The City of London Police and National Cyber Security Centre have reported a rise in threats and crime related to Covid-19 over the past year
The UK’s police forces have recorded more than 6,000 cases of Covid-related fraud and cybercrime since 1st March 2020, with the UK’s pandemic response infrastructure being a regular target.
Data released by the Action Fraud team and the National Fraud Intelligence Bureau has said £34.5m had been stolen after receiving 6,073 reports of coronavirus related fraud and cybercrime.
Pandemic Peaks
Since the start of the pandemic, national fraud units have arrested over 150 criminals believed to have been committing fraud while national restrictions were in place. In addition, more than 2,000 websites, phone number and email addresses linked to fraud were taken down.
Examples seen by the DCPCU during the coronavirus outbreak include messages purporting to be from the government, offering people financial support including one off payments and loans, and messages impersonating the NHS offering people the coronavirus vaccine. The unit has already seen 30 criminals convicted since March 2020 and has taken down 773 social media accounts used to commit fraud.
Jamie Akhtar, CEO and Co-Founder of CyberSmart notes: “Cybercriminals thrive in situations of chaos, preying on our emotions to pull off phishing attacks, and our distraction to infiltrate the systems and networks we use inside and outside of the work environment. It comes as no surprise then that we have seen a spike in Covid-19 related scams and a significant sum lost to these bad actors.”
In total, the City of London Police received more than 416,000 reports of fraud and cyber-crime with reports of online shopping fraud being at an all-time high since records began. The force revealed there has been an increase in online shopping fraud (42%) and romance fraud (20%) committed in the past 11 months, and a decrease (15.5%) in computer software service fraud. This, it said, shows the effect the pandemic has had on the type of fraud criminals committed.
Targeting the NHS
In addition, the UK’s National Cyber Security Centre (NCSC) also tracked a massive uptick in threats and crime related to the pandemic, alarmingly in some cases directed specifically at health organisations.
Chris Hauk, Consumer Privacy Champion at Pixel Privacy says: “Crooks will continue to target victims for access to their banking and credit card information, as well as targeting the NHS, vaccine makers, charities, and other COVID-19 related agencies and firms.”
Hauk suggests, “Users need to be aware of banking, romance scams, and fake tech support scams that are spreading like wildfire. Tech support will never call a user out of the blue, nor will banks and credit card companies ask you for your information over the phone. Do not click links in unsolicited emails and text messages, and never open attachments.”
Additionally, the force revealed it was faced with the new threat of coronavirus-related fraud and cyber-crime. The data showed that the peaks of these reports occurred in April and May 2020, with another spike in January 2021, following a coronavirus vaccine phishing campaign.
“Phishers usually target people who are on some kind of government assistance program so unfortunately these scams often end up hurting those most in need,” says Chad Anderson, Senior Security Researcher at DomainTools. “The first targeted malware we were seeing leveraging COVID-19 fears targeted people on a government assistance program in Japan, claiming that their benefits would be cut if they did not open a malicious document. Attackers always go after those that fear losing something enough that they are willing to risk clicking.”
The Dedicated Card and Payment Crime Unit (DCPCU), another specialist fraud unit with a national remit, has also made a number of significant arrests related to coronavirus crime. The unit, comprised of officers from the City of London and Metropolitan Police and funded by the banking industry, has executed 99 warrants since the start of the pandemic and made 56 arrests, 27% of which were of criminals committing coronavirus-related “smishing”, phishing attempts delivered by SMS text message rather than via email.
Examples seen by the DCPCU during the coronavirus outbreak include messages purporting to be from the government, offering people financial support including one off payments and loans, and messages impersonating the NHS offering people the coronavirus vaccine. The unit has already seen 30 criminals convicted since March 2020 and has taken down 773 social media accounts used to commit fraud.
Anderson adds: “Unfortunately, we are unlikely to see a decrease in cybercriminals’ efforts to capitalise on this crisis. This shift can best be seen with the change in interest from domains registered using the term “covid” early in the pandemic to domains using the term “vaccine” much later after vaccine research had been announced. As scams continue to evolve, we advise users to be extra vigilant when signing up for medical services online as many phishing, both over text message and email, are already appearing leveraging Covid-19 vaccinations as a lure.”
Avoiding further risk
The NCSC is reportedly tackling about 30 “significant attacks” a month against the country’s pandemic response infrastructure, including attempts to breach organisations such as the NHS, vaccine producers and vaccine supply chains. NCSC operations director Paul Chichester disclosed that there had been a number of successful ransomware incidents against businesses – “roughly around 10”.
“As we continue to avoid further cyberattacks as well as ransomware incidents, organisations need to be pro-active to their employees to bring attention to such scams and websites where information can be leaked,” says Dean Ferrando, Systems Engineering Manager (EMEA) at Tripwire. “An effective way to bring attention to these scams is to test employees’ responses by sending controlled test phishing emails and see if they report it or open it. If the latter, appropriate communications, and awareness can be shared. Practical exercises have a far better success rate than email communications and alerts.”
The City of London Police commissioner, Ian Dyson said in a statement: “Policing has had to adapt quickly to what is an ever-changing public health situation, but nothing has stopped us from pursuing these individuals and disrupting their activity.”
He added: “We are committed to protecting the public from fraud and have worked closely with all our partners in law enforcement and the private sector to make arrests, gather evidence, and ultimately bring criminals before the courts.”
