The U.K.’s growing panic about the spread of coronavirus has created an open season for fraudsters, with government agencies and cybersecurity companies reporting unprecedented levels of criminal activity since the virus began sweeping across the globe in January.
With anxiety levels rising amid lockdowns and daily reports of the increasing death rate, organized criminal gangs have moved to systematically exploit the widespread paranoia with a variety of sophisticated campaigns. These range from phishing emails purporting to come from official organizations such as the U.K. National Health Service (NHS), to fake COVID-19 tracking apps and social media plugins which install malware on the victim’s phone or computer.
According to the National Fraud Intelligence Bureau, by the end of March, total losses to such scams reached nearly £970,000. Global cybersecurity firm Proofpoint, which has its European headquarters in the U.K., explains that there has been a sharp rise in fraud attempts over the past couple of months as criminals recognize the unique opportunities presented by COVID-19.
“Everyone is interested in COVID-19 information because it affects all of us, and so this is the first time these attackers have had a target base that is in an emotionally and psychologically fragile state across the board,” said Sherrod DeGrippo, senior director of threat research and detection at Proofpoint. “Currently we see 140 different types of scam campaigns a day, while typically that’s around 25. It’s significantly higher than we’ve dealt with before.”
According to Proofpoint, criminals will send hundreds of thousands of phishing emails at any one time. Around 70% look to deliver some form of malware, such as a Trojan, to steal the victim’s passwords, by impersonating and copying messages sent by a company to its employees or by trusted official bodies such as the World Health Organization.
“One of the most common ploys is emails which say, click here for a list of people who are infected with COVID-19,” said DeGrippo. “Or click here for information about a new vaccine, or an important update about what we’re doing to deal with this threat. And once they have your password, they can make money by either selling it as part of a package to other criminal groups, or using it to log into other services where they hope you’ve reused that password in the past.”
The National Fraud Intelligence Bureau is urging the public to remain vigilant about such scams.
“Criminals are able to use spoofing technology to send texts and emails impersonating organizations that you know and trust,” said Superintendent Sanjay Andersen. “We would remind anyone who receives an unexpected text or email asking for personal or financial details not to click on the links or attachments, and don’t respond to any messages that ask for your personal or financial details.”
These scams are continuously evolving in response to the changing news cycle. In recent weeks, many have taken advantage of public goodwill towards health care workers by impersonating the NHS, and encouraging recipients to make a donation towards the doctors and nurses fighting the pandemic. Some fraudsters have even capitalized on the rise of conspiracy theories regarding the virus, by driving people to websites which pretend to offer secret information on how to survive the outbreak in return for payment.
Research from IT security firm Check Point found that 4,000 COVID-19 domains have been registered so far in 2020, many of which are thought to be fronts for cybercrime.
Criminals have even taken advantage of people’s fear of catching the virus within their local community by designing sophisticated fake apps which they market as a new way of tracking infected people in your neighborhood.
“They use this concept to persuade people to go off market and download these apps off non-legitimate websites,” said Paul Ducklin, principal research scientist at cybersecurity firm Sophos. “And then as soon as you give the app the permissions it asks for, it installs ransomware, locks your phone and demands money.”
But despite expert warnings, the number of people falling for such scams is only likely to increase while the pandemic rages on.
“The entire point of these criminal groups is to get their target to take some form of action, and if they can convince them to click on a link or enter credentials, then they’re successful,” said DeGrippo. “Some of the people who do this are very professional — they approach it as a full-time job — and they’ve found they can use the emotional hook of people being concerned about this disease to get them to take actions more easily than they would have done otherwise.”