Smishing and phishing – two things that should be squashed with the sombrero
Two weeks is a long time in Covid-19. The much-lauded tracing app has not moved beyond its pilot, although the manual tracing scheme was switched on (with some glitches) on 28 May 2020. The scheme is expected to be fully operational by the end of June, although it is not clear when the app will be launched. 25,000 contact tracers are now part of the UK test, trace and isolate infrastructure that now seems a critical part of our route out of lockdown, and we are told that the app has moved from the centre of this strategy to ‘the cherry on the top’. Reports from some of our clients in England are that the test scheme is working better than expected, with tests taken and results obtained within 24-hour periods, and in my role as Director of the Institute of AI I have been facilitating calls with legislators from around the globe to understand any lessons to be learned from the roll-out of the app or of broader tech to tackle Covid-19.
What does seem clear is that, regardless of whether the tracing is manual or via tech, the speed of the roll-out means that limited consideration has been given to the impact on human interactions, to how criminals will exploit these vulnerabilities, or to how employer rules on the use of tech in the workplace will need to be adapted. Employer requirements such as that all phones must be stored in a central place may, unless carefully thought through, lead to significant numbers of factory floors being told to self-isolate once the app is launched. At the time of writing, the algorithm in the app that assesses the risk of transmission mirrors the Government's Covid safe guidelines for employers. Although it is early days yet, we can only hope that the human contact tracers will be working to the same parameters when assessing the risk of transmission. Beyond that, further tech solutions are also being rolled out, such as wearable devices that sound an alarm when social distancing rules are broken, or systems that monitor the use of hand sanitisers in the workplace. The potential for large amounts of personal data to be collected and processed by employers (or by third-party tech providers) as these solutions are rolled out remains significant. While the world has changed so as to require or justify the collection of more personal data, GDPR still applies to any personal data collected, together with its fining regime and liability to data subjects.
The other area that needs further attention is the potential for cyber fraud in the contact tracing scheme. The number of fraudsters looking to capitalise on those working from home, adapting to new processes amid a range of distractions, has grown significantly during the lockdown. The National Cyber Security Centre launched its #CyberAware campaign to combat the rise in cyber crime and created the Suspicious Email Reporting Service. Since April, the NCSC has received half a million reports of suspicious emails and shut down nearly 1,200 fraudulent websites. Phishing, where someone clicks on a link in a fraudulent email, is one of the most common forms of cyber attack. The contact tracing scheme, whether delivered manually or via the app, opens up yet more channels for cyber fraud. For employers, this means yet more avenues for cyber criminals to target their employees, data or infrastructure in unsophisticated ways, aided by the notification methods the contact tracing scheme uses: calls or SMS messages to those identified as potentially at risk of contracting the virus, with the SMS requiring a link to be clicked. This is not high tech, and the telephone number and the link can both be easily spoofed. The phrase ‘smishing’ was rarely used pre-Covid, but because the official system itself sends links by SMS and asks members of the public to click on them, seemingly genuine links sent the same way will now be far harder for recipients to distinguish. Links such as these were commonly used to trick individuals into signing up to extremely high-cost subscription services, and fraudulent phone charges of this kind may be overlooked on large corporate accounts not set up to prevent such fraud. Perhaps more concerning is that such links also offer a cyber criminal an opportunity to trick individuals into downloading malware onto corporate devices, which can then be used to access the broader corporate network and data.
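The paragraph above describes the defensive problem without showing what a first line of triage looks like. The following is an added example, not code from the original post or from any official tracing service: a small Python filter that an employer's mobile device management or SMS gateway could run over inbound messages on corporate devices. It extracts every link, holds the message for review unless the link's host is on a verified allowlist, and records why (bare IP host, URL shortener, official-looking keywords in an untrusted host, plain HTTP). It also checks the sender against an allowlist, while treating a match as necessary rather than sufficient, since the text itself notes that numbers can be spoofed. All domains, sender numbers and sample messages are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: domains the organisation has verified as belonging to the
# official contact-tracing service. Placeholder values, not the real service's domains.
TRUSTED_DOMAINS = {"contact-tracing.example.gov"}

# Constructed allowlist of sender numbers the official service is known to use.
# Caller ID and SMS sender IDs can be spoofed, so a match is necessary, not sufficient.
TRUSTED_SENDERS = {"+440000000001"}

# Keywords that make an untrusted host look official (lookalike domains).
BRAND_KEYWORDS = ("tracing", "trace", "covid", "test", "gov")

# URL shorteners hide the real destination; treat them as needing review.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def extract_urls(text):
    """Pull URLs out of an SMS body, dropping trailing sentence punctuation."""
    return [m.group(0).rstrip(".,;:!?)") for m in URL_RE.finditer(text)]


def host_of(url):
    """Hostname of a URL, lower-cased; bare 'www.' links get a scheme so urlparse works."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_trusted_host(host):
    """Exact match or subdomain of an allowlisted domain; 'example.gov.evil.example' is not."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def assess_url(url):
    """Return the reasons a link needs review; an empty list means the host is trusted."""
    host = host_of(url)
    if is_trusted_host(host):
        return []
    reasons = []
    if IPV4_RE.fullmatch(host):
        reasons.append("bare IP address as host")
    if host in SHORTENERS:
        reasons.append("URL shortener hides destination")
    if any(k in host for k in BRAND_KEYWORDS):
        reasons.append("official-looking keyword in untrusted host")
    if url.lower().startswith("http://"):
        reasons.append("plain HTTP")
    if not reasons:
        reasons.append("untrusted domain")
    return reasons


def triage_sms(sender, text):
    """Classify one inbound SMS: 'deliver' only if the sender is known and every
    link resolves to a trusted domain, otherwise 'hold' for review."""
    url_findings = {u: assess_url(u) for u in extract_urls(text)}
    sender_ok = sender in TRUSTED_SENDERS
    hold = (not sender_ok) or any(url_findings.values())
    return {"verdict": "hold" if hold else "deliver",
            "sender_ok": sender_ok,
            "urls": url_findings}


# Constructed sample messages: one legitimate, three imitating the alert format.
SAMPLE_SMS = [
    ("+440000000001", "You have been in contact with someone who tested positive. "
                      "Details: https://contact-tracing.example.gov/alert."),
    ("+447000000002", "Covid alert: order your test kit now at "
                      "https://covid-tracing-alert.example.net/order"),
    ("TRACING", "Pay a small fee to see your result: http://192.0.2.10/result"),
    ("+447000000003", "A colleague reported symptoms, see https://bit.ly/xyz123"),
]

if __name__ == "__main__":
    for sender, text in SAMPLE_SMS:
        result = triage_sms(sender, text)
        print(f"{result['verdict']:8s} sender={sender} urls={result['urls']}")
```

The allowlist approach is deliberate: trying to enumerate bad domains fails against freshly registered lookalikes, whereas a short list of verified official hosts plus subdomain matching catches `contact-tracing.example.gov.evil.example` and a trusted domain buried in a URL path alike. The reasons list is what an analyst or an awareness message to the employee would show, rather than a bare block.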
As we return to work, employers face the collection of more personal health data, and their employees are being asked to provide a wide variety of information to officials when contacted by contact tracers, or by those posing as contact tracers, in addition to the links they may be receiving on corporate devices. We recommend that companies address now what they need to do to secure their networks from these channels of cyber attack.
We have created a full guide on Cybersecurity, available to download here.
Emma Wright is a commercial technology partner