The COVID-19 pandemic not only posed a public health crisis but also created cyber scam opportunities for cybercriminals to exploit the vulnerable in the rapidly changing digital environment
With the outbreak of the pandemic, cybercriminals quickly identified ways to exploit the public. As supply shortages of test kits emerged, scammers were ready to fill the void with counterfeit products. This set the scene for an explosion of offenders posing as government agents, health officials, and delivery companies, preying on people’s trust and their need for essential supplies.
The number of phishing emails and text messages sent exploded, with phishing attacks increasing by 220%. Victims received fake vaccinations and government handout offers to encourage them to hand over valuable financial information. Unaware of the danger, many trusted the people contacting them and handed over details with little hesitation.
Not only did they exploit the vulnerable, but they also exploited the insecure practices to which we have become accustomed. Companies and governments have, by default, trained us to accept their methods of communication and engagement, often using emails and text messages that urge immediate action and display the same attributes as those sent from cybercriminals.
The biggest cyber scam targets
During this period, financial services and fintech companies became prime targets. Cybercriminals saw opportunities to exploit the digital nature of these services, enabling them to hack accounts and access the financial information of vulnerable individuals.
The most targeted group were older individuals. Criminals exploited their limited digital literacy to access their account information or impersonate them through online banking channels. Furthermore, financial services firms dealing with pandemic-related issues could not respond and improve their security methods fast enough to see off the threat, leading to more successful cyber scams and greater efforts by criminals to obtain private financial information. Consequently, impersonation scam cases doubled to 39,394 in 2020, driven mainly by vaccine-related texts.
For many older adults, vulnerable and single individuals, social distancing rules worsened the situation. Victims didn’t have family members close by to assist them or protect them against suspected phishing, scam calls or romance scams. Consequently, victims experienced a 32% increase in investment scam cases and a 38% increase in romance scams (where scammers pretend to be legitimate prospective partners but then ask their victims for money over the Internet).
The losses from the pandemic were substantial. UK data suggests Authorised Push Payment (APP) fraud losses totalled £479m, around 5% higher than the previous year. Banks only returned £206.9m to customers, but most losses accrued to victims.
Financial services
The increasing sophistication of cyber scammers, particularly with the advent of generative AI, poses significant challenges. Although financial services firms have implemented advanced fraud management and trust and safety technologies to detect anomalies across devices and user behaviors, there are still fundamental weaknesses that need improvement.
Firstly, there is a need to continue to invest and implement more robust awareness campaigns, a strategy many banks and lenders already adopt routinely. Companies must consistently warn users about the risk of cyber scams during transactions. This effort should not be sporadic; education must be a collaborative, ongoing effort between industry and government.
Secondly, companies must change how they engage with their customers. It is no longer acceptable to communicate in ways that could inadvertently expose and train customers to fall victim to fraud. For example, a cryptocurrency exchange might send users promotional activities via email, SMS, or push notifications, including a link that prompts the users to log in to activate the promotion. This method mirrors the tactics used by cyber criminals to phish for user details. To counter this, marketing strategies must evolve to include clear, direct communications that encourage users to independently navigate to the website and log in, training them to never click links to interact with their brand.
Third, there needs to be a collective effort between industry and government to adopt stronger methods of authentication. Educating users about tools like password managers, which allow for the maintenance of singular, complex, and unique passwords for each website, is essential. Additionally, TOTP (Time- Based One-Time Password) and hardware device tokens enhance multi-factor authentication by generating codes that do not rely on potentially insecure emails or messages. Furthermore, we should overhaul our current practices by promoting the adoption of passkeys – a secure, ‘password-less’ method for authenticating user accounts. With the government’s role in educating the public and the industry’s push to support this new secure authentication method, we can collectively reduce our citizens’ exposure to these attacks.
Finally, fintech companies can implement more robust reporting methodologies. These ensure firms collect a repository of information about suspicious accounts, agents, or activities and prevent potentially harmful transactions from occurring if they believe they aren’t in the interest of their clients. Approaches like these require proper reporting, computerisation and, possibly, the implementation of deep-learning systems.
Government initiatives
The government has a complementary role in preventing threat actors from accessing and exploiting individuals’ financial information. Authorities can install systems to reduce the overall instances of fraud across the financial network (and the incentives of those perpetrating it).
On the enforcement side, governments could increase the resources devoted to cybercrime and prosecuting criminals, focusing on upskilling the existing workforce. Additional resources and stricter penalties might deter some individuals from taking advantage of situations like the pandemic, especially if there are more severe penalties for attacking critical infrastructure like hospitals.
On the prevention side, governments can improve regulation and legal frameworks. Singapore is a world leader in this regard; the country recently introduced its MAS Shared Responsibility Framework (SRF) to improve collaboration between the government, fintech firms and users to boost the security of the financial system. This framework importantly establishes a transparent structure for the responsibility model that all stakeholders need to adopt, reducing ambiguity and finger-pointing when threat actors are successful.
Telecommunication companies must also play a crucial role, given the numerous phishing attempts via text and phone porting. Companies in this sector should verify the sender’s ID, allowing only authorized aggregators to ensure messages originate from legitimate sources. Additionally, telecommunications firms must prevent such messages from reaching their users at the source.
Lastly, telcos must implement anti-spam filters. These detect malicious SMS links and prevent recipients from clicking on items that could harvest their sensitive financial information.
Whistleblowing and early detection
At the beginning of the pandemic, as these cases increased significantly, individuals working in financial crime, fraud management, security, and trust and safety functions witnessed the impact in real time. Unfortunately, there was often a lag between identifying new emerging risks and the urgency being downplayed by middle management, which resulted in a significant gap between identification and getting the appropriate resources to respond.
The implementation of whistleblowing software solutions, such as Confide whistleblowing software, improves the flow of information by providing individuals with a channel to report serious risks. These tools enhance risk awareness and enable timely communication. Overall, this improves the data points available to the Board, Risk, and Audit Committees, providing critical insights into emerging threats at an early stage and allowing for a rapid response.
Lessons learned
The pandemic taught financial service firms and the government how vulnerable people were to cyberattacks. For criminals, it was open season to steal their victims’ hard-earned savings.
To prevent this, companies and the authorities must implement proactive measures to reduce the number of successful crimes. Blocking phishing, educating customers, adapting technology and implementing early detection tools are essential to prevent similar episodes from occurring again.
