Cybercrime: An Analysis of the Dual Threat Posed by the COVID-19 Pandemic

Technology plays an integral role in society; however, it also enables nefarious individuals to engage in cybercrime. Cybercrime is a universal issue which has been heightened in recent weeks due to an increased dependency and reliance on computer and internet devices by members of society. Cybercrime is quite unique as it encompasses a wide range of phenomena. Cybercrime comprises traditional offences such as fraud, forgery and identity theft and also includes crimes such as cyber terrorism, cyber-attacks, data-interferences, misuse of devices, copyright and child pornography.

Cybercriminals are now exploiting the “social, legal and psychological nuances associated with COVID-19.” Sophisticated cybercriminals such as hackers are opportunistic, currently using the pandemic as their modus operandi by circulating fake advertisements and websites.

 

This article will investigate and outline the double threat posed by the COVID-19 pandemic. The dangers of the virus do not solely pertain to health and well-being, as the virus has simultaneously placed members of society at risk of being exposed to malicious actors committing cybercrime. Cybercriminals are taking advantage of this current period of unease to carry out criminal operations, which often target the most vulnerable in society. This article will also highlight how cybercrime has affected privacy and data protection rights from a technological and legal standpoint. 

 



 

II. Cybercrime

(i) Emerging forms of cybercrime during the COVID-19 pandemic

Countries across the world are reporting a dramatic spike in cybercrime cases since the pandemic began. According to Interpol, there has been a marked increase in incidents being tailored around specific aspects of the pandemic in order to exploit unsuspecting victims and organisations. It has also been noted that cybercriminals have ‘evolved’ their tactics and strategies in order to be more successful in their criminal pursuits.

Spam emails are often used to trick users into clicking on links which download malware onto the user’s computer or mobile device. Malicious software such as ransomware, Trojans and spyware is regularly used in order to compromise and interfere with computer systems. For example, it has been reported that there has been a significant increase in the number of attempted ransomware attacks by cybercriminals seeking to hold hospitals and other medical services digitally hostage by preventing them from accessing vital storage files until a ransom is paid. This type of criminal operation was executed on 13 March 2020 at Brno University Hospital in the Czech Republic. This cyberattack forced the hospital to postpone several important surgeries and send acute patients to a nearby hospital. As a result of this cyber incident, the entire IT department was forced to shut down, which had a critical impact on the well-being of its patients.

Phishing is another technique regularly utilised by cybercriminals. Phishing is the fraudulent practice of inducing individuals to enter personal details on fake websites or emails. According to a recent report, Google registered 149,00 active phishing websites at the beginning of the COVID-19 pandemic in January 2020. Since then, this number has increased to 522,000 active recorded websites in March. Similarly in Italy, the Polizia Postale, which deals with cyberattacks, has reported an increase in cyber scams and fraudulent behaviour through the medium of fake ads, websites and emails.

III. Cybercrime and Technology Law

The Council of Europe Convention, also referred to as the ‘Budapest Convention’, is the only legally binding international instrument on cybercrime. The Convention outlines several substantive and procedural legal issues and has been viewed as being the “minimum threshold” in terms of standardising cybercrime. The Convention can be utilised by Member States to inform EU legislation on cybercrime such as the Council Framework Decision on Attacks against Information Systems, which is currently the only comprehensive instrument on cybercrime at EU level. The adoption of this Directive is significant as it was the first legislative EU act which harmonised the criminalisation of malicious actors involved in cybercrime. The Directive also outlines several offences which are referred to in the Budapest Convention. Furthermore, several international organisations, such as the UN and the Organisation for Economic Cooperation and Development, are also trying to tackle the surge in criminal activity.

(i) Data Protection and Privacy Rights

One of the gravest threats that cybercrime poses concerns data protection and privacy rights. “New ways of computing, such as cloud computing are offering additional opportunities to perpetrate cybercrime, challenging data protection and privacy, as well as law enforcement agencies.” This has been an ongoing issue and has often led to individuals suffering from personal data breaches and having their private information used in deviant ways, such as identity theft. Since the beginning of the pandemic, Government officials have issued several statements advising the public to be vigilant and prudent when releasing any personal information on the internet.

Cybercrime threatens the right to private life and the right to personal data protection, which are enshrined in the non-binding Universal Declaration of Human Rights (UDHR), the Charter of Fundamental Rights of the EU (‘the Charter’) and the European Convention on Human Rights (ECHR). The ECtHR has acknowledged the importance of personal data protection, which falls within the ambit of Article 8 ECHR. This article pertains to the right to private and family life, the home and correspondence. The protection of private life is also outlined in Article 7 of the Charter. Article 8 ECHR provides that this right should not be interfered with except in cases where such an interference is in accordance with the law, pursues important public interests and is necessary in a democratic society. In the case of S. and Marper v. UK, the ECtHR stated that the protection of personal data is of fundamental importance to a person’s enjoyment of his right to respect for private and family life.

It is evident that cybercrime endangers the privacy of individuals; thus, cybercrime can have a potentially detrimental impact on human rights. The right to privacy and personal data protection is severely violated when individuals have personal information leaked as a result of a cyberattack, as this constitutes an interference with their rights (Flinkkilä and Others v. Finland, Saaristo and Others v. Finland).

Similarly, in terms of privacy rights, private life includes the privacy of communications, which covers the security and privacy of mail, telephone, e-mail and other forms of communication, including online information, as addressed by the Court in Copland v. the United Kingdom. Therefore, the Covid-19 pandemic has shone a light on the importance of reconciling data protection and privacy rights with the prevention of cybercrime.

As aforementioned, cybercrime spans a multitude of areas. Convention 108 was adopted by the Committee of Ministers of the Council of Europe (CoE) and remains the only legally binding instrument in the data protection field. It protects individuals against abuses concerning the processing of personal data, such as cybercriminals who hack into business systems and extract vital and personal information on the computer system for financial profit or leverage for blackmail and extortion. The use of personal data is increasingly becoming the most common type of cybercrime which is “escalating beyond boundaries.” Personal data breaches and the threats to the right to privacy are most visibly illustrated in cases where computer systems of businesses and organisations are compromised through cyberattacks.

Whilst many businesses have resorted to permitting their employees to work remotely from home in response to the pandemic, companies and businesses should nonetheless be cognisant of the fact that cybercriminals are still operating on a daily basis. This has been emphasised by the NCSC in Ireland. The centre warns that “the key threat to organisations during COVID-19 stem from the phishing, social-engineering and remote access threat” and that there has been a “sharp increase in malware that has COVID-19 themes.”

There is now a reduced level of security for companies due to the rise in individuals using inferior security systems compared to the computer security systems available at their place of work. Cybercriminals will exploit this perceived operational “gap” in security by defacing websites or modifying documents. Malicious actors also have the ability to delete data and disseminate misinformation. Ransomware enables these actors to exfiltrate data and maliciously encrypt it. If a business or organisation refuses to pay the ‘hacker’ for the decryption key to retrieve the stolen information, this will often lead to the files being leaked on publicly accessible forums. For example, in the UK, businesses have been targeted in order to obtain large company files, which hackers infect with malicious programs. These hackers often demand large financial payments in order for these businesses to retrieve them.

The EU General Data Protection Regulation (2016/679) (GDPR) has introduced a new mandatory obligation requiring businesses and organisations to report any personal data breaches to the local authorities. Notifications are advised to be made within 72 hours of the breach, otherwise the companies will be faced with paying hefty fines. British Airways was faced with paying an exorbitant fine of approximately £184 million, as a result of hacks which leaked customer data such as credit card bank details. This is an effective way to contain personal data breaches within businesses and organisations because these bodies are advised to report data breaches immediately. However, it is clear that in order to curb cyberattacks on a much broader scale, the implementation of new robust legislation is still required.

Directive 2013/33/EU aims to combat these types of interferences with personal and private data. Several articles laid out in the Directive outline which elements constitute an interference with an individual’s rights, for example, cases where there has been illegal data interference and illegal data interception during cyberattacks. Therefore, it can be surmised that human rights are also under threat from cybercriminals.

 

 

IV. Vulnerable Cybercrime Targets in Society

Whilst the numbers of individuals being infected with COVID-19 have faltered in recent weeks, it is important that members of society remain vigilant and alert to the continuous threat of cyberattack, most notably towards the elderly and young children. There has been a dramatic increase in internet usage amidst the pandemic, due to the heavily imposed restrictions on social gatherings which require many individuals to work remotely from home. This has led to a spike in the use of electronic and internet devices. 

 

(i) The Elderly

It is evident that the current pandemic is having a profound effect on society, the economy and public security. The most vulnerable in society are also being exploited and targeted in new and unprecedented ways, as criminals are capitalising on these vulnerabilities. Since the outset of the pandemic, the elderly have been placed in a difficult position: many have been forced to “cocoon” inside their homes and denied the possibility of venturing outside to purchase indispensable items. Therefore, many have resorted to purchasing products online. Senior citizens are also often less sensitised to online risks. Many cybercriminals have exploited this particular weakness and view it as an opportunity to gain financial profit and induce anxiety in their victims. Cybercriminals fake an array of services, such as lottery scams and grant and relief payment messages that pretend to have been issued by government agencies, complete with logos and designs, in order to dupe their target. These criminals give innocent people the false belief that they are providing credible and authentic services. Instead, they coerce individuals into divulging personal information under false pretences.

The Mauritian Cybercrime online reporting system, MAUCORS, has reported recent cyber scamming activities such as ‘robocalls’ on popular applications such as Viber and WhatsApp. In these cases, a victim receives a phone call from a sophisticated fraudster with the logo of their bank provider. The victim will be under the illusion that they are speaking to a respectable bank employee instead of a nefarious stranger and thus will openly discuss personal financial details over the phone.

 


(ii) Children

As aforementioned, the term ‘cybercrime’ can be interpreted in numerous ways. For example, online child pornography also falls within its parameters. Article 25 of Directive 2011/93/EU aims to combat sexual abuse and sexual exploitation of children and child pornography online. The Directive provides that Member States should take “measures to ensure the prompt removal of web pages containing or disseminating child pornography hosted in their territory and to endeavour to obtain the removal of such pages hosted outside of their territory.” Member States have a positive obligation to protect a child’s right to respect for his/her private life. In terms of cybercrime, the principles set out in M.C. v. Bulgaria address a Member State’s duty to intervene to protect the child’s physical integrity and right to a private life, as such positive obligations are laid out under Articles 3 and 8 of the European Convention on Human Rights.

In relation to the COVID-19 pandemic, the risk of children being sexually exploited online has risen dramatically in recent weeks. The principal reason is that children have been given more freedom online, which is often unsupervised. This abrupt shift in teaching from a school setting to an online format has placed young children in a very precarious position. Children are often unaware of the presence of malicious online predators who are capable of intercepting their computer system and gaining access to webcams. The UNODC has reported that users who are less knowledgeable of threats… are more likely to take more risks whilst online at home, than they would at work or school. According to James Smith, the head of penetration testing for cyber security firm Bridewell Consulting, “Malware can take control over the screen, webcam or microphone.” Several types of malware include features that, once a computer is infected, enable them to listen to, record and watch the owner of the electronic device.

The Global Initiative Against Transnational Organised Crime has also outlined the potential risks which young children are now faced with during the COVID-19 pandemic while using internet devices: when a system becomes compromised, this will often remain unnoticed by the victim and enables the criminal actor to establish and maintain long-term access to an account. Illegal webcam access and interference also ties in with privacy rights provided under Article 8 ECHR. The concept of private life includes elements relating to a person’s right to their image, which was discussed in Sciacca v. Italy. Videos or photographs which contain a person’s image will also fall within the scope of Article 8 ECHR. In other words, a child is protected under Article 8 ECHR from a group or individual who records or photographs a child without his/her knowledge, Von Hannover v. Germany (no. 2) [GC]. This aspect is also relevant if this recorded material is stored on a website or forum.

The internet is an essential learning tool, with many benefits for remote learning. E-schooling has been incorporated into the daily routine of many children and schools have warmly embraced this form of remote teaching. However, the national shift to e-school learning also potentially increases the risks to the user and the user’s safety. An unsettling issue is that many parents and children are unaware of the dangers of engaging in the use of applications such as Zoom.

Google Hangouts and Zoom are often flawed as they do not require strong, two-factor authentication passwords and can be easily intercepted. An example of the seriousness of this flaw occurred in March 2020 in Norway. A man was able to intercept the webcam of the popular videoconference application, which has been relied upon by many teaching institutions during the pandemic. This individual was able to gain access to a classroom discussion with young children and exposed himself to all of the young students via the webcam. This form of infiltration, coined ‘Zoom Bombing’, is a prime example of the dangers of using these types of applications, especially for young children.


V. Recommendations

 

The disruptive impact of the COVID-19 pandemic is reverberating throughout the world. The UNODC has advised governments and private sectors to prolong the use of public awareness campaigns about the increased risk of falling victim to cybercrime during the pandemic. In a recent interview, the European Commissioner for Home Affairs, Ylva Johansson, stated that cybercrime remains an area which often proves challenging to regulate. The Commissioner has also noted that the EU is “lagging behind in law enforcement and national security” in the struggle to combat cybercriminals preying on vulnerable individuals during the Covid-19 pandemic. The Commissioner also called for increasing the number of specially trained forces for these types of cybercrime because having the requisite knowledge and expertise to identify and interpret these crimes is essential. The most effective method used to intercept this form of crime is early detection, thorough investigations and prosecuting the offences committed by criminals in order to bring justice to the victims and act as a form of deterrence for these cybercriminals. For example, the National Cyber Security Centre (NCSC) in the UK created the ‘Suspicious Email Reporting Service’ in April in order to detect emails claiming to offer services relating to the pandemic. Ciaran Martin, the chief officer, hopes “the success of the Suspicious Email Reporting Service will deter criminals from such scams.”

The Commissioner also mentioned that “specialist counter-cybercrime law enforcement personnel have been diverted from investigating cybercrime offences to supporting government measures such as quarantine enforcement against the outbreak.” This may have been a significant factor in the spike in cybercrime cases since the onset of the COVID-19 pandemic.

It is evident that this period of complexity and volatility provides a perfect landscape for the perpetration of cybercrime. The Covid-19 crisis has also severely limited the level of work that can be conducted by the courts. As a result, cybercriminals will not be prosecuted for their crimes for a significant period of time, which renders the idea of engaging in this type of criminal activity even more attractive.


VI. Conclusion

 

Technology is ever-expanding; newly created devices can now track sleep patterns and heart rates and pinpoint an individual’s location throughout the day. These innovative developments should be paralleled with an evolution in technology law in order to apprehend criminals who intend to use these technological advancements in a deviant manner. The Covid-19 pandemic has further emphasised the prevalence of cybercrime in society today. Cybercrime is a complex and diverse problem which contains a cross-border element, and this makes this type of criminal activity even more dangerous as it transcends all borders and frontiers.

Malicious actors are often elusive and undetectable. In order to combat this, increased training is required to effectively prepare and equip police forces to quickly identify this form of criminal activity. It is imperative to tackle transnational organised cybercrime before it grows to epidemic proportions. In order to achieve this goal, cybercriminal networks and solo actors must be eliminated to avoid harmful consequences for the well-being and safety of members of society.

Cybercriminals are adapting very quickly to the societal changes which have occurred since the beginning of the pandemic; thus, legislation and policies to impede this behaviour should be adopted uniformly throughout the EU. The central issue is that new complex malware utilised by criminals is often difficult to detect and decipher. Therefore, cyber-security policies need to be developed ubiquitously in order to build a comprehensive cybercrime strategy. It is also essential that cybercrime policies are strengthened and cybersecurity measures are reinforced. The evolution and creation of cyber legislation within the technology law field should be implemented on both an EU and global level.

Information and intelligence should be shared collectively by cybercrime units in order to increase the likelihood of apprehending malicious actors. A report carried out by Europol has suggested that there are considerable benefits in exchanging information regarding suspected cybercriminals. In turn, this would also reduce the possibility that these criminals would be held unaccountable for the perpetration of their crimes.

   As the EU Commissioner for Home Affairs noted, the increase in cybercrime since the beginning of the pandemic underlines the need for extensive co-operation between Member States in order to combat this form of criminal activity. It is imperative that new methods are developed to deter these criminals and prevent cybercrime offences taking place in the future. 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

