The rise of cyber-crime since COVID-19

Cyberthreats are constantly evolving to take advantage of online behaviour and trends.

The global COVID-19 pandemic that hit every corner of the world forced us to reimagine our societies and reinvent the way we work and live. During the lockdown, we turned to the internet for a sense of normality: shopping, working and learning online at a scale never seen before.

Although the COVID-19 crisis showed us how criminals actively take advantage of society at its most vulnerable, this opportunistic behaviour of criminals should not overshadow the overall threat landscape. In many cases, COVID-19 has enhanced existing problems.

COVID-19 Crime

Social engineering and phishing remain effective threats to enable other types of cybercrime. Criminals use innovative methods to increase the volume and sophistication of their attacks, and inexperienced cybercriminals can carry out phishing campaigns more easily through crime as a service. Criminals quickly exploited the pandemic to attack vulnerable people; phishing, online scams and the spread of fake news became an ideal strategy for cybercriminals seeking to sell items they claim will prevent or cure COVID-19.

In 2020, the FBI saw 791,790 suspected Internet crimes, an increase of more than 300,000 compared to 2019. The top three crimes were phishing scams, non-payment/non-delivery scams and extortion. The FBI says losses related to those crimes totalled more than $4.2 billion (£3.12 million). Between March 2020 and May 2021, the number of Internet crime complaints jumped from 5 million in 2017 to 6 million in 2020.

The UK’s cybersecurity agency took down more scams in 2021 than in the previous three years combined, with COVID-19 and NHS-themed cybercrime fuelling the increase. According to the National Cyber Security Centre (NCSC), the removal of online campaigns rose compared with 2019. There was a jump in the number of phishing attacks using NHS branding to dupe victims, with the COVID-19 vaccine rollout used as a lure via email and text message to harvest people’s personal information for fraud. Forty-three fake NHS COVID-19 apps hosted outside of official app stores were also pulled.

However, HM Revenue & Customs (HMRC) remains the most copied brand used by fraudsters, totalling more than 4,000 campaigns, followed by the government’s gov.uk website, and TV Licensing. Overall, more than 700,500 campaigns were taken down, accounting for 1,448,214 URLs, the NCSC’s fourth active cyber defence report revealed.

Impact of COVID-19 on digital working and cybersecurity

The restrictions imposed by governments in response to the coronavirus pandemic have encouraged employees to work from home, and even ‘stay at home’. Consequently, technology has become even more important in both our working and personal lives. Despite this increased need for technology, many organisations still do not provide a ‘cyber-safe’ remote-working environment. Where business meetings have traditionally been held in person, most now take place virtually.

The increase in remote working calls for a greater focus on cybersecurity because of the greater exposure to cyber risk: 47% of individuals fall for a phishing scam while working at home. Cyber-attackers see the pandemic as an opportunity to step up their criminal activities by exploiting the vulnerability of employees working from home and capitalizing on people’s strong interest in coronavirus-related news (e.g. malicious fake COVID-19 related websites). Another important consideration is that the average cost of a data breach resulting from remote working can be as much as $137,000 (£101,000).

Between February and May 2020, more than half a million people globally were affected by breaches in which the personal data of video conferencing users was stolen and sold on the dark web. Additionally, the City of London Police reported that since January 2020 more than £11 million ($14.81 million) has been lost due to COVID-19 scams.

Best practices to employ

Employees working from home and organisations should implement essential cyber-secure practices, which include:

    • Antivirus protection – employees should be provided with a licence for antivirus and anti-malware software for use on their personal computers to eliminate low-level attacks
    • Cybersecurity awareness – employees should be briefed on best practices and procedures to regulate the sending of emails or other content to private email addresses and/or cloud storage
    • Phishing awareness – employees should be vigilant when receiving emails and should check the authenticity of the sender’s address
    • Home network security – employees should ensure that their home Wi-Fi is protected by a strong password
    • VPN – VPNs add a further layer of protection to internet use from home. They cannot on their own be relied upon to prevent cyberattacks, but they can be a useful barrier against cyberattack
    • Identify weak spots – all systems have weaknesses; organisations should run tests to identify them and patch the most critical vulnerabilities as soon as possible. This can take the form of vulnerability scanning or various types of penetration testing exercises
    • Frequent reviews – organisations should regularly evaluate cybersecurity risk exposure and determine whether existing controls are robust enough. Any new forms of cyberattack that have appeared recently should be considered during these reviews
    • Renew business continuity and crisis plans – managers need to keep their business continuity plans updated and consider cyberattack scenarios.

Areas that cyber teams can employ for high-level cyber-secure practices:

    • Zero Trust – CISOs and CIOs should consider implementing a zero-trust approach to cybersecurity. This is a security model where only authenticated and authorized users and devices are permitted access to applications and data. It challenges the concept of “access granted by default”
    • Risk management – organisations can apply governance, risk and compliance (GRC) solutions for improved risk management. GRC solutions provide a detailed view of the company’s risk exposure and help link together the various risk disciplines.