Plenty more phish in the sea
During the pandemic a digital crimewave has flooded the internet
The rush to remote working has outpaced cyber-security
WHERE REAL markets go, shadow markets often follow. In crime—as in legitimate economic activity—the pandemic has fostered an online boom. The Internet Crime Complaint Centre at America’s Federal Bureau of Investigation (FBI) reports that by June, daily digital crime had risen by 75% since the start of stay-at-home restrictions, and that the number of complaints received in 2020 had all but surpassed the total for 2019. In a new report, Interpol, an international policing body, corroborates these findings, tracking the same trend across member countries. “Cyber-criminals are developing and boosting their attacks at an alarming pace,” according to Jürgen Stock, its secretary-general, “exploiting the fear and uncertainty caused by the unstable social and economic situation created by covid-19.”
This surge has been driven by a dramatic shift online of many forms of economic activity because of the constraints of stay-at-home restrictions and social distancing. According to an index compiled by Adobe Analytics, a consultancy, online spending by American consumers was 76% higher in June than in the same month in 2019, and 55% up in July. Retail fraud has climbed similarly. By June 30th, the US Federal Trade Commission had received almost 140,000 reports since the start of the year, already nearly as many as in all the whole of 2019. And it had had more than 570,000 reports of identity theft—also almost as many as in all of last year—as criminals took advantage of the unfolding economic downturn and people’s general anxiety about the pandemic to exploit them for their personal information, credit-card numbers and banking details.
Criminals’ main method of attack on individuals has been covid-19-related email phishing—impersonating legitimate companies, often banks or credit-card companies, to dupe people into handing over log-ins, passwords or financial information. In recent months emails purporting to be from government and health-care authorities have proliferated, claiming to provide information and offer recommendations about the pandemic.
Often related to phishing attacks, the mushrooming of fraudulent websites and malicious domains has become a widespread problem in its own right. In June, Interpol’s Global Malicious Domain Taskforce identified and analysed more than 200,000 newly registered such sites. These affect more than 80 countries, and like phishing emails, are often designed to mimic official public websites, government portals, banks, and tax and customs authorities. They use the familiarity of trusted organisations to steal people’s personal information or to take payment for non-existent goods, services or government schemes.
Interpol’s cyber-crime division, however, reports that, as the pandemic has worn on, criminal networks have increasingly shifted their targets away from individuals and small businesses to big companies, governments and critical infrastructure. A particularly disruptive tool has been ransomware—hacking data and demanding money for their safe return—deployed against the infrastructure of corporations, government agencies, hospitals and medical centres already overwhelmed with the current health crisis.
When deployed strategically to maximise disruption, institutions are often coerced into paying large ransoms. For example, last month Garmin, a smartwatch-maker, was coerced into paying a ransom rumoured to be in the millions of dollars. This was followed up last week by Canon, a camera-maker. About ten terabytes of hacked private data from Canon are being held ransom by a criminal collective known as Maze. Canon reportedly has so far refused to negotiate.
The sharp rise in digital crime during the pandemic merely accelerates an existing trend. According to the FBI, losses from cyber-crime in America tripled between 2015 and 2019, and Accenture, a consulting firm, estimates that, based on pre-pandemic trends, the global economy would have faced at least $5.2trn in losses due to direct and indirect cyber-attacks over the next five years.
This is a symptom of a world becoming digital faster than individuals and institutions can secure themselves against exploitation. Accenture estimates—again on pre-pandemic trends—that nearly four-fifths of organisations are introducing digitally fuelled innovation “faster than their ability to secure it against cyber-attackers”. This is corroborated by Interpol, which says that cyber-criminals have exploited the abrupt global shift to teleworking.
The poster-child for this rapid technological shift and its perils has been Zoom, a provider of video-conferencing software. Its use has grown explosively during the pandemic. In December 2019, the company’s own record for the number of daily active users had peaked at around 10m, but by April Zoom was recording days with over 300m active users. Zoom, however, has been plagued by security scandals. Most recently Tom Anthony, a web-security expert, reported that he had discovered a vulnerability in the Zoom web client that would allow a malicious actor to crack the passcode for a private meeting by attempting all 1m possible combinations of a six-digit default passcode in a matter of minutes. The chances that this relatively simple vulnerability was not already known to criminals are slim, meaning any private meeting over the last eight months has been vulnerable to eavesdropping, including sensitive internal company discussions and even government cabinet meetings.
For firms and governments, combating this digital crimewave is primarily a matter of investment. Accenture estimates that an average company with revenues in 2018 of more than $20bn could expect to lose 2.8% of revenue through its cyber-security vulnerabilities, so spending more on security clearly makes sense. Accenture highlights the importance of training staff in internet hygiene to limit the success of phishing attacks. For governments, Interpol makes the case for further international co-ordination, and an enhanced exchange of information between the agencies trying to fight cyber-crime.
It may, however, be time to consider the prospect that the expansion in the global digital shadow economy is here to stay. A recent survey of 127 business leaders by Gartner, a research and advisory firm, reported that 47% of respondents intend to allow employees to work remotely full-time even as it becomes possible to return to the workplace; 82% intend to permit remote working at least some of the time. The rapid growth of the digital economy to include a much larger share of day-to-day shopping and business is also likely to be a permanent shift. These structural changes entail vulnerabilities that have no simple fixes and will require great investments in time and resources. There may yet be much bigger phishes to fry.