COVID-19 cyber crime is on the rise

The COVID-19 lockdown is an emotionally vulnerable period for everyone. The kinds of negative emotions brought about by the uncertainty and difficulties we are facing during this unprecedented change include fear, anxiety, stress, anger, frustration, sadness and grief.

While physical distancing is the best mitigation response we have for now to prevent further infection and curb the spread of the disease, physical distancing does not have to mean social distancing. We can still maintain and develop deep emotional and social ties using social technologies. In fact, many of us are getting our reassurances and comfort from social media, video communications and e-mail contact.

Unfortunately, unlike the coronavirus that functions blindly, social predators (or perhaps more precisely emotional predators) lurking online are intentionally taking advantage of our fragile emotional state. These cyber criminals are callously exploiting our reliance on technologies for socially connecting by taking advantage of the widespread discussion of COVID-19 in e-mails and across the Web.

Cyber criminals use socio-psychological techniques in persuasion to manipulate their victims. Our initial research at the University of Pretoria's School of IT, Department of Informatics, that analyses the content of the COVID-19 scams, suggests key principles, such as reciprocity, social proof, liking, similarity, authority, distraction, scarcity, commitment, compliance and consistency, are being used in different combinations.

A televangelist solicited donations claiming to have “healed” viewers of the coronavirus through their television screens.

For example, with regard to COVID-19, we feel the obligation to help or contribute to organisations at the frontline of the epidemic. Cyber criminals use a combination of the reciprocity, liking and compliance principles by impersonating credible or reputable institutions such as the World Health Organisation (WHO) and the US Centres for Disease Control and Prevention to lure their victims, by asking for donations.

Cyber criminals also prey on our use of cognitive heuristics to evaluate the credibility of a message. When we are emotionally vulnerable and inundated with huge quantities of information every day, we tend to rely more on quick information-processing techniques to make decisions instead of thinking through our decision in an elaborate and rational manner. For example, victims are also more likely to believe a source name they recognise (such as the WHO) to be credible, with little analysis of the content or the source’s credentials.

Cyber criminals are also counting on their victims to use heuristic processes to guide their evaluation about the sources of information. This can result in end-users becoming victims of disinformation, malware, ransomware and spyware. Fraudsters are then able to infect the victim’s device with malware, steal their password and personal information, block access to their device unless a ransom is paid, scam them out of their money, and even conduct international espionage.

Researchers, cyber security firms and government agencies have observed the use of the following social engineering lures around COVID-19, urging users to click on links or to download files or attached documents:

• Impersonating the WHO, promising information on safety measures to avoid infection.
• Impersonating financial institutions such as the International Monetary Fund that as a result of the pandemic is offering financial relief to businesses.
• Impersonating officials and scientists, and warning of new infection cases in the victim’s area and providing “safety measures”.
• Impersonating doctors and other specialists, enticing users to click on a link to find the latest information on symptoms and treatments.
• Impersonating employers and requesting employees working remotely to read the organisation’s “remote operation policy”.
• Impersonating employers requesting employees to read latest COVID-19 policy update: With the subject line “All Staffs: Mandatory Corona Update”, or “Important company policies regarding COVID-19 virus”.
• Impersonating employers requesting employees to link to a Web site to help you understand how the COVID-19 is affecting the firm.
• Impersonating the brands of organisations users expect to hear from; for example, from the healthcare insurance industry.
• Targeting the healthcare providers by trying to capitalise on the pressure these organisations are facing as a result of an influx of coronavirus cases.
• Impersonating cleaning or heating companies offering duct cleaning services or air filters to protect the household members from COVID-19.
• Impersonating companies selling household decontamination services.
• Impersonating private companies offering fast COVID-19 tests for sale (yet only healthcare providers can perform these tests).
• Posing as official communications from university personnel sent to students offering bogus updates about closures.
• Offering DIY “at home” coronavirus tests and using fake sites to capture credit card information.
• Impersonating the WHO, offering fake lists for sale of COVID-19 infected people in your neighbourhood.
• Impersonating the Public Health Agency, giving false results about being tested positive for COVID-19 and tricking people into confirming your health card and credit card numbers for a prescription.
• Impersonating government departments sending out coronavirus-themed phishing e-mails.
• Running malicious Web sites with domains that reference COVID or COVID-19.
• Running spam campaigns designed to spread fake news, promising coronavirus prevention and cure instructions, offering questionable herbal remedies, fraudulent products, products that could eliminate the virus in elder customers' immune systems, online offers for vaccinations, faster testing and driving users to dubious online drug stores. These sometimes use news alerts that are linked to fake news sites. They can include toothpaste, dietary supplements, ointments and creams that could be used to treat the coronavirus.
• Selling unapproved drugs that could threaten public health and violate the law.
• Using fake and deceptive online ads claiming to have scarce products, such as cleaning products and hand sanitisers.
• Making bulk offers that may contain items that are expired and/or dangerous to one’s health.
• Impersonating the Red Cross and other known charities and offering free medical products (eg, masks) for a donation.
• Unauthorised or fraudulent charities requesting money for victims, products or research. Requesting donations, through charities or crowdfunding sites. For example, a televangelist solicited donations claiming to have “healed” viewers of the coronavirus through their television screens.
• Promoting products or services of listed companies that can prevent, detect, or cure coronavirus and claiming dramatic increases in the share value of these companies.
• Impersonating financial advisors pressuring people to invest in ‘hot’ new stocks related to the disease.
• Screen-lock attacks on Android devices that mimic legitimate sites that provide access to real-time visuals and statistics on the pandemic and then denies the victim access to their phone, charging them about $100 in Bitcoin to unlock the infected devices.
• Spreading malware to Android phones to share statistics about the coronavirus but instead watches users through their smartphone camera, listens using its microphone, or parses text messages.
• Promising free iPhones due to the coronavirus and asking users to click a link.
• Impersonating financial advisors offering financial aid and/or loans to help people and organisations get through the lockdown. For example, using text messages to promote payday loans of $5 000.

It is not unusual for cyber criminals to align their scams to major news events to lure their victims. Given the prodigious media coverage of COVID-19 and the current salience of the topic, it makes sense that we should prepare for a spate of coronavirus-related cyber attacks.

And since these attacks exploit the kind of information that we expect and value, and given our emotional vulnerability, there is a possibility that victim compliance will be higher than normal. Technology-based countermeasures and user education can help us to combat cyber crime.

For starters, cyber security or IT departments should install anti-malware and anti-phishing solutions to prevent many of these malicious e-mails and payloads from reaching intended recipients. Users working remotely should make sure their home computer and other devices are protected by installing anti-spam, anti-spyware and anti-virus software and by keeping their operating system up to date.

Cyber security or IT departments should also monitor and filter coronavirus e-mail phishing scams. Mimecast identified these as e-mail subject lines for coronavirus e-mail phishing scams: “CORONA Virus Update on our Premises ID”; “Coronavirus Sensitive Matter”; “COVID-19 update”; “COVID info #”; “Covid_19 medical support”; “COVID_19 Designated Free Testing Centres in your Locality”; “COVID-19 alert id”.

Additionally, they should monitor and filter phishing e-mails that mimic credible institutions, such as the WHO. For example, WHO does not send e-mail from addresses ending in ‘@who.com’ ,‘@who.org’ or ‘@who-safety.org’.

Cyber security professionals should remind users that defending oneself against phishing attacks is simple: DO NOT CLICK! Organisations should send users COVID-19 information from a single, consistent and legitimate source of communication.

Organisations should perhaps use a single intranet page to communicate coronavirus-related company news to employees. Perhaps inform users not to click on any links in supposed company e-mails. If lured by an offer or piece of information, confirm the credibility of the source via another channel. For example, search on the Internet or make a phone call. Cyber security professionals should also advise their users to set a password to lock their device screens to protect against screen-lockout attacks.

Companies should make their employees more aware of the latest COVID-19 scams. Remind users to scrutinise e-mail messages from organisations that they do not regularly receive messages from. For example, the WHO is unlikely to send e-mails to anyone who is not on its mailing list.

Brand impersonation is common in coronavirus-related e-mail attacks, so also caution users about opening e-mails from organisations they expect to hear from.

A common tactic for coronavirus-related scams is to ask for donations to help those affected by the pandemic. Do not be pressured into making a donation. Verify that a charity is registered, or rather support a credible charity one is familiar with and donate directly. Legitimate charities are unlikely to take donations through Bitcoin wallets, so seeing a Bitcoin request in an e-mail could be a sign of danger.