Most people have heard the old saying “never let a good crisis go to waste”, often in relation to a political agenda. But with the outbreak of the Covid-19 pandemic, cyber criminals have followed the advice.
“This pandemic forced 10 years of digital transformation in three or four months,” said Jeremy A. Grant, director of technology business strategy in the cybersecurity practice at Venable LLP, which he described as a boutique cybersecurity advisory practice that works closely with attorneys. Grant also ran the program office for the National Strategy for Trusted Identities in Cyberspace, an initiative of the Obama administration.
Grant said when the pandemic hit, companies had to mix and match to secure their networks. On the consumer side, there was “direct fraud that went hand in hand with the virtual elimination of personal transactions,” he added. Everything from government services to the financial sector to retail has shifted online. Criminals took advantage of the fact that many of the online identity verification tools “aren’t as sophisticated as we’d like them to be”.
State unemployment systems have been particularly hard hit as most of them lack good online screening tools, Grant noted.
A March update from the US Department of Labor states that “at least $89 billion of the estimated $896 billion in [unemployment benefits provided in response to the pandemic] could be paid inappropriately, a significant part of which is due to fraud.” And that is only if the percentage of improper payments is in line with recent trends. The real number is likely to be much higher.
“States are bleeding money,” Grant said.
To make matters worse, states have been slow to work through the clutter of fraudulent claims, which means legitimate applicants have had to wait for unemployment benefits and then wait a little longer. If people can’t sort out the state’s identity system, they’ll be stuck in “this Kafkaesque hell” for months, where they can’t prove who they are and can’t pay their rent.
Cyber criminals haven’t limited themselves to unemployment benefits either. Overall, identity theft losses rose from $502.5 billion in 2019 to $712.4 billion in 2020, a 42 percent increase, “primarily due to the COVID-19 pandemic,” according to a survey and report from Aite Group LLC, a research and consultancy firm. The report also estimates that identity theft losses will hit $721.3 billion in 2021, before rising to $621.3 billion in 2022.
The cyber crime explosion does not surprise Joseph V. DeMarco, a partner in DeMarco Law, PLLC, who advises clients on issues such as privacy and security, computer intrusion, and online fraud. DeMarco is also a faculty member for the Practicing Law Institute’s programs on cyber law.
Cyber criminals will “use the fact of the pandemic to trick people into doing things like clicking a link or replying to an email” to get their sensitive personal information, DeMarco said. He saw the same gains after the September 11th terrorist attacks and Hurricane Sandy.
“The reason some of them are so successful is because they play with people’s compassion, fear and desire to do something in a difficult situation,” said DeMarco. “Especially in the early days of the pandemic when everyone was thinking, ‘Do I have enough canned beans in my closet?'”
Fraudulent messages from government agencies are a common ploy, DeMarco added, such as a fake warning from the Centers for Disease Control or the state health department. People see alleged information about the pandemic, fear takes precedence over caution, and they click. Most recently, these tricks were linked to the Covid-19 vaccine.
Government loan programs have also been used by criminals who could trick people into submitting a fake application to collect personal financial information or use fraudulently obtained information to apply for loans to which they are not entitled, DeMarco continued.
Grant reported that phishing attacks have skyrocketed in recent years. In addition to pandemic-related news, the bait could be pornography, hair loss drugs, and “anything they think people will click on,” he said.
For a long time, injecting malware into a person’s computer and phishing were neck and neck as the methods of choice for cyber criminals, Grant explained. “Then we reached a tipping point when phishing increased exponentially.” Malware requires a certain amount of sophistication, he said. Phishing is easier. If a cybercriminal “sends thousands of emails and only gets a small percentage to click, that’s still a good result.”
Remote work and cyber hygiene
And of course, the proliferation of work from home created problems during the pandemic. “It is imperative that people work on secure computers,” said DeMarco. Organizations need to “ensure that computer systems are up to date with anti-virus software that is being managed by the IT department”.
DeMarco also recommended that employees log in using a secure connection – a virtual private network or VPN as opposed to a website.
In a recent article on cyber hygiene, quoted here with permission, DeMarco said employees must avoid using personal email accounts. “Lots of major webmail providers have . . . suffered data breaches over the past few years, and these off-site email accounts typically lack the robust protection that centrally managed business accounts often provide, such as, for example, multi-factor authentication or protocols that a forensic investigator can use to determine the cause and extent of a breach.”
Cloud-based backups for PCs can also cause problems. “Files may even be synchronized from the employee’s PC to the cloud without their knowledge. Employees should be advised to search these accounts for work-related data in their personal cloud accounts and delete them permanently,” the article says.
If a company does not instruct its employees to adhere to these protocols, litigation can very well result. “It really depends on how [a breach] happened,” said DeMarco. “If you fall victim to a fraud through no fault of your own, you may have recourse to the person who made the fraud possible.”
He offered the example of a client whose property closing had gone wrong. “Just before closing, they got an email from someone telling them where to send the money, but the lawyer system was hacked by bad guys.”
As a result, funds have been misdirected. In such a case, “the seller’s lawyers may have some liability to the buyer for their system being hacked,” DeMarco said. It all depends on the facts, but failure to train staff on good cyber hygiene would certainly not help.
Online verification improvement
Aside from simple precautionary measures that employees can take at home, companies and public institutions are working hard to improve online verification systems. The federal government’s latest coronavirus stimulus aid package included nearly $2 billion to enhance cybersecurity. Grant noted that there were good commercial services to help governments and businesses solve this problem.
He also mentioned the FIDO Alliance, which on its website describes itself as “an open industry association with a focused mission: authentication standards to reduce the world’s over-reliance on passwords”.
According to Grant, FIDO – Fast Identity Online – is an industry standard developed and supported by governments and more than 250 companies, including technology titans Microsoft, Apple, Google, and Facebook, and “anyone who makes a browser, any company that manufactures chips, as well as a number of major banks, payment companies, and security providers.”
The alliance has agreed on a number of standards that are now embedded in almost every device you buy. According to Grant, on-device biometric matching is combined with public key cryptography to enable password-free authentication that is both more secure and easier to use. The FIDO standards introduced eight years ago have gained significant acceptance worldwide.
“I’m a little optimistic,” said Grant. “We can look for new means of verification. The industry has worked hard to achieve something better.”
For the most up-to-date information on cybersecurity, see the PLI programs: Twenty-Second Annual Data Protection and Cybersecurity Law Institute and Cyber Security Lawyer Best Practices 2021.
Elizabeth M. Bennett was a business reporter who turned to legal journalism while covering the Delaware courts. That beat inspired her to go to law school. After spending a few years practicing law in the Philadelphia area, she retired to the Pacific Northwest and returned to freelance reporting and editing.