“Phishing emails work better in a pandemic”: how Covid-19 led to a surge in cybercrime

Attackers are using people's fears to prey on businesses and individuals.


On Sunday 15 March, staff working at the US Health and Human Services Department (HHS) observed an unusual spike in traffic to their servers. US officials believe the attack, which hit HHS's systems millions of times, had been designed to frustrate the health agency's response to the coronavirus outbreak.

One official, who spoke to Bloomberg anonymously, revealed that while the source of the attack is yet to be determined, a foreign state actor may have been responsible. Speaking to the New Statesman, Alan Woodward, a professor of cyber security at Surrey University, warned that if a nation was found to have carried out an attack on another state's infrastructure during the outbreak, they would "reap the whirlwind afterwards".

Such an attack on a country's health system would likely be seen as "tantamount to a declaration of war", Woodward explains. "In a time of national crisis, if someone’s attacking key critical services, that’s way out of the realm of a little bit of virtual warfare. That’s actually affecting real people in a tangible way, potentially causing deaths." Only states that do not care for their own populations, which may suffer the consequences of retaliation, would be "stupid enough" to carry out such an attack during an international crisis, Woodward says.

While there is still some uncertainty over who launched the attack on the HHS, what's clear is that the global cyber-crime industry, which is estimated to generate more than £1tn a year, is seeking to profit from a crisis that has left citizens, businesses and public sector organisations acutely vulnerable. Widespread disruption to industry, twinned with heightened levels of anxiety, plays into hackers’ hands, and business leaders are now reporting a surge in the number of attacks.

Healthcare organisations may be particularly exposed. On 12 and 13 March Brno University Hospital, one of the Czech Republic's primary Covid-19 testing centres, suffered a suspected ransomware attack that, according to reports, forced staff to relocate some patients. Providers of essential services have become a prime target for hackers in recent years. Hackers see them as attractive for one key reason: they face enormous pressure from both taxpayers and their insurers to pay up and resume normal operations. In the midst of the Covid-19 outbreak, hospitals may be even more willing to do so. "I've got a sinking feeling that they could become targets," says Woodward.

In light of the WannaCry ransomware campaign in 2017, the NHS has made a major investment in hospitals' cyber defences, and it's hoped that the health service would be better protected in the event of another attack.

But while healthcare organisations internationally might be at particular risk, citizens and businesses are being advised to be vigilant to scam emails attempting to exploit people's concerns about the virus. The World Health Organisation is one of the many organisations scammers are seeking to impersonate. "The spread of fear is just as contagious as COVID-19," says Jake Moore, a former police officer who specialised in cyber crime and now works for the security firm ESET. "Phishing emails work better in a pandemic."

Earlier this week, the UK's National Cyber Security Centre issued a warning about such scams. "Techniques seen since the start of the year include bogus emails with links claiming to have important updates, which once clicked on lead to devices being infected," the NCSC revealed in a statement. "These ‘phishing’ attempts have been seen in several countries and can lead to loss of money and sensitive data." One allegedly state-sponsored actor is using coronavirus-themed documents to deploy malicious software on to targets' systems.

The NCSC, a division of GCHQ, has taken steps over the last week to remove sites which use the viral outbreak as a way of luring victims into clicking on links that deliver malware or harvest information. “Our advice to the public is to follow our guidance, which includes everything from password advice to spotting suspect emails," said NCSC's director of operations Paul Chichester. “In the event that someone does fall victim to a phishing attempt, they should look to report this to Action Fraud as soon as possible.”

The NCSC lists a number of tips for spotting phishing emails on its website. The agency advises businesses and individuals to watch for poor grammar, punctuation and spelling, oddities in design, and the use of "valued customer" or "friend" rather than a name, all of which are hallmarks of phishing emails.

Threats are another warning sign: emails that ask the recipient to act urgently, such as "send details within 24 hours" or "click here immediately", are major red flags, as are offers of money or access to private information.

Woodward reiterates NCSC's advice. "I’m afraid it’s business as normal," he says. "Assume nothing, believe no-one, and check everything."

Oscar Williams is editor of the New Statesman's sister site NSTech.
