Times of pandemic are ripe for fraudsters to prey on people’s vulnerabilities and anxieties. During the 1918-19 Spanish influenza pandemic, an anxious population turned to ‘snake oil salesmen’ and other quack medicines and hoaxes.
The outbreak of the COVID-19 global pandemic a century later in 2020 has been no different in providing a context for human anxiety and weaknesses to be exploited. But the key difference this time around is the use of technology as a platform for harm, particularly when a population in isolation is relying on technology even more than usual for remote working and schooling, social contact, online shopping, other services and entertainment. The significant economic downturn caused by COVID-19 has also made people more financially vulnerable.
All this has led to reports of a spike in online exploitation of the Australian public, ranging from cyber scams, phishing emails, cyber bullying, online image based abuse and even, in a throwback to the snake oil salesmen of a century ago, fake vaccines being sold on the dark web. These pose a risk, not only to individuals, but also to businesses when phishing becomes a means of accessing corporate systems and data (such as via business email compromises).
This article looks at the nature of COVID-19 related cyber exploitation recently experienced in Australia and the response of relevant regulators and government agencies.
The statistics and case studies paint a picture
The statistics, as at the second half of April, paint a picture of the increase in online exploitation:
- Over 1,100 reports of cyber scams to the Australian Competition and Consumer Commission’s (ACCC’s) ‘Scamwatch’ initiative;
- Over 115 COVID-19 cybercrime and cyber security incident reports to the Australian Cyber Security Centre (ACSC);
- Over 20 cyber security incidents affecting COVID-19 response services and/or major suppliers responded to by the ACSC;
- Over 150 malicious COVID-19 themed websites disrupted by the ACSC;
- 645 listings of COVID-19 related products identified from a survey of dark web markets by the Australian Institute of Criminology;
- A 40% increase in cyber bullying reports to the eSafety Commissioner; and
- An 86% increase in image based abuse reports to the eSafety Commissioner.
Examples of COVID-19 related scam case studies outlined by the ACSC and by Scamwatch include the following:
- International health organisation: threat actors are sending a COVID-19 themed phishing email where the sender is pretending to be a well-known international health organisation. The email invites recipients to click on the link to access information about new cases of the COVID-19 virus in their local area;
- Postal service phishing email: under the guise of providing travel advice regarding countries with confirmed cases of COVID-19, the email impersonating Australia Post prompts the recipient to visit a website that will harvest their personal information;
- COVID-19 testing: An SMS phishing campaign where the message was designed to appear as though it came from ‘Gov’ or ‘MyGov’ and requested that recipients click on a link that spoofed an official government domain, which hosted malware;
- Economic stimulus payment: A phishing email was sent to employees of a large Australian company inviting them to click on a link to receive a $1,000 benefit payment, with the link re-directing users to a website designed to install malware onto the company’s corporate network; and
- Fake bank phishing text: An SMS phishing campaign where the threat actor was impersonating well known banks and asking customers, for their safety due to COVID-19, to update their personal details to continue using the bank’s services.
At the time of finalising this article, the contact tracing COVIDSafe app had just been released by the Commonwealth Government and within about 24 hours, there were already reports that a COVIDSafe hoax text was circulating, asking the recipient to call a number and register their reason for being over 20km from home. The depths to which con artists sink, even in a pandemic, know no bounds.
How are Australia’s regulators and agencies responding?
A number of regulators and agencies have acted in responding to this spike in online harm, each with a slightly different focus.
The Australian Cyber Security Centre has, understandably, been at the forefront of the response to COVID-19 related cyber incidents. It has published numerous guides and threat alerts for the public and for businesses about the impact of COVID-19 related cyber scams and other related risks. These have included:
- Threat update: COVID-19 malicious cyber activity, 27 March 2020;
- Threat update: COVID-19 malicious cyber activity, 20 April 2020;
- COVID-19: Cyber security tips when working from home; and
- COVID-19: Protecting Your Small Business.
Beyond its educational role, the ACSC has also been playing a lead role in actually combatting these threats. The Minister for Defence, Senator the Hon Linda Reynolds, has issued a number of media releases during April announcing the work being undertaken by the Australian Signals Directorate, through the ACSC, in mobilising its offensive cyber capabilities to disrupt foreign cyber criminals responsible for malicious activities during COVID-19. Such steps have included:
- Working with Australia’s telecommunications providers to block access to malicious websites identified;
- Working with Google and Microsoft to flag such websites used by cyber criminals as being malicious so as to warn web-users about such sites prior to visiting them;
- Engaging with hospitals and health care providers on the frontline in the fight against COVID-19 to reduce their risk of cyber compromise; and
- Providing a second layer of defence in detecting malicious cyber activity on critical Federal Government networks, including the Department of Health.
The Australian Competition and Consumer Commission, through its ‘Scamwatch’ initiative, has had its attention focused on consumers being targeted by increased scam attempts, providing education and encouraging reporting of incidents. The ACCC has warned consumers to be wary of threat actors who ‘are hoping that you have let your guard down’ using fake emails or text messages to try and obtain personal data or financial gain.
Superannuation scams have been one particular area of risk identified by Scamwatch, with criminals seeking to capitalise on the government’s early release of superannuation measures. The regulators responsible for superannuation trustees, the Australian Securities and Investments Commission and the Australian Prudential Regulation Authority, have issued a joint letter to trustees which includes advice to be alert to possible scams, such as fraud and phishing, emerging from unsettled market conditions and member misunderstandings concerning the early release of superannuation initiative.
The Australian Institute of Criminology (AIC), Australia’s national research and knowledge centre on crime and justice, published a report (‘Availability of COVID-19 related products on Tor darknet markets’) on 30 April 2020. This followed a survey of 20 darknet markets in April to identify the scale of sales of COVID-19 related products including vaccines, ventilators, anti-viral medicines, test kits and surgical masks. The study identified 645 listings of such products across 12 markets and 110 vendors. Some of the products listed were legitimate but involved ‘cash[ing] in on fear and shortages’ while other products, notably vaccines and treatment drugs, would obviously be fake or at least untested. In both instances, what is involved is the use of the underground cyber world of the dark web to exploit public vulnerability to the pandemic for criminal gain.
The eSafety Commissioner has, as noted in the statistics above, revealed significant increases in reports of cyber-bullying and online abuse (for both adults and children) since physical distancing and self-isolation began. These have been exacerbated by the number of people working remotely and also, in particular, by children doing their schooling online. The latest update on 24 April 2020 from the Minister for Cyber Safety is that the eSafety Commission has seen a dramatic increase in ‘sextortion’ scams demanding a payment under threat of releasing intimate webcam captured videos.
The eSafety Commissioner has had a particular focus on the impact of online risks on children, advising parents that, with more children spending time at home and online, they should use parental controls and safe search options, check smart toy settings, look out for unwanted contact and know the signs of cyber bullying. The Commissioner has released a guidance booklet: Covid-19 Global Online Safety Advice for parents and carers (Australian Edition).
At the other end of the spectrum are senior Australians who are also relying more heavily on technology for activities including video chatting with family, ordering groceries and obtaining government information updates. Cyber Safety Minister Paul Fletcher, noting that ‘[t]he online world can often be daunting for senior Australians’, has announced that the eSafety Commissioner has worked closely with Scamwatch to incorporate advice on current scams into webinar materials to empower older citizens to navigate online services and gain greater confidence in using digital technology.
The Office of the Australian Information Commissioner has not been so focussed on the impact of cyber scams per se but more on the broader privacy implications of COVID-19. However, the OAIC, in its recent guidance Assessing privacy risks in changed working environments: Privacy Impact Assessments, has encouraged businesses to assess privacy risks arising from increased work from home arrangements, including educating staff on cyber security practices, such as identifying phishing emails.
It is a sad commentary on human nature that some might use a public health and economic crisis to cause even greater harm. It happened during the Spanish flu pandemic a century ago and is happening again now with the criminal opportunities presented by COVID-19. Australia’s regulators and government agencies have played a role in bringing these threats to public attention and seeking to thwart them wherever possible.
The lesson for both businesses and individuals is to be alert and hyper vigilant about the potential risk and, in the interests of the greater good, report to and cooperate with those Australian regulators and agencies seeking to combat these risks in a time of crisis.
This article was written by Andrew Miers, Partner and Zoe Tishler, Solicitor.