10 Covid security threats – and how to banish them

The threat landscape changed beyond recognition amid the pandemic – and the bad actors are not going away anytime soon. Here’s how to tackle danger swiftly and head-on, writes Chris Allen

To say the world has been turned on its head in the last 18 months is no overstatement. What was commonplace pre-pandemic now seems bizarre – and what was alien until last year now seems normal. 

Covid19 has altered almost all the parameters of our lives – and cybersecurity underpins and protects many of these new behaviours.

Cybercriminals have become acutely attuned to every twist and turn of the pandemic, ruthlessly calculating how they can exploit the latest government announcement for their own ends.

The annual ‘State of The Phish’ study from Proofpoint reports an “explosion of pandemic-themed phishing scams” and a continued surge in ransomware attacks.

Here are the top ten threats born or exacerbated during Covid19, all of which are likely to persist for the foreseeable future:

1. NHS Test and Trace service: Criminals are sending phishes claiming the recipient has been in contact with someone diagnosed with Covid19. These missives point to fake websites used to steal information or infect devices.

2. Vaccine passports: Users receive texts purporting to be from the NHS asking them to register for a vaccine passport; they are then sent to a fake website to submit personal details. 

3. Hybrid working: New normal work environs have prompted a rush of “welcome back to the office” emails supposedly from the office manager or CIO, which include links to a bogus updated hybrid working plan, research from Malwarebytes shows.

4. Royal Mail phishing scams: These scams are growing more sophisticated through the use of ‘bouncer codes’ that analyse the software the potential victim is running before deciding whether to grant access to the fake website.

5. Government impersonation: This year will see a jump in these types of scams as governments send out more frequent advisories to citizens and organisations.

6. Covid19 charity donations: The pandemic has provided scammers with a golden opportunity to defraud well-intentioned donors.

7. Digital fatigue: Increased levels of working from home and interminable hours of Zoom meetings have driven up digital fatigue levels. This special type of pandemic exhaustion supercharges phishing effectiveness as workers become less likely to check email veracity.

8. Ransomware: This is the fastest-growing type of cybercrime, with an attack happening somewhere on the planet every five seconds, say consultants PwC.

9. Criminals getting smarter: Bad actors are increasingly using VPNs to carry out attacks anonymously. In June this year the UK’s National Crime Agency assisted Dutch police in the dramatic takedown of DoubleVPN.

10. Fake friends: PwC reports a staggering increase in the sophistication of social engineering attackers, with fake LinkedIn profiles proving a popular vector.

How should these threats be managed?

As any good performance-based sports team will tell you, marginal gains are key.

Little things like increasing employee awareness of potential threat vectors through regular contact – both email and face-to-face sessions – can help. 

It’s also essential to adequately train your employees on what not to post on social media and on how to spot the signs of suspicious emails.

Ensuring whichever browser your company uses has an anti-phishing add-on is also useful.

Combatting digital fatigue is perhaps the most important security protection factor, as this particular malaise facilitates all types of cyber criminality. Logic dictates that a zapped-out worker is much more likely to click on a malevolent link than an employee who is fully alert. With this in mind, companies would also do well to implement effective mental and digital wellbeing strategies.

Chris Allen is a lecturer, researcher and director at Criminis Training and Consultancy Services, specialising in organised and cyber crime.