Going fishing has been heavily discouraged under the COVID-19 restrictions but the online version has taken off, with opportunistic cyber-criminals using the crisis to their advantage.

“Phishing” is a social engineering scam that deceives victims to obtain their data such as login credentials and personal details. Criminals impersonate trusted parties and send emails or text messages (smishing) which use malicious links and logos, similar to the spoofed organisation, to steal personal data or install malware on the victim’s system. As a result, the hackers steal sensitive information which can be used in several harmful ways, such as identity theft, fraud and extortion.

Since the COVID-19 crisis took off, phishing scams have spiked by over 60% according to those monitoring the dark web.  This particular method of cyber-crime has increased for a number of reasons: people are spending more time online in lockdown, they’re hungry for any information on COVID-19 and how to survive it, they are receiving a large volume of contact from Banks and other businesses providing updates on their operating hours and COVID-19 responses, and people are away from their more protective work IT environment. As a result, individuals are more vulnerable to phishing and smishing attempts, especially those that purport to have valuable information, advice or warnings about the pandemic.

The requirement to undertake children’s education from home and most people now working at home means the risks of a personal cyber-attack have grown significantly. Some of the risks arise from the nature of the tools you’re using. Your home devices almost certainly don’t have the same degree of protection as your work environment does and, away from the IT department and enforced multifactor authentication, regular backups and stringent anti-virus processes, your home usage poses increased risks of ransomware or virus attacks.

Phishing is the biggest threat. There are over 2,500 live phishing sites operating globally, including 223 specifically related to COVID-19. International criminal groups are actively targeting households, and these are not just nests of 1-2 disgruntled hackers – they are run as sophisticated businesses.

COVID-19 is not the only popular current choice of “bait”; lockdown has seen home video services rocket in popularity, with an accompanying surge in Netflix-related scams, where, for example, you win a free Netflix account and download an app that then proceeds to take you to the cleaners.  With people of all ages active online at home, and young children potentially accepting these lures, the risks are high.

Vigilance about these threats is an important part of your personal cyber armoury, and there are also several ways you can shore up that home IT platform:

• protect your passwords and login credentials, using password protection software – but ensure it is legit
• rely on genuine news sources for COVID-19 information and maps
• use multi-factor authentication (MFA) – a strong password isn’t enough on its own, have a backup check like a code sent to an app
• monitor to check if you have been breached and hackers are trading your data
• keep software on all devices up to date including antivirus
• sign up to CERT NZ and Netsafe to receive updates on cyber risks and remedies
• backup your data regularly
• don’t open anything you’re unsure about – delete the email, block the sender if it looks dodgy, and train other family members young and old to do the same
• report any cyber incidents to CERT NZ.

Sobering stats

That set of precautions (which is not exhaustive) may seem like a lot of effort over “a few hackers” but the stats are chilling. In 2019 there were almost 5,000 cyber-security incidents in New Zealand, and these are only those that were reported to CERT NZ.  The biggest proportion of the reports were phishing and credential-harvesting attacks, with a financial loss of almost $17 million.

The 2019 findings of a Symantec Corporation report, which studied cyber-crime in 16 countries including New Zealand, are equally worrisome. The global report found there were 800 million victims of online crime, and 117 million of those related to identity theft, while almost 40% suffered financial loss. The stakes - in terms of cost and misery - are high.

It’s worth remembering that phishing isn’t just about hooking the whopper straightaway; hackers prize even seemingly small bits of information they can extract from you, as they compile a dossier that eventually enables them to reel in the big one.

Don’t take the bait! The historic advice on phishing - to NOT open any email, attachment or link to a website you’re not sure about - is now even more vital, so you and your family can stay cyber safe during the pandemic.