Last week on Deep Dive, we looked at how local leaders in Brazil were able to affect public health outcomes during the COVID-19 pandemic, even in the face of resistance from the national government. This week, we’ll examine new research on the other side of the ledger — people who looked at the pandemic and asked, “How can I exploit this?” We’re going to delve into cybercrime in the age of COVID-19.
Related: Checking in on the pandemic: Part I
Cybercrime, despite its technical reputation, is primarily a social phenomenon. When you click the phishing link in your email, for example, it’s not because some hacker arranged zeroes and ones in precisely the right order. Instead, it’s because you really did want to help that poor minor European noble recover their lost fortune — it plays on your conscience. When something — say, a pandemic — causes worldwide social upheaval, therefore, we can expect it to change the world of cybercrime.
In a new article in the journal Computers & Security, researchers Harjinder Singh Lallie, Lynsey Shepherd, Jason Nurse, Arnau Erola, Gregory Epiphaniou, Carsten Maple, and Xavier Bellekens attempt to track that change. Their work is informed by past instances of real world events causing spikes in cybercrime. Some of those spikes play on people’s sympathies during a disaster. After Hurricane Katrina (and basically every major natural disaster since), for instance, fraudulent websites appeared soliciting donations for hurricane victims. Others have exploited people’s curiosity in a confusing situation, such as the wave of spam emails that circulated after Michael Jackson’s death promising to reveal the truth in exchange for cash. COVID-19 offers the most widespread combination of disaster and confusion humans have seen in a lifetime, so Lallie et al. figured that there would be a substantial cybercrime response. Indeed, early numbers bear this out — according to one report, phishing attacks jumped 600% in March 2020.
Lallie et al. wanted to know more specifics about the relationship between the pandemic and cybercrime, so they built a timeline of major events in the cybercrime world and the COVID-19 spread and response. They found that many cybercrimes closely tracked the evolution of the pandemic, responding to changes in infection rates and public health policies quite quickly. What’s more, cybercriminals got quicker at responding to those changes as the pandemic went on. In the UK, for instance, in early March 2020 hospitals announced they were running out of personal protective equipment. It took over a month for scammers to send emails with fake offers of personal protective equipment, capturing credit card information from people desperate for functional masks. By late April of that year, however, scammers took just two days to respond to the UK government’s job retention scheme with a phishing email urging people to sign up for a fake version of the scheme.
The pandemic also changed how people take in online threats. Many people who work on computers in their day jobs do so (or, rather, did so) at companies with on-site tech support and anti-virus protections. When the pandemic turned those employees into work-from-homers conducting Zoom meetings on their personal computers, the protection offered by in-office tech support largely vanished. People needed the internet more for work, but were also left more exposed on the internet than ever before. This vulnerability, the researchers believe, may be contributing to the increase in pandemic-era cybercrime.
At the same time, the pandemic forced governments to gather large datasets for use in public health campaigns. The tendency toward data sharing is important for managing public health response, but, Lallie et al. warn, it also creates inviting targets for cybercriminals. Those databases could be very valuable if hacked, both to cybercriminals themselves and to a range of state and private buyers. The pandemic is creating more opportunities for people to have their private information exposed without their consent.
Most of all, though, the pandemic has created an environment of uncertainty and fear in which crimes relying on information asymmetries can thrive. One extortion email Lallie et al. tracked threatens recipients by saying, “If I do not get the payment, I will infect every member of your family with coronavirus.” Today, that threat seems laughable — how would some mass emailer give your family COVID? In March 2020, however, when the email was going around and there was widespread confusion about how the virus spread, the not knowing made more than a few people cough up some Bitcoin just to be safe.