One of the services we offer is web hosting. As the custodian of our customers’ websites one of the times of year we dread most is Christmas – we always see a massive spike in suspicious traffic and attempts to hack into websites. The kind of people who feel they need to make a living doing this sort of thing assume the days around Christmas and New Year are when hosts and site owners will be at their least alert and have their minds on other things (mistakenly, in our case). This kind of cynical logic, unfortunately also applies to the Coronavirus pandemic. We’ve seen a large increase in suspicious activity at a time where people are generally distracted and our systems have been reporting endless attempts to breach security – none of which have succeeded. As people are dying and watching their livelihoods evaporate, some people are rubbing their hands together and looking for ways to exploit the situation.
It’s not just hardcore hack attempts against the servers that have increased. A whole raft of “softer” scams have emerged in the form of fake emails and texts designed to harvest individuals’ personal details and passwords to services or to download apps which can take over your device. This is known as “social engineering” – in effect, they target the weakest part of a secure system: its human users.
Email fraud is an ever-present nuisance. Scam or “phishing” emails usually take the form of a warning from your bank or a company like Apple, Google or Microsoft (who most people are likely to have an account with) saying there’s something you need to check in your account (expired credit card, special offer, etc.) and you need to log in by clicking a link. The link will take you to a page which is an exact copy of the company or bank’s login page. Entering your password and username here will simply send those precious details directly off to whoever is running the scam and give them instant access to your account to use themselves, or, more likely, to paste into a list full of stolen identities which will be traded online – possibly to several buyers. The page might even redirect to a page on the actual site you thought you were on afterwards to cover its tracks. This is why it’s social engineering. There has been no hacking of any system involved. You have just been made to feel perfectly happy to give away all of your private details to somebody.
Most of these fake emails feature poor styling or branding which a reputable company would never have allowed to be sent out but a lot of them do look pretty convincing. They also usually have spelling or grammatical errors which give them away. Interestingly, we originally just assumed this was because the scammers were not aware of the subtleties of English (after all, it might be hard to hire a professional translator or copychecker to go through their illegal text) but there is a school of thought that says that the scammers are actually cleverer than that and are doing it on purpose: if the recipient of the email is unable to spot simple errors in spelling and grammar then they are of an intelligence level which will make them easier to dupe. Whether this is true or not, you should still look at the branding of the email, accuracy and also style, tone and content of the text. Is it what you would normally expect from whoever it’s supposed to be from? Is it likely that what they are asking is really true? Have they put a time limit on any action they want you to take to add deadline anxiety? Remember how hard it usually is to get in touch with your bank and all of the security questions you have to endure if you have a genuine enquiry? Is it really going to be as easy as clicking a link in an email to get into your account?
Another, more technical way to spot a fraudulent email is to look for the Call to Action (the bit that tells you to do what they want you to do) which is usually to click a link or button. Instead of doing that, hover over the link and wait a second or so. Several email apps will show a popup bubble which displays the actual link in it. The link will be to somewhere obscure rather than one connected with the organisation the email is pretending to come from (e.g. if the email seems to come from NatWest but the link is something like http://natwest.login25.com/here/ejjjwlwop?a=huhiooonj). If this trick doesn’t work on your device or email app, you can still copy a link without actually clicking it and then paste it somewhere to have a look at it without having to visit a potentially dangerous site.
One step up from these emails are fake shops. According NCSC (The UK’s National Cyber Security Centre) over 470 new web shops sprang up in March 2020 selling items purporting to be connected with Coronavirus such as PPE, tests and vaccines…all of which are either fake items or products which only exist as photographs stolen from other sites. We have also seen requests for charity donations. The sites are just there to harvest your personal information or get payments from your credit card (or both). Additionally, once you have paid for something, your card details are stored and, like your login details, can be reused or sold on to other criminals.
Over 2,500 domains have been speculatively registered to take advantage of the crisis such as:
These all should have been taken down by now, but still don’t try looking!
We have also seen scammers move to texting victims. One we saw personally was about a tax rebate which seemed to come from gov.uk but went off to a clone of that site and asked for personal details. Texts which ask you to reply or call back (even if that’s to request that they stop texting you) may be sending you to a premium rate number which you won’t find out about until you get your next (massive) phone bill.
Video conferencing has also seen a huge boost with businesses using online tools to keep in touch with each other and their customers. Zoom and other conferencing apps have seen an enormous surge in popularity, but be careful. We’d say now isn’t a great time to start using a brand new piece of software or networking infrastructure without being fully aware of its security and privacy implications…and, if you’re a business, training all of your staff who are new users properly. Once again, hackers and scammers have a head start and already know how to get into these things (or, in some cases, have even written the apps themselves). If you haven’t already got a tried-and-tested VPN or videoconferencing setup in operation, don’t rush into anything without researching it just to feel like you are doing something you have to do…especially if you only heard about it from an unsolicited email!
It’s sad that some of the first stories we heard from the lockdown were of people knocking on isolated pensioners’ doors and asking them if they needed shopping doing, only to run off with their money. This small section of society will always be present and any simple home-made scams that happen in real life are usually duplicated, multiplied and refined across the internet for maximum effect.
It’s worth noting, that the NCSC say that we haven’t actually seen an increase in cybercrime per se – just that the people doing it have jumped onto a new bandwagon and are looking at a fresh new set of victims who are in a different environment, using unfamiliar software and mixing home and work life online.
It’s become customary to end a message or phone call with the words “stay safe”. It’s worth applying that to your online life as well.