A prince offering you a share of his fortunes, a message from a long-lost friend stranded abroad who needs you to transfer money, and an email congratulating you for winning a competition you never entered.


These common tropes used by cyberattackers are now well-known, and thankfully recognised by many as scams. But once these attacks are reengineered to spoof information from the World Health Organisation, health service or government departments, phishing attempts become far harder to spot, especially in the context of a global health crisis.


Capitalising on the pandemic

At times of public uncertainty and worry, it is not uncommon for cybercriminals to modify existing scams to capitalise on situations in the wider world. During the Ebola outbreak, those in the cybersecurity industry noted a spike in Ebola-related phishing attacks, with scammers pushing fake products and cures.


Similarly, the 2015-2016 Zika virus epidemic prompted cybercriminals to use bogus cures to trick victims into clicking malicious links, according to cybersecurity firm Symantec.


With business operations abruptly moving to the digital sphere, an uptick in online shopping, and many facing uncertain situations involving both health and employment, it comes as no surprise that the Covid-19 pandemic has followed a similar trajectory.


Google says it is currently blocking around 18 million Covid-19 phishing attempts on Gmail every day, with Action Fraud reporting a 400% rise in coronavirus-related fraud since February.


Both the FBI and the UK National Cyber Security Centre have issued alerts regarding Covid-19 phishing campaigns aiming to steal users' "money, personal information or both", with the FBI warning individuals to be particularly wary of emails purporting to be from governments.

"A perfect storm"

As a result, those in the industry have warned that, with attention often focused elsewhere at this time, cybersecurity must remain a priority.


Troy Hunt is a web security expert, best known for his site Have I Been Pwned, but also an information security author and the creator of several courses on technology skills platform Pluralsight.


Since Hunt created Have I Been Pwned seven years ago, it has grown to become a valuable resource where internet users can enter their email address and check whether it has been affected by a data breach.


Hunt launched the website following the 2013 Adobe data breach, which affected around 130 million user records. Now Have I Been Pwned has around eight billion breached records, and is used by governments, law enforcement agencies and security researchers around the world.


This includes the notorious Collection #1 Data Breach, which contains 1,160,253,228 unique combinations of email addresses and passwords.


Of course, the cybersecurity community is presented with news of a new data breach on an almost daily basis. However, with many workers now operating from home on machines that may not meet the same security standards as those within the office, combined with the fact that many home workers have not been given clear guidelines on how to handle sensitive data, the risk of a breach is amplified.


Piers Wilson, head of product management at Huntsman Security, has described this as a "perfect storm for increasing the risk of breaches" due to the fact that "security processes, system maintenance security audits and even front-line security operations have been disrupted" as many business processes become remote.

Rampant phishing attacks

Once credentials make their way onto the dark web, which is likely the case for many internet users, phishing attacks become even more likely, thus fuelling those looking to capitalise on the pandemic.


In fact, the World Economic Forum has warned that the world should be prepared for a "Covid-like global cyber pandemic that will spread faster and further than a biological virus".


Hunt echoes the views expressed by many in the cybersecurity community that those with malicious intentions have seen the Covid-19 pandemic as an opportunity for exploitation, due in part to a rapid switch to remote working.


“A combination of factors have been amplified due to Covid-19,” he says.


“For example, phishing attacks targeting people’s concern about the pandemic have been rampant with a significant uptick in abuse of less technically savvy users. Remote working has also posed an opportunity.


“As a result of a workforce that’s suddenly found themselves working remotely, attacks that exploit the increasing dependency on publicly accessible online services such as the explosion of hacking online video conferencing tools have increased.”


According to the UK National Cyber Security Centre, although the overall levels of cyber crime have not increased, it has detected more UK government branded scams relating to Covid-19 than any other subject.


Furthermore, according to Mimecast Threat Intelligence, unsafe clicks on email links almost doubled, suggesting that, for some scammers at least, this type of attack is proving successful.


Get Safe Online, a public and private sector partnership that provides resources on protecting against fraud, has warned that fake messages from NHS test and trace staff, malicious links to video calls, emails telling you that you have been fined for not observing lockdown rules and bogus offers of coronavirus insurance have all been used to defraud unsuspecting victims.

Tried and tested techniques

Hunt explains that many hackers are deploying well-known techniques for a new purpose.


“A lot of this is tried-and-tested techniques applied to a new paradigm, for example, social engineering exploiting Covid-19 fear and uncertainty,” he says.


“Phishing emails and texts have been on the rise as fraudsters seek to take advantage of this doubt and pose as reputable organisations such as banks or phone providers asking for people’s passwords, pins and other personal information.”


The financial cost to those affected can be significant, with The National Intelligence Fraud Bureau reporting that between the beginning of February and 1 June, £5m was lost to Covid-19 scams in the UK.


Hunt explains that the impact of this goes beyond the initial financial loss.


“Financial crime is increasing, with online identity fraud becoming more and more prevalent. Besides the loss of money that this can sometimes result in, these crimes can also impact people later on if their credit score is affected,” he says.


“This can happen if a fraudster takes out credit in someone else's name which can lower this victim’s credit score either because they are shown to have the need for more credit or being associated with another person’s poor credit history. It is therefore important for people to be extra careful where they choose to store their personal information online and the passwords that they create to protect this.”

A healthy degree of scepticism

Hunt's advice for approaching Covid-19-related emails can be applied across most areas of cybersecurity: good password practices, along with a healthy dose of scepticism, are key.


“Treat messages related to the pandemic with a healthy degree of scepticism, especially when they may impact the health of your finances,” he says.


“Never give out your pin or password and if you are suspicious of any messages, downloads or links do not click on them.”


Hunt has also voiced his opinions about the use of contact tracing apps, and the privacy and security concerns they have raised, tweeting that he would “willingly run” the TraceTogether app, the coronavirus tracing app launched by the Australian government, but that there are some “very valid concerns” about contact tracing.

Looking beyond the pandemic

It is difficult to find an industry that has not undergone change as a result of the pandemic. But how can the cybersecurity community emerge from the pandemic better prepared for the future?


A report by Deloitte on Covid-19's impact on cybersecurity has highlighted that there is a risk that in the face of economic uncertainty businesses could fall into the trap of "downsizing by cutting off business lines considered as non-critical which may include cybersecurity operations." However, at this time organisations must strengthen their defences against cyberattacks.


According to a survey by Bitdefender, 81% of infosec professionals believe that Covid-19 will change the way their businesses operate in the long term.


Piers Wilson, head of product management at Huntsman Security, has urged businesses to continue to prioritise security as the pandemic continues and beyond.


“Businesses must ensure they are monitoring their systems closely for potential breaches, so they can respond quickly and avert further disruption to their organisations,” he says.


“They must also ensure that they have sufficient visibility of the operation of security controls in both their own networks and across their supply chains (who are also re-arranging IT systems during and post-lockdown).


“It might look as though things have quietened down from a cybersecurity perspective compared to the beginning of the pandemic, but the fact is that the risk is as high today as it was 3 months ago – if not higher. Businesses must continue to keep systems secure as a priority.”


Post-Covid-19, Hunt believes more needs to be done to combat the issue.


“A combination of better education, better tooling and technologies that decrease our dependence on weak verifiers such as passwords,” he says.


“For example, many modern smartphones now have biometric features which don’t eliminate passwords, but greatly reduce our dependency on them. It is also important that while the industry makes the move towards different forms of security, password managers are used. These can ensure the safety of different accounts even if one is compromised by generating strong individual passwords and keeping track of all of them for you.


“Because both of these things require a behavioural change and introduce friction to the login process. People seek out the path of least resistance, even when it may be a detriment to their cyber hygiene. People in the UK are most likely to only rotate two to three passwords for all their online accounts, with only 29% having 5-10 different passwords for their online accounts.”
