Rising cybercrime is one of the countless ramifications of the COVID-19 pandemic and similarly to the spread of the virus, it is the wider population that can help mitigate the impact of such crime. COVID-19 related cybercrime has much less to do with hooded teens slouched over RGB keyboards and more with targeted exploitation of our ever-changing vulnerabilities as the global pandemic spreads.
While the romanticized notion of a mastermind hacker has never held true outside of Hollywood, the fact that cybercrime has risen significantly since the onset of the pandemic is very much real. Many are now looking at ways to solve this issue especially when there is no single body held accountable.
The repercussions of COVID-19 on the state of worldwide cybersecurity, shows it is necessary to properly educate the wider population on contemporary cyber risks.
The Bug in the Human System – Panic and Urgency
Each day news on the latest Coronavirus statistics and findings dominate headlines, all around the world. On a more personal level we have all been flooded with emails providing some sort of information related to the virus.
Consequently, there has been a huge upsurge of phishing emails, containing COVID-19 related news stories, promises of financial aid, and guidance. Emails have impersonated the Department of Health, the CDC, and the WHO, the latter having recently had to issue a warning on criminals impersonating their organisation. While such scamming tactics are a common repercussion of widespread disasters, never before has such a large fraction of the world’s population been preoccupied with the same issue.
Not only is the pandemic used as a topic of common interest to the widest possible audience, COVID-19 is also used as a means to conduct social engineering attacks. Social engineering refers to cyberattacks that are conducted by interacting with people and manipulating them into taking actions or disclosing private information. This can typically include compromising login details or tricking targets into opening doors by downloading malware directly onto their system. The insecurity many face in the wake of the pandemic has been something scammers have been quick to exploit using urgency and personal fears as a means to gain access to information they desire. ‘Travel\Vacation’ constituting as the second most reported COVID-19 related fraud in the United States, shows just how eager many are to regain money they lost on vacations now cancelled due to travel restrictions.
Metamorphosis – The Vulnerabilities of Working from Home
Having everyone shift from working in offices where their traffic was regulated on-site by an IT team, to personal Wifi connections at home was sure to raise concern over possible cybersecurity issues.
Now that workers have remote access to company files and information, any personal login information compromised is far more valuable to hackers than it ever was before. That makes employees of a company, regardless of security clearance, a far more tempting target as they now have more access. Individuals who might not have been of interest to hackers in the past may now suddenly fall victim to cyberattacks.
This ties in with one of the biggest cybersecurity vices that existed long before the pandemic: ‘Shadow IT’. This refers to the use of outside services or applications not regulated by the company you work at. Working from home, many have resorted to cloud services, such as Google Drive or Dropbox, without clearance from their company for convenience’s sake. Others have used applications such as Teamviewer, which allows remote access to machines located elsewhere to utilise their computers at work. Such technology presents companies with potential issues they simply cannot regulate and may never know about, while the attacking surface for hackers increases.
But what if everyone complies with company policy, uses company devices and secures their remote connection through use of their company Virtual Private Network (VPN). While a VPN can help secure endpoints (where the user is accessing from) there still might be room for human error.
Just over a month ago, hackers managed to launch a ransomware attack, on the Düsseldorf University Clinic, causing the death of a patient while the network was down. The attackers used an exploit in the VPN software, which had been known to the public and patched since January. While the hospital was using a VPN to protect its data, the inability to update the VPN service despite there being a known exploit, further shows how crucial proper cybersecurity education is.
Fixing the Bug – Government-Funded Education
Why does this matter and what can the government do about this?
The World Bank predicts that millions of people in middle-income nations will fall into poverty and that COVID-19 will have a significant impact on global inequality. These cyberattacks show yet another way through which inequality may rise with those in economic hardship as a result of COVID-19 being most vulnerable to social engineering attacks.
On the business side of things, while there is existent guidance on how to securely conduct remote work, this is mainly targeted at large corporations that have dedicated cybersecurity teams. It is small and medium enterprises that will require funding and upskilling through government funded programs.
Lest we see long lasting negative consequences for individuals and smaller businesses, governments around the world best see towards upskilling their population to prepare them for COVID-19 related cyber risks.
It is necessary to properly educate society on how to protect themselves from COVID-19 related cybercrime. This is crucial, as a lack of information could lead to even more economic hardship for individuals and businesses. There is ultimately no such thing as an infinitely secure network, but one way to help secure us is by bridging the gap of asymmetric cybersecurity knowledge through widespread government funded training and awareness.
by Carlos Beaujean
Carlos is a third year International Relations student at King’s College London and Editor of the Technology & Innovation Policy Center at KTT.
Alzahrani, A. “Coronavirus Social Engineering Attacks: Issues and Recommendations.” Article. International Journal of Advanced Computer Science and Applications 11, no. 5 (2020): 154-61. https://doi.org/10.14569/IJACSA.2020.0110523.
“Beware of Criminals Pretending to Be Who.” WHO, 2020, accessed 11th October, 2020, https://www.who.int/about/communications/cyber-security.
Coden, Michael, Karalee Close, Walter Bohmayr, Kris Winkler, and Brett Thorson, “Managing the Cyber Risks of Remote Work.” Boston Consulting Group, 20th March, 2020, https://www.bcg.com/publications/2020/covid-remote-work-cyber-security.
“Ftc Covid-19 and Stimulus Reports.” Tableau Software, Updated 16th October 2020, accessed 18th October, 2020, https://public.tableau.com/profile/federal.trade.commission#!/vizhome/COVID-19andStimulusReports/Map.
Eddy, Melissa, and Nicole Perlroth. “Cyber Attack Suspected in German Woman’s Death.” The New York Times, 18th September 2020. https://www.nytimes.com/2020/09/18/world/europe/cyber-attack-germany-ransomeware-death.html.
Marks, Joseph. “The Cybersecurity 202: Coronavirus Crisis Spawned More Scams Than Any Other Event in the Last Decade.” The Washington Post, 24th August 2020. https://www.washingtonpost.com/politics/2020/08/24/cybersecurity-202-coronavirus-crisis-spawned-more-scams-than-any-other-event-last-decade/.
Naidoo, Rennie. “A Multi-Level Influence Model of Covid-19 Themed Cybercrime.” European Journal of Information Systems 29, no. 3 (2020/05/03 2020): 306-21. https://doi.org/10.1080/0960085X.2020.1771222.
Singh, Param, “Shadow It in the ‘Age of Coronavirus’.” BetaNews, 2020, https://betanews.com/2020/08/19/shadow-it-age-of-coronavirus/.
Tett, Gillan. “Why Covid-19 Is a Gift for Cyber Criminals.” Financial Times, 15th July 2020. https://www.ft.com/content/935a9004-0aa5-47a2-897a-2fe173116cc9.Wheatley, Jonathan. “Covid-19 Will Push Millions in Middle-Income Nations into Poverty, Warns World Bank.” Financial Times, 7th October 2020. https://www.ft.com/content/2a41fa8b-e5d1-4102-b14f-7ec5820a5d7d.