Cyberthreats are constantly evolving to take advantage of online behaviour and trends.
The global COVID-19 pandemic that hit every corner of the world forced us to reimagine our societies and reinvent the way we work and live. During the lockdown, we turned to the internet for a sense of normality: shopping, working and learning online at a scale never seen before.
Although the COVID-19 crisis showed us how criminals actively take advantage of society at its most vulnerable, this opportunistic behaviour of criminals should not overshadow the overall threat landscape. In many cases, COVID-19 has enhanced existing problems.
Social engineering and phishing remain effective threats to enable other types of cybercrime. Criminals use innovative methods to increase the volume and sophistication of their attacks, and inexperienced cybercriminals can carry out phishing campaigns more easily through crime as a service. Criminals quickly exploited the pandemic to attack vulnerable people; phishing, online scams and the spread of fake news became an ideal strategy for cybercriminals seeking to sell items they claim will prevent or cure COVID-19.
In 2020, the FBI saw 791,790 suspected Internet crimes, an increase of more than 300,000 compared to 2019. The top three crimes were phishing scams, non-payment/non-delivery scams and extortion. The FBI says losses related to those crimes totalled more than $4.2 billion (£3.12 million). Between March 2020 and May 2021, the number of Internet crime complaints jumped from 5 million in 2017 to 6 million in 2020.
The UK’s cybersecurity agency took down more scams in 2021 than in the previous three years combined, with COVID-19 and NHS-themed cybercrime fuelling the increase. The National Cyber Security Centre (NCSC) reported a rise in the removal of online campaigns compared with 2019. There was a jump in the number of phishing attacks using NHS branding to dupe victims, with the COVID-19 vaccine rollout used as a lure via email and text message to harvest people’s personal information for fraud. Forty-three fake NHS COVID-19 apps hosted outside of official app stores were also pulled.
However, HM Revenue & Customs (HMRC) remains the most copied brand used by fraudsters, totalling more than 4,000 campaigns, followed by the government’s gov.uk website, and TV Licensing. Overall, more than 700,500 campaigns were taken down, accounting for 1,448,214 URLs, the NCSC’s fourth active cyber defence report revealed.
The restrictions imposed by governments in response to the coronavirus pandemic have encouraged employees to work from home, and even ‘stay at home’. Consequently, technology has become even more important in both our working and personal lives. Despite this growing reliance on technology, many organisations still do not provide a ‘cyber-safe’ remote-working environment. Where business meetings have traditionally been held in person, most now take place virtually.
The increase in remote working calls for a greater focus on cybersecurity because of the greater exposure to cyber risk: 47% of individuals fall for a phishing scam while working at home. Cyber-attackers see the pandemic as an opportunity to step up their criminal activities by exploiting the vulnerability of employees working from home and capitalising on people’s strong interest in coronavirus-related news (e.g. malicious fake COVID-19 related websites). Another important consideration is that the average cost of a data breach resulting from remote working can be as much as $137,000 (£101,000).
Between February and May 2020, more than half a million people globally were affected by breaches in which the personal data of video conferencing users was stolen and sold on the dark web. Additionally, the City of London Police reported that since January 2020 more than £11 million ($14.81 million) has been lost due to COVID-19 scams.
Employees working from home and organisations should implement essential cyber-secure practices, which include:
Areas that cyber teams can employ for high level cyber secure practices: