Coronavirus crisis brings rise in cybercrime

Cybercriminals are taking advantage of the COVID-19 crisis to attack our computers, tablets and smartphones and steal sensitive and personal data. Being at home during the lockdown means we are spending more time online and are thus more exposed to the risks involved. David Megías and Helena Rifà, expert researchers in cybersecurity at the Internet Interdisciplinary Institute (IN3) of the Universitat Oberta de Catalunya (UOC), have some practical advice to avoid falling prey to malicious internet activity during the coronavirus pandemic.

Crises provide opportunities to learn. In fact, in Chinese the concept is comprised of the ideograms for danger and for opportunity. But we don't always make the most of opportunities with good intentions. The current crisis could be a breeding ground for common malicious actions that spread online to claim even more victims, as people spend more time than usual on the internet. "Malicious campaigns work statistically. Authors know that there's a given number of users, albeit a small percentage, that will fall for it," said the UOC experts, adding, "Personal data has high value on the black market". These are some of the main reasons that both individual users and businesses should take precautions such as those below to prevent their devices and sensitive data from falling victim to the attacks that abound in these unstable times.  

1. Find out about the protection measures you can take. According to IN3 director David Megías, despite the fact that the public receives "information regarding the risks and vulnerabilities of connecting to the internet, they don't know enough about cybersecurity". One must remember that using a mobile phone for recreational purposes is not the same as handling sensitive company data from home, particularly if we are teleworking intensively. However, confinement is an ideal opportunity to learn good practices for safer browsing. Since one of the best ways to avoid risk is to have quality information, apart from learning from experts, we should consult the websites of official bodies that provide detailed information on cybersecurity. A case in point is the Internet User Security Office (OSI), run by the State Secretariat for Digitization and Artificial Intelligence of the Ministry of Economic Affairs and Digital Transformation, which has practical information on how to browse safely. In any case, Megías insists that "more practical training is needed for home users so that they can learn what options they have to protect themselves against risks."
2. Use strong passwords. "We must have strong passwords, not only to access our emails and sensitive applications such as banking apps, but also for when keys are set by default, for example, in Wi-Fi connections, passwords we must avoid keeping," specified Helena Rifà, director of the Joint University Master's Degree in Information and Communication Technology Security. The UOC professor and researcher warned that, although this is standard advice, vulnerability increases in the current situation and it is necessary to minimize risks.
3. Be aware of the most common malicious practices. These include phishing, which is the impersonation of a legitimate organization or company to request users' personal data. The aim may be from "selling databases with email addresses to even obtaining bank details, if they can get users to disclose them," said Megías. Another such practice is the use of ransomware: users receive a message containing a link that when clicked on initiates the download of a programme that renders the device unusable so that users cannot access their systems and files. A ransom must be paid to regain access.
4. Official bodies do not request details from users in emails. Email is usually only used for mass advertising campaigns and "is not the way personal information is requested," said Megías. "Organizations will never ask us for information using an electronic message with a simple reply here, since sensitive information is never sent in this way," added Rifà.
5. Don't trust emails from unknown senders. "We should be suspicious of emails from senders if we're not sure they are who they say they are," said Megías. According to the researcher, one of the best ways to make sure is to check that the email domain is the usual one, such as .es in the case of a State body, as opposed to .com or .org. "There are even malicious email addresses that have long numerical codes in their headers. Sometimes, if we look at the names that accompany suspicious email  addresses, they don't appear dangerous until we look into the real address they've come from, which has a bizarre alphanumeric format.
6. We must be aware that even though the anti-spam and anti-phishing filters on our email servers work just fine most of the time, they can fail and let the odd malicious mail through. "If, for every 100,000 users that receive a malicious message, only 1% fall into the trap, that's 1,000 users affected. We must realize that these types of attack are designed to target a large number of users," explained Megías.
7. Official market apps, like Google Play and the App Store, have been reviewed and are safe in theory. However, "if we download an app from outside the official market, we leave ourselves open to a malicious attack on our phone or tablet. If you're not sure, don't install any app that is not from an official store," cautioned Megías. "Sometimes, the same curiosity with which we surf the internet leads us to content or websites with interesting data, such as the evolution of the coronavirus in real time. They indicate below that there is an app that we can download to obtain more information, an app that we naively download, install and with which we give additional permissions to malicious actions that can seriously affect our devices," exemplified Rifà.
8. If we are teleworking, we must handle sensitive company data very carefully. The UOC researchers highlight organizations that do not usually work remotely and have not had time to implement an e-work development plan amongst their employees, so that they can consider how to reduce risks like cyberattacks to the minimum. "Attackers play on the lack of foresight in teleworking to  upload more malware to the web," said Rifà. Adapting and being prepared to take the necessary measures to prevent vulnerability in a short space of time is no easy task. "One of the major risks for companies is the data being handled. At this time, workers are accessing sensitive company information from their home computers, which, in many cases, do not meet the cybersecurity standards set by organizations, unlike the devices they use in the office," explained Megías.
9. When working for home, avoid making unnecessary copies of sensitive data. According to the UOC experts, we must take care when handling data in our professional activity and save it only exceptionally and temporarily on our home devices. As far as possible, avoid copying data on devices outside the company network, because they lack the security measures and protocols required by regulations such as the General Data Protection Regulation. The researchers give the example of personal and bank details handled by human resources departments.
10. Spreading fake news endangers our own cybersecurity and that of other users. Passing on disinformation on matters of general interest such as COVID-19 not only harms society but can also propagate malicious actions that contain this information. "Before passing on sensitive data, be on the alert, consult reliable sources and don't pass on anything that is unverified," warned Megías. For the UOC researchers this means that even websites with obvious names, with coronavirus in their URL, or  mutual support campaigns can be the focus of malicious action against cybersecurity. In the experts' opinion, the number one rule to follow, always, is "don't trust what you don't know and whose authenticity has not been confirmed".

UOC experts in cybersecurity

David Megías has been the director of the IN3, a UOC research centre, since 2019 and is one of the  experts involved in the Criminal Use of Information Hiding (CUIng) initiative, which works in cooperation with the Europol European Cybercrime Centre (EC3). He is also principal investigator of the K-riptography and Information Security for Open Networks (KISON) research group, of which Helena Rifà, professor at the Faculty of Computer Science, Multimedia and Telecommunications and director of the Joint University Master's Degree in Information and Communication Technology Security, is also a member.