Digital payments deepen the threat of online fraud in Covid era
Simply sign up to the Cyber Security myFT Digest -- delivered directly to your inbox.
One of the many effects of the Covid-19 pandemic has been an acceleration of the rise of digital payments and the demise of cash, driven by social distancing measures and fears that the virus could linger for weeks on currency notes and coins.
In Europe, Germans are increasingly ditching cash for hygiene reasons, according to Initiative Deutsche Zahlungssysteme, a payment industry organisation. In the US, more than 50 per cent of consumers say they want to stop using cash in favour of debit cards, according to data from California-based Travis Credit Union.
This shift, which was already well under way before the pandemic struck, has deepened concerns about potential cyber security risks for consumers and businesses, as well as new kinds of fraud.
“You have no privacy when you use an online payment system. Your transactions are transparent in a way that they never were before,” says James Lewis, an expert in cyber security at the Center for Strategic and International Studies, a Washington-based think-tank.
The pandemic has quickened the pace towards digital payments, he adds. Mr Lewis pointed to data from Adobe’s Analytics Digital Economy Index unit showing that total US online spending in May — at the height of the first wave of lockdowns — reached $82.5bn, up 77 per cent from the same month a year earlier.
The risks attached to digital payments include hackers and scammers stealing bank account details, social security numbers and other personal information. Although data theft at the point of transaction is difficult, cyber criminals may instead look to access databases that contain credit- or debit-card information.
Online scammers have also altered their tactics during the pandemic — including instances of fraudulent online messages offering Covid-19 medical packages and relief payments. These scams ask individuals to verify their personal information such as passwords, accounts and other payment information, in order to steal money.
More than 900,000 spam messages, 700 malware attacks and 48,000 malicious domains were discovered in the first four months of 2020, according to an Interpol report — all mentioning coronavirus.
In the UK, scammers have called elderly people with offers of doing their shopping and then asking for their bank card details. Scam callers in Australia impersonated the country's energy regulator to offer them a reduction on the price of electricity due to the virus and subsequently asked victims for their bank information to deposit a refund.
The Internet of Things — everyday objects connected to the web whose numbers are estimated to grow from 22bn in 2018 to 50bn by 2030 — also creates opportunities for cyber thieves, according to Michael Christodoulides, an IoT expert at PA Consulting, a London-based management consultancy. Some of these devices not only contain personal data but are also capable of online transactions.
“The continued growth in contactless purchases, accelerated by health protection measures due to Covid-19, increases the onus on IoT vendors to engage with software developers and technologists to mitigate risk,” he adds.
Cyber criminals have also become more imaginative during the pandemic. Cifas, a UK-based fraud prevention organisation, identified an online scam in the shape of a quiz that appears to test people’s knowledge of the coronavirus but, in reality, gathers information linked with online transactions.
“We are seeing a lot of attacks that are targeting how people use digital payment systems, says Stephen Purser, head of core operations at the EU Agency for Cyber Security (Enisa) in Athens. “This is mainly phishing attacks and some of these attacks are being used to spread malware. The pandemic is . . . forcing people to use electronic means of payment for far more things than they did in the past.”
Many recent phishing attacks are exploiting confusion around the pandemic, he adds. In some instances, users receive emails asking them for donations for a relief fund, but when they open the file it infects their computer. Cyber criminals are also putting out false information about cures or remedies for the virus or even vaccination schemes, Mr Purser warns.
Paul Hampton, a senior payment expert at Thales, the French defence and technology group, says that mobile banking apps with multi-factor authentication are relatively safe. But he warns: “People should remain vigilant as we have seen criminals actively targeting people who are new to electronic banking and attempting to use the pandemic as a means to coerce people into installing fraudulent applications or visit fraudulent websites masquerading as their real bank.”
Mr Purser says fraud can be averted by consumers not saving their card details with an online retailer and staying away from “sketchy” websites. “A cheap product may end up costing you much more.”