Pandemic’s Surge Of Online Activity Creates Bonanza For Cybercriminals
The pandemic-era tactics of bad actors — and how public and private entities are responding.
Most people have heard the old adage, “Never let a good crisis go to waste,” often in reference to a political agenda. But with the onset of the Covid-19 pandemic, cybercriminals have taken the advice.
“This pandemic forced 10 years of digital transformation in three or four months,” said Jeremy A. Grant, the managing director of technology business strategy in the cybersecurity practice at Venable LLP, which he described as boutique cybersecurity advisory practice within Venable that works closely with attorneys. Grant also led the program office of National Strategy for Trusted Identities in Cyberspace, an initiative of the Obama Administration.
Grant said that when the pandemic hit, companies had to scramble to secure their networks. On the consumer side there was “direct fraud that came with the virtual elimination of in-person transactions,” he added. Everything from government services to the financial sector to retail shifted online. Criminals took advantage because a lot of the tools used to verify identity on the internet “aren’t as sophisticated as we want them to be.”
State unemployment systems were hit especially hard because most of them don’t have good online verification tools, Grant noted.
A March update from the U.S. Department of Labor indicates that “at least $89 billion of the estimated $896 billion in [unemployment benefits provided in response to the pandemic] could be paid improperly, with a significant portion attributable to fraud.” And this is only if the percentage of improper payments stays in line with recent trends. The real number is likely to be much higher.
“States have been hemorrhaging money,” Grant said.
To make matters worse, the states have been slow to wade through the mess of fraudulent claims, meaning legitimate applicants for unemployment benefits have had to wait and then wait some more. If people can’t clear the state’s identity system, Grant said, they’re stuck for months in “this Kafkaesque hell” where they can’t prove who they are and can’t pay their rent.
Identity Theft
Nor have cyber-grifters restricted themselves to unemployment benefits. Overall, losses due to identity theft rose from $502.5 billion in 2019 to $712.4 billion in 2020, an increase of 42 percent “primarily due to the COVID-19 pandemic,” according to a survey and report by Aite Group LLC, a research and consulting firm. The report also estimates that losses from identity theft will reach $721.3 billion in 2021 before leveling off to $621.3 billion in 2022.
The explosion in cybercrime does not surprise Joseph V. DeMarco, a partner at DeMarco Law, PLLC, who counsels clients on information privacy and security, computer intrusions, and online fraud, among other things. DeMarco is also a member of the faculty for the Practising Law Institute’s programs on cyber law.
Cybercriminals will use “the fact of the pandemic to trick people into doing things like clicking on a link or responding to emails” to get at their sensitive personal information, DeMarco said. He witnessed the same kinds of increases after the September 11 terrorist attacks and Hurricane Sandy.
“The reason some of these are so successful is that they play on people’s sympathy, their fear, their desire to do something in a tough situation,” DeMarco said. “Particularly in the early days of the pandemic when all everyone was thinking was, ‘Do I have enough canned beans in my cupboard?’”
Fraudulent messages from government agencies are a common ploy, DeMarco added, such as a fake warning from the Centers for Disease Control or the state health department. People see supposed information about the pandemic, anxiety overrides caution, and they click. Most recently, these ploys have been related to the Covid-19 vaccine.
Government loan programs have also been leveraged by criminals, who might trick people into submitting a fake application to capture personal financial details, or use fraudulently obtained information to apply for loans to which they’re not entitled, DeMarco continued.
Grant reported that phishing attacks have skyrocketed over the last few years. In addition to pandemic-related messages, the lure might be pornography, hair loss remedies, “anything they think people will click on,” he said.
For a long time inserting malware onto a person’s machine and phishing were neck and neck as the preferred methods of cybercriminals, Grant explained. “Then we hit an inflection point when phishing grew exponentially.” Malware requires a certain level of sophistication, he said. Phishing is easier. If a cybercriminal “sends thousands of emails and gets only a small percentage to click, it’s still a good result.”
Remote Work and Cyber-hygiene
And of course, the prevalence of working from home during the pandemic has created problems. “It is imperative for people to be working on secure computers,” DeMarco said. Organizations need to “make sure computer systems are up to date with antivirus software that is managed by the IT department.”
DeMarco also recommended having employees log in through a secure connection — a virtual private network, or VPN, as opposed to a website.
In a recent article on cyber-hygiene, quoted here by permission, DeMarco said employees need to avoid using personal email accounts. “Many major webmail providers have . . . suffered data breaches in recent years and these non-enterprise email accounts usually lack the robust protections that centrally-managed commercial accounts often have, such as multi-factor authentication or logs that would help a forensic investigator determine the cause and scope of a breach.”
Cloud-based backups for personal computers may also cause problems. “Files may even be synching from the employee’s personal computer to the cloud without their knowledge. Employees should be advised to search these accounts for any work-related data on the personal cloud accounts and permanently delete it,” according to the article.
If a company fails to direct its workers to follow these protocols, it could very well find itself in litigation. “It really does depend on how [a breach] happened,” DeMarco said. “If you fall victim to a scammer through no fault of your own then you might have recourse against the person who enabled the fraud.”
He offered the example of a client whose real-estate closing went awry. “Just prior to closing they got an email from someone telling them where to send the funds, but the attorneys’ system was hacked by bad guys.”
As a result, the funds were misdirected. In such a case, “the seller’s attorneys might have some liability to the purchaser for allowing their system to get hacked,” DeMarco said. It all depends on the facts, but a failure to instruct employees on good cyber-hygiene certainly would not help.
Improving Online Verification
Aside from simple precautions that employees can take at home, businesses and public entities are working furiously to improve online verification systems. The latest coronavirus stimulus relief package from the federal government included nearly $2 billion to improve cybersecurity. Grant noted that good commercial services exist to help governments and businesses solve this problem.
He also mentioned the FIDO Alliance, which describes itself on its website as “an open industry association with a focused mission: authentication standards to help reduce the world’s over-reliance on passwords.”
According to Grant, FIDO — Fast Identity Online — is an industry standard developed and supported by governments and more than 250 companies, including tech titans Microsoft, Apple, Google, and Facebook, as well as “anyone who makes a browser, any company that manufactures chips, plus a number of big banks, payment firms, and security vendors.”
The alliance has agreed on a “set of standards that are now embedded in almost any device you buy,” Grant said, that combines an on-device biometric match with public-key cryptography to enable password-free authentication that is both more secure and easier to use. Launched eight years ago, FIDO standards have achieved significant global acceptance.
“I’m a little on the optimistic side,” Grant said. “We can rally around new means of verification. There has been a dedicated industry effort to get to something better.”
For the latest on cybersecurity, visit PLI’s programs: Twenty-Second Annual Institute on Privacy and Cybersecurity Law and Cybersecurity Best Practices for Lawyers 2021. Click here for additional programs.
Elizabeth M. Bennett was a business reporter who moved into legal journalism when she covered the Delaware courts, a beat that inspired her to go to law school. After a few years as a practicing attorney in the Philadelphia region, she decamped to the Pacific Northwest and returned to freelance reporting and editing.