As the coronavirus pandemic gripped the world in March, phishing gangs began exploiting the public health crisis to extort login credentials and cold hard cash from frightened, grieving, sick people who had been newly locked down in their homes.
However, these morally bankrupt fraudsters reckoned without the public disgust their criminality would provoke, and thousands of phishing sites have been shut down as a direct result of information supplied to U.K. security services by an angry public.
A mass takedown began on April 21, when Britain's National Cyber Security Centre (NCSC) – the public-facing arm of Government Communications Headquarters (GCHQ), the U.K.'s security and signals intelligence organization – launched a reporting service to which members of the public could forward dubious-looking emails, many of which offered fake U.K. government help with COVID-19 issues, such as lockdown business loans, furlough information, and lockdown-easing cryptocurrency scams.
The NCSC's results have exceeded all its expectations: just 24 hours after the COVID-19 phishing hotline went live, it had received 5,151 suspect emails from the public, allowing the organization to take down 83 phishing sites. A week later, some 25,500 reports had been received, resulting in a total of 419 phishing sites being removed from the Internet.
Many more have gone since. Two months later, the NCSC was reporting that an astonishing 1 million suspect email reports have been received, reporting between them 10,200 different malicious URLs, and resulting in 3,485 criminal websites being taken down.
"This extraordinary response to our Suspicious Email Reporting Service is a credit to the British public, according to an NCSC spokesperson. "It sends a strong message to those seeking to exploit people's fears over the coronavirus that we are prepared to take them on and the public have joined us in this fight.
"The rate of reports to the service continues to increase as more and more people become aware of its existence and start to send reports. We're seeing the power of people spreading the message to their family and friends, and sharing information about the service on social media."
Other experts agree. "The number of reports here – that is, the active submissions by citizen reporters – are indeed impressive and, possibly, unprecedented," says Peter Cassidy, Secretary General of the Anti Phishing Working Group (APWG), in Cambridge, MA.
The APWG is a not-for-profit organization that assimilates phishing site information from security services worldwide to aid international cyber crimefighting operations, and works alongside the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) on similar antiphishing operations to those NCSC runs in the U.K.
Indeed, it was a joint communique from NCSC and CISA in early April that signaled the pandemic had been quietly emerging as the subject of a panoply of phishing attacks. In their missive, the organizations pointed to the advance registration of domain names using "coronavirus and COVID-19 related wording," plus webservers with the ability to distribute malware or ransomware when triggered by pandemic-response-related email lures.
On top of that, they had found early attacks were aimed at locked-down people working from home – perhaps using virtual private networks, say, and without the usual protections of corporate firewalls to stymie the phisher's malware and ransomware attacks.
That phishers were well-prepared ahead of a crisis does not surprise APWG, says Cassidy. "COVID-19 is the controversy of the moment and focuses the mind of the attacker on creating hooks that will lure users into their schemes," he says.
The first time APWG saw the use of a "public menace" as a phishing hook, Cassidy says, was with Hurricane Katrina, which hit New Orleans in August 2005. "Some 72 hours before Katrina made landfall, domain names had been set up with [phishing email] hooks seeking, for instance, charitable donations and selling disaster preparation schemes," says Cassidy.
Yet this time it appears that, through its fast response, alongside that of its colleagues at the City of London Police, NCSC were ahead of the curve, too, says <Alan Woodward, a professor of cybersecurity and digital forensics at the University of Surrey in Guildford, U.K. "NCSC et al were able to think ahead and prepare people. Heading the phishers off at the pass has been possible due to the cooperation of the public, and that is a really great development," he says.
"Building big pictures with user-supplied reports give much more data for the law enforcement agencies to target the scammers and pull their plugs before they do more damage than they otherwise would do."
Using publicly supplied information to fuel the extensive takedown is a powerful reminder of the power of crowdsourcing as a means of boosting computer security. Already, bug bounty sites like BugCrowd and HackerOne use extensive networks of freelance coders, developers, and UI/UX experts, each seeking significant cash rewards, to spot debilitating software vulnerabilities in deployed systems, user interfaces, software, and gadgets of many kinds.
Such bounties could be going further too: in late April, researchers at a global coterie of machine intelligence labs, including the Alan Turing Institute in London, the OpenAI consortium, and Google, issued a groundbreaking report on trustworthy AI, which in part proposed extending the idea of crowdsourced bounties to the latest bugbear of Big Tech: bias in artificial intelligence systems. Their idea is to pay users of AI-based systems to reveal when they spot discrimination at work in the algorithms. It would, of course, be called a "bias bounty."
Whether that expansion of crowdsourcing into the AI ethics space actually happens remains to be seen. In the meantime, observers say it is important that the success NCSC has in its COVID-19 crowdsourcing campaign is sustained when the phishers move on to their next attention-grabbing phishmail subject. "Hopefully people will remain aware after COVID-19 is all over, as future phishing campaigns won't necessarily have the same, single focus that those around COVID-19 do," says Woodward.
Help is at hand, as research into the human behaviors that allow phishing to succeed continues. One problem, highlighted in a recent investigation, is that even power users adamant they would never be fooled by a fake phisher's URL, are easily led astray. "Even heavy technology users are unable to accurately predict the destination of a clearly written URL," say University of Edinburgh researchers Sara Albakry, Kami Vaniea, and Maria Wolters in their CHI2020 research paper.
The APWG is participating in ambitious research proposed by a team led by Paul Wotters at La Trobe University in Melbourne, Australia, with the aim of identifying how "demographic variables, risk perception, browser knowledge, and cybersecurity knowledge determine people's likelihood to become phishing attack victims". The findings, says Cassidy, will fuel more science-led public education initiatives globally.
In the meantime, Cassidy concedes that sustaining public vigilance against phishing will be difficult indeed after the Earth-shaking event the COVID-19 pandemic has visited upon us all. "It's the key question," he says.
"People are at their best during the worst times."
Paul Marks is a technology journalist, writer, and editor based in London, U.K.