While crime rates in the UK have dropped by more than 20%, cybercrime seems to be on the rise. Phishing related attacks are up by a staggering 667% compared to pre-pandemic February, and more than £2M has been reported lost by victims of Coronavirus-related scams. Despite common belief, not all cybercriminals are technology wizards who spend their days in a basement hacking into government servers. Some use simple tricks and social engineering, which hardly require technical expertise.
Cybercriminals are learning fast and are already actively using the COVID-19 themes to lure their victims. The scams vary from fraudulent WhatsApp messages from the supermarkets giving free vouchers to emails offering HMRC tax refunds or asking for NHS donations.
Let us explore the most common threats:
- Malicious domains. There are many registered domains on the Internet that contain words such as "coronavirus" and "covid19". Most are not legitimate and are used in spam campaigns, phishing, or to spread malware.
- Malware, spyware and trojans are often embedded in interactive coronavirus maps and websites. Spam emails, social media, and even text messages have been tricking users into clicking on links that download malware to their computers or mobile devices or direct them to malicious domain.
- Ransomware is a type of malicious software that criminals use to encrypt your data denying access until a ransom is paid, usually to a BitCoin account. You can even find Ransomware on the dark web as a ransomware-as-a-service product. This type of attacks often target large organisations (remember the NHS WannaCry attack in 2017?).
- Sextortion is a type of phishing scam where victims are threatened to post intimate photos or videos on social media and blackmailed for money. Action Fraud reported almost 9.5K victims of sextortion scam in April this year.
The best defence against cyberattacks is knowledge! Learning about how they operate will make it easier to spot suspicious activity and prevent potential damage. The government has set up a virtual cybersecurity school for teens where they can learn how to crack codes, fix security flaws and track criminal digital trails. The training is fun, interactive and comes in the shape of a game. It is intended to inspire youngsters to work in the cyber security sector and is a "part of plans to make sure the country develops the next generation of professional cyber defenders" (GOV.UK).
There are a few guidelines which we regularly share with our staff:Backup of your files using secure cloud-based tools.
At Infomentum, we leverage SaaS products to store all types of content, including programming code, data, unstructured content or documents. We use several cloud-based secure repositories, like Confluence, Jira, Google Drive, Git, which our staff access using their corporate accounts.
Use strong passwords.
Use passwords that are 8-15 characters long and have a combination of letters, numbers and special characters. Avoid common substitutions (e.g. P@ssw0rd!) and dictionary words. Also, avoid using the same password for all systems.
Watch for suspicious messages.
Avoid opening suspiciously looking emails or text messages; delete them immediately.
Be aware of fake URL links.
Always verify from a secure and known source if a link is genuine. If you receive a suspicious email or a text message asking you to click a link, always go online and search for information on the message you have received. Do not try to copy the URL to use in your search as you might end up clicking it by accident.
Update software & IoT devices.
Always keep all your software updated; not just your mobiles and laptop, but also home devices connected to your network (smart TV, game consoles, voice assistants, smart doorbells etc). Check with the manufacturer how to update your IoT devices' firmware.
Strengthen home network security.
Make sure the firmware of your WiFi router is up to date, change the manufacturer's passwords to set you own. WiFi routers broadcast their names (SSID) by default, so prevent hacking by altering your router settings to rename or hide your WiFi identifier. Turn off features like the Universal Plug & Play ("UPnP") on your WiFi router and IoT devices to enhance their security. Also, don't forget to change the default passwords on all your IoT devices!
Secure social media presence.
Manage your social media profiles and regularly check your privacy and security settings. You can find some guidance here.
Always be as sceptical online as you would be offline.
Educate friends & family.
Teach those around you about online dangers and how they can protect themselves. Have an open conversation with your children about potential risks, discuss if they think anything is suspicious. Share this information with parents and older relatives as they often become victims of cybercrimes.