The explosion of cyber attacks and online fraud enabled by COVID-19 and the rapid (and, in some cases, haphazard) deployment of a global remote work force have pushed agencies responsible for consumer and citizen protection into higher gear. Their approaches have ranged from passive postings to aggressive countermeasures, according their differing resources and mandates.
The Canadian Centre for Cyber Security ("CCCS") recently published a new Bulletin detailing how the ongoing COVID-19 pandemic has affected cyber threat activity.
The CCCS found that, as of late-April 2020, over 120,000 new domains had been registered with some type of COVID-19 theme, a large proportion of which the CCCS considered to be malicious or related to fraudulent activity. There are also SMS phishing campaigns operating, claiming to be notices from governmental authorities of emergency relief. These are operations specifically geared to leverage the anxiety and uncertainty the pandemic has generated.
In total, the CCCS makes seven key conclusions:
- Malicious cyber actors were using the pandemic as a hook or pretense in communications designed to execute cybercrime or cyberespionage;
- The health sector had increased exposure and sensitivity to ransomware attacks as the health-related services remainder under extreme pressure while dealing with the pandemic;
- Cyberespionage efforts would likely focus more on stealing intellectual property relating to COVID-19, as well as intelligence about the government responses to the pandemic;
- State-sponsored cyber threats might suffer a short-term reduction in staffing as governments refocused priorities, but this could give way to a long-term increase in focus on digital espionage as travel restrictions and social distancing protocols hinder more traditional methods;
- Misinformation and influencer campaigns designed to erode trust in official statements continue, increasing the risk of hampering public health responses, as well as increasing the milieu of public anxiety that can make executing cyber threats more effective;
- The increase in remote working will create more targets for malicious cyber actors to exploit, taking advantage of the likelihood that local networks will not be hardened to attacks to the same degree that a workplace can be; and
- Authoritarian regimes will likely take advantage of the pandemic to justify and deploy surveillance technologies on its populace, which could affect expatriates and Canadians working and living abroad.
The CCCS is supplementing its reports with more actionable materials and, in some cases, action by the CCCS itself:
- CCCS publishes alerts and advisories—often several times a day—on "potential, imminent or actual cyber threats, vulnerabilities or incidents affecting Canada's critical infrastructure."
- It regularly posts short, consumer and small business-friendly pieces such as "Have You Been Hacked?," "Secure Your Accounts and Devices With Multi-Factor Authentication" and "Security Considerations for Mobile Device Deployments."
- Anecdotally, we can also report that CCCS is reaching out to directly (and confidentially) to Canadian businesses it learns have been compromised, to offer assistance and resources.
The Financial Transactions and Reports Analysis Centre (FINTRAC) recently issued a Special Bulletin reporting COVID-19-related trends in money laundering and fraud. The bulletin identifies and measures various types of fraud, including phishing scams in which criminals "pretending to be linked to Employment Insurance benefits, Canada Emergency Response Benefit (CERB), the Public Health Agency of Canada or other businesses" lure victims with texts and emails soliciting financial information or containing malware.
In the U.S., the Federal Bureau of Investigation has warned of fake emails from the Centers for Disease Control and Prevention (CDC) purporting to provide information on COVID-19. It has also warned of a rise in phishing emails, counterfeit treatments or equipment for pandemic preparedness. Meanwhile, the Federal Trade Commission (FTC) has released a general overview of the steps that it is taking to combat scams related to COVID-19 and provided a specific list of seven types of COVID-19 scams that are targeting businesses:
- "Public health" scams: The online attackers send messages that claim to be from the CDC, World Health Organization (WHO), or other public health offices. They may ask for Social Security numbers, tax IDs, etc. or a link or download a document.
- Government check scams: Cybercriminals are calling and emailing out of the blue claiming there's money available from a government agency if you just make an up-front payment or provide some personal information.
- Business email compromise (BEC) attacks: Where your employee gets a message that appears to come from a higher-up in the company directing the employee to wire money, transfer funds, send gift card codes, etc. This problem is compounded by teleworking employees as they are unable to walk down the hall to verify a questionable directive.
- IT scams: The attacker calls or messages the employee claiming to come from the technology staff at the company asking for a password or directing the recipient to download certain software.
- Supply scams: Scammers design websites that mimic the look of well-known online retailers and claim to have the essentials.
- Robocall scams: There is a new cop of illegal calls where employees are pitched bogus test kits and sanitation supplies. This recording particular targets "small business who may be affected by the Coronavirus," warning them to "ensure your Google listing is correctly displaying otherwise customers may not find you online during this time."
- Data scams: Malicious cyber actors are taking advantage of the mass move to telework by exploiting a variety of publicly known vulnerabilities in VPNs and other remote working tools and software. Potential vulnerabilities due to remote working and usage of personal networks and devices have allowed hackers to infiltrate data-rich networks.
In addition to its in-depth, pieces, the FTC issues email alerts, often several per week, alerting consumers and businesses about emerging threats and scams, as well as the results of FTC investigations.
Britain and the World
A number of international bodies have made similar efforts, highlighting many of the same risks, and taking arguably more aggressive stances against the wave of illicit activity:
- The World Health Organisation has released guidelines, instructing people to be aware that cybercriminals are attempting to impersonate trusted health authorities across the globe. It has warned the public that cybercriminals send fraudulent emails as well as messages on forums like WhatsApp in relation to COVID-19.
- The EU Commissioner for Justice and Consumers, following the common position endorsed by the CPC network, made a call to action by reaching out to various social media and technology companies requiring their cooperation in removing scams from their platforms. The companies responded to the Commissioner with a positive affirmation of call to action by extending their support in the prevention of cybercrime.
- In Europe, the EU Agency for Cybersecurity (ENISA) has also warned of a widespread increase in so-called 'phishing attacks'. In the UK alone, fraudsters exploiting COVID-19 fears have scammed £2m.
- To deal with the ubiquitous issue of online frauds related to the COVID-19 pandemic, the European Commission and Member State consumer protection authorities have launched a number of joint measures. On March 20, 2020, the Consumer Protection Cooperation Network authorities of the Member States, with the support of the Commission issued a common position on the most reported scams and unfair practices. The goal of this initiative is to raise awareness and assist online platforms in identifying illegal practices, take them down and prevent their resurgence.
- The Computer Emergency Response Team for the EU institutions, bodies and agencies (CERT-EU) has undertaken the necessary measures to assess the cyber aspects of the COVID-19 pandemic. A plan has been devised by CERT-EU, in the form of various Security Guidelines, to address any potential threat to EU Institutions, bodies and agencies in the realm of cyber security. The CERT-EU Security Guidelines aim to highlight the various elements of the plan and also provide a series of recommendations.
- Great Britain's National Cyber Security Centre (NCSC) and the United States Cybersecurity and Infrastructure Security Agency (CISA, part of the Department of Homeland Security) and issued a joint alert. The joint alert highlights ongoing activity by advanced persistent threat (APT) groups against organizations involved in both national and international COVID-19 responses. The primary targets are healthcare bodies, pharmaceutical companies, academia, medical research organizations, and local governments.
Is it working?
It's difficult to assess the extent to which these actions are affecting the overall picture. Some studies suggest that cyber attacks peaked in March and began trailing off—long before many of the advisories and actions we describe above. Microsoft attributes the decline, at least in part, to a successful game of catch-up by IT professionals to harden companies' defences. Nonetheless, 12 million attacks are still occurring daily, an increase of 20% over February 2020. So the threat remains constant. One assumes that all this activity by various global agencies is at least raising the median level of threat awareness and consumer and business sophistication. This is surely a positive development, which future studies will presumably quantify.
Note: Developments in the COVID-19-related malicious cyber activity are rapidly changing. We recommend all individuals and organizations to remain vigilant and take proactive steps to protect themselves. Our dedicated Cyber security and Privacy Team is available to assist your business and employees with COVID-19-related questions.
 The Consumer Protection Cooperation (CPC) network consists of authorities responsible for enforcing EU consumer protection laws to protect consumers' interests in EU and EEA countries.