Technology

Construction Cyber Hygiene: A Staple in Today’s Infectious World

The shift to remote work has given hackers more ways to infiltrate networks. Practicing good cyber hygiene can ward off cyber-attacks that proliferated along with COVID-19.
By Richard Volack
April 22, 2020

The new reality is that the novel coronavirus (COVID-19) is affecting, and complicating, all aspects of people’s lives.

Construction projects are not immune to this disruption. New protocols for disinfecting machinery and tools, as well as an increased number of hand washing stations at project sites, are just a few of the changes construction companies have made to address COVID-19. All these efforts are critical to keeping everyone safe on construction sites.

However, when people are looking for ways to avoid face-to-face contact, computers and project servers are more important than ever. Unfortunately, the shift to remote work also provides hackers more ways to infiltrate networks and take advantage of nervous and distracted staff. Cyber criminals understand this and have significantly increased the number and complexity of their cyber-attacks.

To help employees and stretched-thin IT staff avoid a cyber-attack, here are some of the more recent social engineering, phishing, data security and ransomware attacks that have arisen around COVID-19:

  • Cyber criminals are now sending more and more coronavirus-themed phishing emails. In February, the data security company Trustwave released a report with screenshots of emails sent by hackers posing as the Centers for Disease Control and Prevention and the World Health Organization, asking people to click on phony links for more information about the virus.
  • Cyber criminals are also sending out emails that create a false sense of urgency, asking users to immediately click on a link regarding new company policies, new state or local government policies, new working hours and/or new safety procedures that must be implemented “right away.”
  • Other cyber-criminals are also trying to get their target to open an attachment by promising new information on anti-virals and other drugs and vaccines to treat COVID-19.
  • Cyber criminals have also posed as employees of the Red Cross or other major relief agencies asking for a donation or to click on a list of urgent needs (such as gowns and masks) in certain area hospitals. Be wary of these requests, especially a request for a donation through a gift card or the use of personal banking information.
  • Other cyber criminals pose as health researchers from the government asking people to input their personal health information. Legitimate authorities will never approach anyone that way.
  • Others have launched an email scam falsely offering a file containing information from the World Health Organization on protecting children and businesses from the virus. When downloaded, the file loads malicious software that can steal web browsing data and track everything that its victims type. A malicious app detailed by Zscaler promised to show users when someone infected with COVID-19 was nearby. Instead, it infected users' phones with ransomware.
  • Others focus on testing and treatment, selling fake at-home test kits, going door-to-door performing fake tests for money, or selling fake cures, vaccines or advice on unproven treatments online.
  • Others are creating fake shops, websites, social media accounts and email addresses claiming to sell medical supplies currently in high demand, such as surgical masks. When consumers attempt to purchase supplies through these channels, fraudsters pocket the money and never provide the promised supplies.
  • Others are contacting people by phone and email, pretending to be doctors and hospitals that have treated a friend or relative for COVID-19, and demanding payment for that treatment.
  • In addition to the mounting attacks, more people are registering new web domains that reference COVID-19 or the novel coronavirus in their domain names, as well as registering more security certificates, according to Zscaler and Sophos Labs. While some of this activity may be real, a large part will be hackers trying to set up legitimate-looking websites to which they can lure unsuspecting visitors.
  • Because cyber criminals are counting on a rise of distracted employees working remotely, there has also been an uptick in “invoice manipulation” or "business email compromise" attacks, in which hackers use a variety of methods to dupe workers into sending wire transfers to cybercriminals, posing as one of their colleagues or their boss, often by using "spoofed" copies of a colleague or supervisor’s company email addresses.

Cyber security firms have stated that the new COVID-19 attacks are the largest surge of malware attack types united by a single theme that they have seen in years, if ever.

To help combat this substantial uptick in cyber threats, cyber hygiene should be practiced by each and every user. Cyber hygiene refers to the practices and steps that users of computers and other devices take to maintain system health and improve online security. These practices are often part of a routine to ensure the safety of personally identifiable information and other details that could be stolen or corrupted. Much like physical hygiene, cyber hygiene is regularly conducted to ward off natural deterioration and common threats. Specifically, construction companies should implement the following hygiene safeguards to help stave off the recent increase in cyber-attacks and cyber viruses:

  • Never open any attachments, especially ones that are COVID-19 related, until the sender/source is verified. If the source cannot be verified, DO NOT click on it—send it to IT staff for review.
  • Even if the email is sent from a known user, check the sender’s email address (hover over it with the mouse). Is it spelled wrong or is it one letter off? Check whether other important information is off or whether the grammar is incorrect. These are signs of a social engineering/phishing email.
  • Always be wary if the email contains either a link or attachment that asks that credentials be entered. This is a clear way for cyber criminals to obtain logon credentials. The use of multi-factor authentication can further combat this because, even if the username and password have been compromised, the hackers still need to get through an added layer of security.
  • Provide online cyber-awareness training to ALL company employees, focusing especially on those working remotely, those in accounting and those in Human Resources. This training will help each and every employee identify malicious links and fraudulent sites, and hopefully deter them from clicking on those links or entering their credentials at those sites.
  • Since remote working is now required in some areas, construction companies will be forced to make required payments by wire. Before sending a wire, especially one in which the banking information has recently changed, verify the receiver through someone known or someone whose credentials can be verified on the other end of the transaction. Some construction companies also use a “color of the week” to act as a code that only the sender and receiver know. This also helps cut down on intercepts of wire transfers.
  • Before sending any payment through a source other than a wire, investigate the company before sending the payment by checking with the Federal Trade Commission or the state’s attorney general’s anti-fraud office.
  • Be sure that the IT department is “up to snuff” in that they are consistently patching the IT system, segmenting the system into silos, implementing robust firewalls and anti-virus programs, implementing a password management policy, employing multi-factor authentication, updating the operating system, ensuring all employees have a secure connection, and encrypting data both in transit and at rest. Many of the above are becoming mandatory requirements, especially for those contractors (and their subcontractors) that perform federal construction work.
  • Ensure that any physical or hard-copy records that are removed from the main office (especially those that are confidential) are tracked and that a security protocol is put in place.
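
The sender-address check described in the list above (is the address "one letter off", or does a colleague's name appear on an outside address) can be automated at the mail gateway or in a reporting tool. The following is an added example, not part of the original article; the trusted domains, staff name and sample headers are constructed for illustration.

```python
from email.utils import parseaddr

# Assumed values for illustration: domains the company really corresponds with
# and the display names of its own staff.
TRUSTED_DOMAINS = {"examplebuilders.com", "cdc.gov", "who.int"}
KNOWN_STAFF = {"pat morgan"}

def edit_distance(a, b):
    """Edits (insert, delete, substitute, swap adjacent chars) to turn a into b."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposed letters
    return d[len(a)][len(b)]

def check_sender(from_header):
    """Classify a From: header. A 'trusted-domain' result only means the text
    matches; the header itself can be forged, so it is not proof of origin."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable"
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted-domain"
    for trusted in sorted(TRUSTED_DOMAINS):
        if edit_distance(domain, trusted) <= 1:   # "one letter off"
            return "lookalike-of:" + trusted
    if name.strip().lower() in KNOWN_STAFF:       # colleague's name, outside address
        return "display-name-mismatch"
    return "unknown-domain"

if __name__ == "__main__":
    for header in ("Pat Morgan <pat.morgan@examplebuilders.com>",
                   "Pat Morgan <pat.morgan@exampelbuilders.com>",
                   "Pat Morgan <pmorgan.builders@mail.example>"):
        print(check_sender(header), "<-", header)
```

Messages classified as a lookalike or a display-name mismatch are the ones to route to IT staff for review rather than act on.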

COVID-19 is the great equalizer because no one is immune. The same goes for computer hackers and computer viruses—no system is completely immune from such attacks or attempts to hack. Thus, as a person would with COVID-19, increase the company’s awareness of its virtual environment and surroundings and take the necessary precautions.

As Ben Franklin was fond of saying, “an ounce of prevention is worth a pound of cure,” especially when no cure exists for the current viruses attacking the company.

Richard Volack is a Partner and Chair of Peckar & Abramson’s Cyber Security & Data Privacy practice.
