Australia’s COVID vaccinations a shot in the arm for cybercrime

A flood of new phone- and SMS-based scam losses reported by Telstra—and an anticipated surge as Australia’s COVID-19 vaccine rollout finally gets under way—highlight just how much scam-hit remote workers continue to be a thorn in CSOs’ sides.

Now that the seasonal spike of Valentine’s Day romance scams has passed—and based on the experience of countries where COVID-19 vaccinations have already been rolled out—cybersecurity experts are urging Australian companies to brace themselves for a surge in vaccine-related scams as Australia begins administering the long-awaited Pfizer jabs on 22 February 2021.

A “significant number” of new Australian domain names—more than 5,000 in the last two months—have already been registered “with a specific focus on vaccination”, said Michael Connory, CEO with security consultancy Security in Depth.

“We’ve been able to track and see the crime gangs specifically target the UK, USA, Canada, and other countries with rollouts, so we know [an Australian upsurge] is definitely coming. The initial focus is to try and harvest as many credentials as you can possibly get by recreating government websites and government type messages,” he said, warning Australian businesses to expect a surge in scam emails promising information about how to get vaccinated, ways to get the more-broadly efficacious Pfizer vaccine instead of the locally manufactured Oxford-AstraZeneca alternative, and other hot-button issues.

As usual, cybercriminals will be dutifully harvesting personal details and taking payments for purported queue-jumping, as well as the inevitable array of SMS, phone, and other email scams. And despite the fact that people should know better by now, Connory fully expects many will continue to get taken in by the scams. “We’ve been watching this happen over and over again in different forms for the past decade,” he said. “After a while, you just become jaded and a little frustrated.”

Yet Australians have been far less well-trained to deal with cyberthreats than they should be, a recent Proofpoint study found. In the Proofpoint study,  only 32% saying their users had been trained about how to deal with such attacks. Worse, the move to remote work, which 80% of respondents said has occurred in their companies, may be reducing the training provided to employees by business security teams.

“Ensuring users understand how to spot and report attempted cyberattacks is undeniably business-critical,” said Crispin Kerr, Proofpoint’s ANZ area vice president, “especially as teams continue to work remotely. While many organisations in Australia say they are delivering security awareness training to their employees, our data shows most are not doing enough.”

Despite blocking efforts, scammers fleeced $22 million from Australians just in January

Automation is helping Australian telecommunications giant Telstra block up to 500,000 scam calls per day, the company said. Part of Telstra’s Cleaner Pipes initiative, the newly launched service complements Telstra’s recent efforts around improving DNS-based filtering of malware traffic and a system to stop spoofing of SMS messages—is already blocking 1.5 million scam calls per week from reaching customers, or 6.5 million per month on average.

Despite its successes to date, “our efforts will always need to evolve to target new, creative tactics that scammers will use,” Telstra CEO Andy Penn wrote, “so no technology platform will ever stop scam calls entirely. Scammers operate on confidence and often victims are influenced to act quickly. If you buy yourself some time to think critically, then your chances of avoiding a scam are far better.”

Yet many Australians still aren’t thinking critically, succumbing in droves to scams through a range of channels that took more than $22 million from victims in January 2021 alone. That month, the government’s ScamWatch service received 19,845 reports of scams that included more than 6,000 phishing scams, 1,700 reports of identity theft, 1,300 online shopping scams, and just over 1,000 remote-access scams.

In-person scams had proven most effective—with just 131 reported incidents fleecing victims of $5.2 million in January. The 10,000 reported phone-based scams netted cybercriminals about $5 million during the same month.

That was just ahead of the $4.4 million lost to email scams and $2.8 million lost to social-networking scams, whose continued effectiveness highlights the challenge that companies continue to face in changing employees’ readiness to succumb to manipulation through a variety of channels.

“Cybercriminals and scammers have not failed to notice that millions of Australians are now much more dependent on technology, so cybercrime is on the rise,” Telstra noted.

Fewer Australians now trust online resources

Small wonder that Australians are becoming less trusting of online resources, with Okta’s latest Digital Trust Index report suggesting that 57% of Australians are more cautious about sharing personal data online since the COVID-19 pandemic drove a surge in cybercriminal activity.

Some 45% of respondents said they had become more wary of phishing emails since the pandemic began, while 43% were more cautious about data breaches and 37% were more aware of potential deception through the use of deepfake videos and photos.

But that awareness—and scepticism—is clearly not widespread enough, given the continued scammer successes on variations of the same old attacks. More user training remains in order.