It is estimated that by 2021 cybercrime will cost the world $6 trillion annually1, and while Covid-19 is not the only factor contributing to that figure, the pandemic has created the perfect hotbed for increased cybercriminal activity. In March 2020 alone there was a 600% increase in Covid related phishing emails2. In the light of Covid-19, it is important that both individuals and organisations are aware of the way threats may present themselves and ensure necessary steps are taken to prevent falling victim to these attacks.
What is unique about the pandemic that makes cybercrime so rife?
Prolonged periods of isolation and uncertainty concerning the future has led to widespread feeling of stress and anxiety, making individuals particularly susceptible to cybercrime. Cybercriminals know this and seek to exploit these vulnerabilities in the form of opportunistic and untargeted attacks.
Furthermore, businesses have had to rapidly react to changing circumstances and for the sake of business continuity it is likely that assets have been left less protected than usual and the safeguards that would have otherwise been in place may have been compromised.
Examples of cybercriminal attacks during the pandemic
Perpetrators have registered fake domains using words such as 'corona', 'covid19' and 'coronavirus'3 with the aim of convincing individuals that they are engaging with legitimate government organisations and recognised public national and international organisations like the World Health Organisation. These fake accounts were used to convince individuals to perform actions presenting itself as providing useful information and providing users the opportunity to donate to help the cause. Cybercriminals also use global news and trends of the virus to send phishing emails and/or text messages. In some cases, they shared malicious web links where individuals would then input their personal information and become subject to financial fraud.
There have also been a number of malicious websites that have been used to install malware which can extract data and cause disruption to services. One of the most notable examples from the pandemic was malware that was installed to a copy of the map released by John Hopkins University to track the expansion of the virus globally. Once downloaded the malware gained remote access to users' systems and device including for example videos, photos and location data. In order to regain access, victims would need to pay the perpetrators, and this would typically be in the form of bitcoins4 which are of course designed to be untraceable.
Key takeaways for organisations
In light of the above, organisations and businesses need to be proactive in putting in place procedures aimed at the protection of personal data and implement cybersecurity measures at all levels, beyond what may have previously been the case pre-Covid. It is important to stress that cybersecurity breaches would in most cases result in a personal data breach5 under the General Data Protection Regulation 2016/679 ("GDPR"), which may trigger notification either to the data protection authority or affected individuals, depending on severity.
Organisations should implement effective breach notification procedures to handle these risks as well as maintaining a breach register to record both notifiable and non-notifiable breaches.
It is also important to consider having appropriate and robust technical and organisation measures in place, which should seek to take account of state of art technology and related costs both at the design phase and also at the point of processing data. Organisations may consider practical steps such as having layered authentication, having in place anti-virus software, a process of managing incidents to try and regain control of data in the various processing streams. Another key step is by increasing staff training, raising awareness of cybercrime and educating on key cybersecurity concepts such as the importance of strong passwords, access controls and training on how to identify suspicious online and digital content can all help prevent individuals and the orgnaisation falling victim to cybercrime.
1. Cybersecurity Ventures, .
2. In its Q1 2020 Top-Clicked Phishing Report, security firm KnowBe4 revealed that phishing email attacks related to COVID-19 increased by 600% in the first quarter of the year. https://blog.knowbe4.com/q1-2020-coronavirus-related-phishing-email-attacks-are-up-600
3. On 3 April 2020, the European Union Agency for Law Enforcement Cooperation (Europol) published a report on the impact of the COVID-19 pandemic on the cybercrime which refers to domain names at the forefront of a significant number of attacks.
4. More information about this can be found in the following article https://krebsonsecurity.com/2020/03/live-coronavirus-map-used-to-spread-malware/. The original map and coronavirus resource centre is available here: https://coronavirus.jhu.edu/map.html.
5. Art. 4 GDPR defines personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.