The COVID-19 crisis is driving changes in the routines of institutions and individuals, as businesses, educational institutions and other organisations recommend or require employees to engage in social distancing in a collective attempt to minimise the spread of the virus. As well as having global socioeconomic effects, these changes in routine create opportunities for crimes. In this blog, Dr David Buil-Gil, Professor Nicholas Lord, Professor Emma Barrett, Professor Daniel Dresner and Brian Higgins examine what these new crime opportunities might be, and how we might mitigate the impact of digital security issues.
- The move towards home working is affecting a large proportion of the population, and we can expect residential burglaries to decrease and domestic violence to increase in the coming weeks.
- The number of cyber security incidents is likely to increase in the coming months, given the growing number of employees working from home.
- Organisations asking employees to work from home should make sure they alert employees to the risks they may face when conducting their activities from home.
- Individuals and small businesses need to be aware of attempts to entice them into parting with their cash.
- The UK Government needs to identify and disavow attempts to target businesses and individuals – especially as some have done so by masquerading as UK Government departments or agencies.
Home working, routine activities and cyber-victimisation
The move towards home working is affecting a large proportion of the population. Those directly affected by the virus are encouraged to self-isolate, and many companies are asking employees to work from home. This has obvious impacts on citizens’ offline and online routine activities. For instance, many people will now be using their personal computers to access business information and web conferencing will be taking the place of in-person meetings. The number of people out on the streets will decrease dramatically and online shopping will likely grow as a way to purchase products and services. Businesses will most likely remain empty while homes will be occupied most of the time. All these changes are already affecting opportunities for crime.
The volume of residential burglaries will probably decrease in the following weeks, given that many will remain at home throughout the day and serve as guardians of their households. Pickpocketing is also likely to decrease around tourist attractions with fewer people to target. Nevertheless, the COVID-19 crisis may have the opposite effect on burglaries at businesses, since shops and companies may be targeted by criminals given the extended time that these remain empty, and domestic abuse rates are likely to grow.
The fact that many employees will begin using their personal computers and laptops to conduct business-related activities from home is also likely to increase digital vulnerabilities and cyber-victimisation. Many personal computers suffer from poor software protection, whereas office-based business-owned computers tend to be better protected against computer viruses. For instance, our preliminary analyses of the UK Government’s Cyber Security Breaches Survey suggest that companies that allow employees to use their personal computers to conduct business activity increase the likelihood of suffering cyberattacks by more than 20 percent. So we can expect the rate of cyber security breaches to increase in the coming months. But there are other cyber crime-related issues that are also likely to arise.
Online frauds and phishing
The internet allows for an increased visibility and accessibility to crime targets due to the absence of online guardians and the frequency and variety of everyday activities that users conduct online. If the COVID-19 crisis multiplies the number of users of e-commerce systems, either because persons with symptoms are self-isolating or because citizens spend more time at home to prevent contagion, it is also likely that new opportunities for online fraud will arise.
One may expect that the more online shopping there is, the more opportunities for cyber-criminals to target victims online. Moreover, the growing concerns about the spread of the virus create new opportunities for the selling of fraudulent coronavirus-related products. UK Action Fraud (the UK’s reporting centre for financial cyber crime) has so far identified more than 20 scams directly related to the pandemic, with victims’ losses greater than £800,000. The most prevalent example is the selling of disposable dust or surgical masks instead of recommended protective equipment, or the selling of masks that are never delivered. Other examples are the selling of bogus coconut and kale ‘cures’. Amazon has already removed more than one million fraudulent products. Moreover, cryptomarkets, which are typically used to pay for drugs, computer viruses and credit card details, are now being used to sell surgical masks and even coronavirus-infected blood.
Cybercriminals abuse public concerns about coronavirus in phishing campaigns, with bogus emails (see Figure 1) deployed to harvest login details from victims. Offenders also exploit the altruism of those who want to help: Kaspersky has reported fraudulent emails asking users to donate Bitcoin to support the finding of a vaccine. There are also reports of online ‘coronavirus maps’ designed to disseminate malware and steal passwords.
And criminals will entice victims with almost-credible promises in forged government notices, such as the one below in Figure 2.
Figure 1. Fraudulent email
Figure 2. Forged Government notice
What can organisations do?
The most effective strategy to prevent cyber crime is to develop training and awareness programmes specific to internet exposure risks. So, organisations asking employees to work from home should make sure they alert employees to the risks they may face when conducting their activities from home. Point them towards reputable sources of guidance. For instance, Action Fraud, the Financial Conduct Authority and National Cyber Security Centre (NCSC) have published tips to prevent fraud and phishing scams during the coronavirus crisis.
Ideally, organisations should also provide equipment and software for employees to work from home, but in these extreme circumstances, many employees will need to use their own devices. NCSC has published guidance for organisations on developing a ‘Bring Your Own Device’ policy, much of which will be relevant to people working from home.
What can individuals and small businesses do?
Individuals and small business owners should put in place short-term measures such as taking snapshot backups and assuring access to the work of colleagues who may need to take time off sick. Doing this without messy password-sharing is essential.
In addition, they need to be aware of attempts to entice them into parting with their cash. When buying goods, they should use reputable suppliers to avoid supply frauds. It is essential to be cautious when dealing with emails asking for money or to authorise a financial transaction. In such circumstances, a quick phone call to a reputable number to check the request is genuine might save you losing money to criminals.
What can the Government do?
The UK Government needs to move quickly to identify and disavow attempts to target business and individuals. The cooperation with e-commerce providers will be key to prevent fraudulent products from being advertised, and UK Government agencies should establish dialogue with insurance companies to ensure that these can manage the impact of COVID-19 on their operations while protecting consumers’ rights.
It is key that agencies such as Action Fraud, the Financial Conduct Authority and NCSC keep updating their guidance on this. To reduce offline risks, businesses will no doubt be reviewing the security measures at premises that will be left empty.
In order to mitigate the impact of social isolation on women and children experiencing domestic abuse, many charities offer opportunities for support via online methods, but they need resources to continue, and local governments and police must also play their part. At a time when council and emergency service resources are stretched to their limits, responding to intimate partner violence could easily be forgotten. The government must ensure that it is not.