adverse legal, financial and reputational consequences for organisations are too great to ignore.

Consequences in case of non-compliance?

Data protection authorities may impose fines of up to €20 million or 4% of annual turnover under Articles 83 and 84 of the GDPR. Data subjects may claim compensation under Article 82 of the GDPR. From an EU perspective, it is unclear whether competitors may send cease-and-desist letters. Companies may also face indirect costs such as reputational damage or management time spent on the incident.

How actively enforced?

So far, the level of enforcement efforts against phishing attacks has been low.

Any examples of other companies experiencing non-compliance issues?

Whereas there has been a high number of companies experiencing non-compliance issues with regard to data security in general, there do not appear to be any cases specifically relating to phishing attacks.

What should you do now?

Several national authorities (including the Irish Data Protection Commission) have published recommendations on precautionary measures, which include the following:

• Under no circumstances should anyone click on links in dubious emails. If unsure, reach the page mentioned in the suspect email via the homepage of the organisation concerned, i.e. by typing the organisation's address directly into a browser rather than clicking the link.

• If it is possible that an email legitimately asks for confidential data, contact the provider mentioned via telephone.

• Under no circumstances should parties disclose personal information such as passwords, credit card or transaction numbers via email. Reputable senders do not request such information by email, as financial institutions have repeatedly stated.

• Do not use download links contained in emails unless it is clear that there is no danger deriving therefrom. For a download, visit the provider's homepage directly and start the download there.

• Handle personal data with care. If anything seems dubious, immediately break off the connection and contact the website operator.

• Never open any attachments of a suspicious email.

• Regularly check the transactions and balances of bank accounts. Contact the bank immediately in case of anomalies.

• Be careful not to disclose personal data on websites with an unencrypted connection. An encrypted connection is indicated by 'https://' in the address line and the padlock symbol next to the browser's address bar.

• Make sure that antivirus software is up to date and firewalls are activated.

If companies or employees have been the victim of a successful phishing attack, they must immediately take protective measures to restore data security. In addition, they must immediately check whether the security incident constitutes a reportable 'data breach' within the meaning of Article 33 of the GDPR and whether the responsible data protection supervisory authority must be informed within 72 hours.

For further information on this topic please contact:

Marie McGinley, Partner and Head of IP, Technology & DP - mariemcginley@eversheds-sutherland.ie

Neasa Ní Ghráda, Senior Associate in IP, Technology & DP - neasanighrada@eversheds-sutherland.ie

Kirsty Farrell, Solicitor in IP, Technology & DP - kirstyfarrell@eversheds-sutherland.ie

For support on legal issues facing your business in light of the outbreak of Covid-19, please visit our Coronavirus hub to get our latest information and guidance.

Disclaimer

This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full terms and conditions on our website.
