Tackling the Covid Cyberfraud Pandemic

The Covid-19 lockdown has led to an explosion of fraud and abuse, both on-line and in the “real” world.  Before Test and Trace is fully operational it is already being spoofed .  The problems are not confined to the UK.

Around the world organised crime has adapted  to exploit the opportunities to  pillage central and local government relief programmes, private sector organisations with large numbers of homeworkers, SMEs and charities as well as all those consumers those herded on-line to be fleeced in the isolation of their homes.

A Computer Weekly article on scams targeted at home-based workers (e.g. “Medical leave application”, “Regarding Job …”, “Applying for Job” …) 2.5% of over 10,000 domain names registered last month with Covid/Corona in the title are known to be malicious and a further 16% are “suspicious”.

The NHS is trusted in a way that Apple/Google are not

Much recent publicity has been devoted to claims that the Apple/Google approach is somehow more secure and less of an assault on personal privacy than that proposed by the UK Government. I recently blogged on why Bluetooth, with its known security problems, not Data Protection was the problem with mobile phone apps.  In an previous post on whether protecting data or protecting lives should have priority I referred back to an excellent posting in April by Ross Anderson (inter alia privacy advisors to the BMA) on Contact Tracing in the Real World. The British public appears to share our mistrust of both the technology and its vendors.

The initial findings of an apparently robust study (by academics from the Universities of Warwick and Birmingham) into what the UK public really thinks about tracing apps have been available on Github since the 18th May: “61.6% believed Apple and Google would be somewhat or extremely likely to access the data for other reasons … This level of distrust is much more pronounced than the distrust in government.

By contrast 84.2% would probably or definitely be willing to share with the NHS. Sharing with “researchers” was more acceptable than with local or national government. Sharing with other users was significantly less popular than either. Over half were moderately or extremely concerned that other users could re-identify them. Only 15% expressed concern about re-identification by the NHS.

Depending on how the question is asked, between 2/3 and 3/4 of participants in the study would be probably or definitely download an app, with only 17.6% saying they would probably or definitely not (9.6 would opt out of any contract tracing app).  But the recipient of any shared data, however anonymised, determines acceptability.

Spoofing an NHS Branded Service is therefore one of the biggest risks for UK plc

The risk register for the Privacy Impact assessment for the Isle of Wight pilot has been heavily criticised for what it left out. It is now apparent that it did indeed leave out the biggest risk – that of fraudsters tricking the UK public to sign up to imitation apps in the absence of well protected and authenticated processes for signing up to a genuine NHS branded app.

Police and trading standards have already warned of on-line and off-line impersonation of those offering testing services or demanding access as part of tracing operation.

The City of London Police said “Whilst it is possible for criminals to fake official phone numbers, they cannot fake official website addresses. We would encourage anyone with concerns about a phone call, text message or email they have received, in relation to Test and Trace, to check the website address being provided to you carefully. If possible, type the official address, which will be https://contact-tracing.phe.gov.uk followed by unique characters given to you, directly into your browser.”

Three years ago large parts of the NHS were paralysed, some for weeks on end, by an “accidental” ransomware attack. Six months later a survey by Agari found that almost none of many organisations that make up the NHS had implemented e-mail authentication to prevent impersonation. In January 2020 the NHS Head of Digital blogged on progress but also indicated the scale of the challenge in securing the systems of the NHS. Shortly afterward the nature of that challenge, including delays in compliance with mandatory guidance on e-mail authentication was publicised.

There has been significant progress since. On  21st May the Minister told Parliament that NHSmail (used by 90% of the NHS in England) had implemented DMARC, with policies set to reject emails that fail the DNS checks. She also said that “Within all of health and social care there is a secure email standard to ensure email is securely exchanged. The information standard is published under section 250 of the Health and Social Care Act 2012 and all NHS organisations are required to give due regard to the standard. It also requires NHS organisations not using NHSmail to have a DMARC policy of ‘quarantine’ and an agreed timeline for implementing a ‘reject’ policy.

But a “standard” and a “policy” do not mean compliance. And the answer only applied to England.

It is a major step towards removing one of the most egregious vulnerabilities to systemic fraud within and against the NHS itself – but the NHS is only part of the Test and Trace operation. And the NHS is only one of the UK public sector operations (national and local) exposed to Covid-related fraud.  Meanwhile it is said that half the UK workforce was now remote working and a third of SMEs have fallen victim to phishing attacks, half of them Covid related.  And all those large organisations (whether public or private) which moved rapidly to enable staff (and, in the case of education, pupils and students) to work from home without implementing DNS checking (DKIM, SPF , DMARC and the necessary checking services on their e-mail routers) have unnecessarily exposed themselves to fraud by those impersonating their corporate e-mail services and those of their customers, suppliers and partners.

The scale and nature of attempts to compromise the health care services in the UK and USA is such that the NCSC has also issued an advisory notice on the need to combat “password spraying” attacks.

Current guidance for checking that you really are dealing with Test and Trace.

It may not be possible to know for certain that the text or call you receive, supposedly from one of the NHS Test and Trace team is genuine but the guidance on the website describing the service is clear and unambiguous

Contact tracers will never:

  • Ask you to dial a premium rate number to speak to us (for example, those starting 09 or 087)
  • Ask you to make any form of payment
  • Ask for any details about your bank account
  • Ask for your social media identities or login details, or those of your contacts
  • Ask you for any passwords or PINs, or ask you to set up any passwords or PINs over the phone
  • Ask you to purchase a product
  • Ask you to download any software to your device or ask you to hand over control of your PC, smartphone or tablet
  • Ask you to access any website that does not belong to the Government or NHS

The risk of impersonation is, unfortunately all too real. A City of London Police spokesperson said:

“Unfortunately, criminals will exploit every opportunity they can to defraud innocent people of their money, or steal their personal details.

“This government service is extremely important in the fight against coronavirus and it’s vital the public get on board with it. However, we understand the concerns people have about the opportunity for criminals to commit scams and we are aware from media reports that some scam texts are already in circulation.

“It’s important to remember that NHS Test and Trace will never ask you for financial details, PINs or banking passwords. They will also never visit your home.

“Whilst it is possible for criminals to fake official phone numbers, they cannot fake official website addresses. We would encourage anyone with concerns about a phone call, text message or email they have received, in relation to Test and Trace, to check the website address being provided to you carefully. If possible, type the official address, which will be https://contact-tracing.phe.gov.uk followed by unique characters given to you, directly into your browser.

“If you think you have been sent a scam message, please report it to Action Fraud.”

There is a similar situation with regard to assistance from HMRC and others, let alone Covid-related products, services and quizzes

The Chartered Trading Standards Institute was one of the first to publish a list of the scams under way.  The NCSC Advisory notice issued about the same time was more technical, describing the vectors used.

And there is more to come

UK benefit fraud from relaxing controls to expedite the relief of suffering has been estimated to have resulted in £1.5 billion of fraud already.  Some of the business support schemes are similar open to systemic fraud.  Meanwhile the use of Big Data and AI to target benefits on those who need them most is under attack by those who see the Digital Welfare State  as more of a threat than an opportunity.

As businesses emerge from lockdown they are beginning to discover the damage done to the physical premises of those who have not been taking precautions against fire, theft and “unauthorised occupation“.  I understand that the next meeting of the Digital Policy Alliance cybersecurity group will look at the need for co-operation between law enforcement and industry on guidance for handling  the “unauthorised occupation” of computer systems which the organisation thought were safe because they had been powered down when the users went into furlough.

Further reading

The Government guidance for SMEs and Consumers is here and that for Charities is here.  The easy way to notify suspicious e-mails for automated collation and action to block/take down the website to which they route traffic is here – although this is not the way to “report” if you have become a victim.

You might also wish to consider join the National Trading Standards Friends Against Scams  and taking their course