Fraud and cybercrime soar in pandemic

More than 6,000 cases of Covid-related fraud and cybercrime were recorded by the UK's police forces in the 12 months after the virus first struck. But this may be just the tip of the iceberg.

According to the Action Fraud team, which covers activity in England, Wales and Northern Ireland, Covid-related fraud and cybercrime amassed a sum of £34.5 million in stolen money in the 12 months from 1 March last year. And the total is only forecast to rise at an equally alarming rate in the months ahead.

In a related development, the National Cyber Security Centre is tackling several attacks being launched each month against the country's pandemic response infrastructure. These involve attempts to breach the NHS, vaccine producers and vaccine supply chains, among other organisations.

Additional figures disclosed by City of London Police, which co-ordinates efforts to combat fraud, include:

  • More than 150 related arrests have been made since the pandemic began
  • More than 2,000 websites, phone numbers and email addresses linked to the crimes were taken down
  • A total of 416,000 reports of fraud and cyber-crime.

The activity peaked between April and May 2020, and in January 2021 - both times when lockdowns were in force.

The Dedicated Card and Payment Crime Unit, which tackles criminal gangs that are responsible for financial fraud and scams, worked with social media platforms to take down more than 700 accounts linked to fraudulent activity in 2020, of which over 250 were money mule recruiters.

But this may be the tip of the iceberg, it's admitted. In fact, the National Crime Agency estimates that just one in five fraud cases is typically reported to the police. Many of the scams involved conning people out of their money and financial details by focusing on internet shopping.

Related fraud was 42% higher over the pandemic than the preceding year, as criminals took advantage of the fact many physical stores had been forced to close. The pandemic appears, however, to have coincided with a fall in one type of cybercrime, according to the BBC. "Reported cases of computer software service fraud - in which criminals call, offering fake tech support to fool victims into sharing their payment card details and other credentials - dropped by 15.5%," it said.

TARGETING THE VULNERABLE
Nick Emanuel, senior director of Product at Webroot + Carbonite, comments: "This insight comes as no surprise as, following the start of the vaccine rollout last year, our Real-Time Anti-Phishing protection system found a rise in malicious URLs and terms to target vulnerable people, using subjects like the vaccine and COVID-19. In fact, we saw a 336% increase in use of the word 'vaccine' found within suspicious domain names between the 8 December and 6 January, when compared with the month of March 2020.

"Scams using keywords based on emotive subjects concerning medical safety and the pandemic are always going to be more effective, especially when they're in the public interest. Additionally, remote work has forced many employees to use personal devices for business-related activities, which presents unique security concerns," he adds.

"With a higher prevalence of malware and generally fewer security defences in place, it's easier for malware to slip into the corporate network via an employee's personal device. For businesses, better security systems and training are key for protection, along with backing up data."

For individuals, defending against these kinds of attacks should involve security awareness training and remaining vigilant in scrutinising the types of emails they receive, Emanuel advises. "This should also be underpinned by cybersecurity technology such as email filtering, anti-virus protection, and strong password policies."

BEEFING UP THE UK'S IMAGE
Meanwhile, the NCSC has witnessed a significant increase in the number of attacks since February, it reveals. In her first speech as chief executive of the new NCSC, Lindy Cameron paid tribute to what is seen as the 'bold decision' to create a public-facing cyber security organisation within GCHQ. The virtual speech to an audience at Queen's University, Belfast, saw her outline why the UK has a role to play in making it the safest place to live and do business online.

"The cyber security landscape we see now in the UK reflects huge progress and relative strength - but it is not a position we can be complacent about. Cyber security is still not taken as seriously as it should be and simply is not embedded in UK boardrooms," she said. "The pace of change is no excuse - in boardrooms, digital literacy is as non-negotiable as financial or legal literacy. Our CEOs should be as close to their CISO as their finance director and general counsel."

Cybercriminals will often use current events to try to lure victims and the pandemic has offered the perfect bait, states Adam Palmer, chief cybersecurity strategist at Tenable. "Criminals will capitalise on the interest in world events," he comments, "such as using coronavirus-themed malicious emails as a cover to spread a variety of malware, from the Emotet, AZORult and Trickbot trojans, to the Nanocore and Remcos Remote Access trojans. In January 2021, scammers were impersonating the UK's National Health Service via email and text messages, claiming that victims were eligible for their COVID-19 vaccine. The webpage used the same template as the real NHS website and asked users to complete an application, requesting personally identifiable information [PII], as well as banking or credit card information."

The tactic of using current affairs to make scams more successful isn't new, he points out. "We've seen similar types of scams associated with natural disasters and other global events in the past.

"Cyber criminals are inventive and persistent - they will try to elicit information needed to further their crimes in all manner of ways and explore all communication channels, via email [phishing], telephone calls [vishing] or increasingly popular via SMS [SMShing], in the hopes that a small number of victims will respond," he adds.

Palmer concedes that these targeted messages can be tricky for even an alert individual to spot. "The best form of action is to view every communication, no matter how convincing, as suspicious. Rather than interact with links within an electronic message, navigate to the website yourself and search for information to verify fact from fiction. If it's a caller, ask for their name and say you'll get back in touch once you've confirmed the request. When in doubt, report your suspicions to the authorities."

COVID-19 SPIKES
Drawing on data from the Mimecast threat intelligence team, its report, 'The Year of Social Distancing', details how threat actors targeted remote workers during the first year of the pandemic, from March 2020 to February 2021. The report describes how attack volumes surged by 48% during that time, with sudden increases in volume corresponding to spikes in COVID-19 infection rates in April and October 2020.

"Threat actors took advantage of the pandemic to launch a torrent of COVID-19 themed social engineering attacks," states Josh Douglas, vice president, product management at Mimecast, "understanding that people were under stress, working in the home environment, and thus more likely to be deceived and make mistakes."

The second part of that strategy was to 'flood the zone' in security operations centres. "They knew analysts would also be stressed and stretched thin, so overwhelming them with a high volume of threats would increase the likelihood of their attacks slipping through defences."

The report also examines the cyber habits of at-home workers, which revealed some alarming facts, including:

  • A 3x rise in unsafe clicks in March 2020, right when the work-from-home trend began
  • US workers were nearly twice as likely to open suspicious emails as were workers in the UK and Germany
  • A 60% increase in the use of company-issued computers for personal business.

Even though vaccine rollouts are well underway and more organisations may soon start making plans for people to return to offices in the months ahead, the Mimecast threat intelligence team has assessed the likelihood of threat actors continuing to exploit the unsettled work situation as very likely (95%). These exploitation efforts will likely focus both on remote workers and those returning to the office - which could create a new 'unsettled' situation that opens the door to new waves of social engineering campaigns.

"We're now seeing sophisticated digital-deception campaigns where threat actors combine COVID-19-related social engineering with multi-channel campaigns - including email, social media and even phone - to gain credibility with their targets, so they can then be tricked into giving away valuable information or credentials," says Douglas.

"We expect this challenging threat environment to continue for the foreseeable future as employees transition to the new normal which in many cases will be a hybrid in-office/at-home work mix. It has never been more important for enterprises to take steps to counter these digital-deception campaigns by hardening employees as targets through ongoing cybersecurity training programs, and to secure the infrastructure of the new 'virtual workplace' particularly email and collaboration tools."

According to the report, the attacks targeted highly vulnerable sectors, such as:

Attacks on the healthcare sector
"Another way threat actors took advantage of the COVID-19 crisis was to launch attacks on overstretched healthcare systems." Threat actors sought to exploit increased human error associated with the stressful conditions to steal data and infect systems with ransomware-based attacks, in the belief that organisations operating under urgent conditions are more likely to pay ransoms - in this case, hospitals urgently trying to protect the health of their patients.

The summer of ransomware
Mimecast reported the return of Emotet to the threat landscape in July 2020, after a five-month hiatus. This malware dropper is often used to deploy the Trickbot trojan as a second-stage infection, which can then be used to infect machines with ransomware. Mimecast detected increasing volumes throughout the summer (although not all can be attributed to Emotet).

UNABATED EXPLOITATION
As to the likelihood of threat actors continuing to exploit the unsettled work situation, Mimecast has assessed this as almost certain (95%). These efforts will focus both on remote workers and those returning to the office, which creates a whole new range of social engineering opportunities.

OPPORTUNISTIC ATTACKS
"Threat actors always exploit turmoil - whether that turmoil is brought on by unexpected natural disasters, annual events such as tax season, or a once-in-a-century pandemic," says the company.

"So, if we know this, why do they continue to be successful?" it queries. "The answer lies in the compartmentalised way in which companies think about security.

"Just like a magician uses multiple tools (misdirection, lights, special props etc) to deceive the audience into thinking that one thing is happening, only to have another thing happen, threat actors do the same thing, using multiple orchestrated tactics and tools to deceive people into drawing the wrong conclusions, so they are free to execute their attacks."

VISIBILITY ESSENTIAL
And, just as magicians would be ineffective if the audience had complete visibility into their activities, the best way to defeat threat actor cyber deception is to gain greater visibility into their campaigns, suggests Mimecast. "Defence-in-depth remains an important foundation of security strategy; however, it has also contributed to the infrastructure bloat issue that plagues many companies - too many security tools, too few people to manage them all.

"Lessons learned from The Year of Social Distancing: Cyber deception is the problem. Part of the solution to this problem is integration: by integrating best-of-breed cyber security tools, organisations can gain much greater and more precise visibility into cyber deception campaigns to stop them earlier in their development."