Fraudsters adapt phishing scams to exploit cost-of-living crisis
Around 80,000 Brits a month are falling victim to phishing attacks as fraudsters switch up tactics to take advantage of the cost-of-living crisis and behavioural changes prompted by the pandemic
Fraudsters are adapting their tactics in response to the Covid-19 pandemic and cost-of-living crisis by exploiting those in difficult financial situations, with around 80,000 Brits a month falling for phishing attacks and supplying personal information, according to an Office for National Statistics (ONS) report.
Published on 26 September, the report found that while only 3% of suspected phishing message recipients replied or clicked on a link, this equated to roughly 700,000 people across England and Wales.
It also found that, of those who replied or clicked on a link, 11% provided information that could be used by fraudsters – equating to roughly 80,000 people.
The National Fraud Intelligence Bureau (NFIB) at City of London Police, which is the national policing lead on fraud, has also identified a rising trend of fraudsters promising energy bill and council tax rebates, or otherwise encouraging people to apply for a “cost-of-living payment”, in a way that mimics genuine government support packages.
For example, in the two weeks to 5 August, more than 1,500 reports were made to the Suspicious Emails Reporting Service (Sers) about scam emails pretending to be legitimate rebates from UK energy regulator Ofgem.
The NFIB has also noted a rise in reports involving scams where victims are targeted on WhatsApp by criminals pretending to be someone they know, typically their children.
“Phishing scams continue to pose a significant threat for both individuals and businesses,” said detective chief superintendent Oliver Shaw from City of London Police. “I would urge everyone to be vigilant of unexpected messages or calls that ask for your personal or financial information. Remember, your bank, or any official source, will never ask you to supply personal information via email or text message.”
UK-based fraud prevention service Cifas said there is a “real concern due to the rise in living costs, criminals will look to target loan products and deferred credit services”.
Common campaigns Cifas has encountered include fraudsters posing as utility providers offering deals on energy bills, or competitions to win fuel vouchers.
“Fraudsters are using increasingly sophisticated methods to trick people into parting with their personal and financial information,” said Sandra Peaston, director of research and development at Cifas. “Checking to make sure the person or organisation is genuine, contacting them via their official website and using the check-a-website tool to make sure the site is safe are all ways to thwart a phishing attempt.”
The ONS added that there was also evidence of fraudsters taking advantage of widespread behavioural changes prompted by the pandemic, such as the rise in online shopping and the shift to remote work.
More than half of phishing victims reported, for example, that the message they received came from senders posing as delivery companies. The ONS further noted a ninefold increase in “advance fee fraud” (victims making upfront payments for goods or services which then do not materialise) and a 57% rise in “consumer and retail fraud” from pre-pandemic levels.
It added that fraud has generally increased 25% on pre-pandemic levels (to around 4.5 million offences) in the year to March 2022, nearly two-thirds of which was flagged as cyber-related.
“As the pandemic pushed more consumers towards online shopping and services, cyber criminals were hot on their heels,” said Marijus Briedis, chief technology officer at NordVPN. “A staggering 900% rise in advance fee fraud shows how adaptable cyber criminals have become. Covid-19 and the cost-of-living crisis have been honeypots for fraudsters, giving rise to increasingly cynical ploys to separate victims from their money.”
Increased vulnerability
In August 2022, a Verizon survey found that with the increase in hours, locations and devices employees are using, enterprises are now more vulnerable to a range of cyber attacks.
It found that major attacks were on the rise, with 45% of companies surveyed suffering a compromise in the past 12 months – up 22% year-on-year. Just over half (52%) said they had previously sacrificed the security of mobile devices, including internet of things devices, to “get the job done”.
In February, however, Proofpoint’s latest annual State of the phish report found that organisations in the UK are significantly more likely than the global average to sanction or punish employees who engage with either real or simulated phishing attacks.
UK organisations are also more likely to take severe actions, with 42% inflicting monetary penalties, versus 26% worldwide, and 29% going so far as to fire people based on their interactions with phishing attacks, versus 18% worldwide.
Faced with increasing phishing attacks, a total of 78% of UK organisations told Proofpoint they had needed to deal with at least one ransomware infection stemming from a direct email payload, second-stage malware delivery or exploit, of which 82% paid off their attackers to some degree.
“A staggering amount of UK businesses experienced a phishing attack in 2021, and 91% of those attacks were successful,” said Adenike Cosgrove, international cyber security strategist at Proofpoint, at the time.
“Further, security professionals in the UK are the most likely to face high volumes of non-email-based social engineering attacks,” she said. “This compounds the fact that the UK is facing threats from all angles, however the key to battling these threats starts with employees.
“All of these attacks require human interaction to be successful, emphasising the need for increased employee security awareness and training. Compared with global counterparts, UK workers had the highest awareness of the term ‘phishing’, which is promising, but at only 62%, we still have a way to go to ensure businesses remain secure.”