“Hello, this is Mariah from your IT department. We are undertaking a remote check of the systems, and I need to verify your password”. In the personal data sphere, this could lead to identity theft; in the private sector, it could result in loss of business or customer trust. But what happens when core government systems are compromised? Gaining access to personal and administrative data captured by core government systems could lead to adding ghost workers to payroll and other registries, redirecting vendor and benefits payments, potentially bilking the government out of millions of dollars.
Since COVID-19 emerged globally in March of 2020, we’ve seen governments innovating and adopting GovTech solutions to maintain business continuity, deliver services, share information with citizens and promptly respond to the pandemic. While technology has enabled remote work, remote schooling, and remote government, it has also provided entry points for fraud and corruption. As noted in the recent World Bank report Enhancing Government Effectiveness and Transparency: The Fight Against Corruption, GovTech provides opportunities to curb corruption but can also exacerbate fraud and corruption risks. Technology designed to support communications, planning, and tracking can be breached not only by hacking, but through social engineering, exploiting the vulnerability of people leading to improper and criminal behavior.
Social engineering ploys such as phishing, misinformation, SMS and spamming campaigns use emotional tactics to gain access to systems, personal and confidential information. These include email scams asking to send money, phishing emails and texts with embedded links to access personal data and tricks to redirect payments to the fraudsters or solicit ransoms. The prevalence of these attacks has increased at an alarming rate during the pandemic with governments, businesses, and schools operating remotely according to Interpol. Civil servants, citizens, businesspeople, and students have been amongst those targeted.
The size of the social engineering issue isn’t overstated. According to purplesec data, 98 percent of cyberattacks use social engineering techniques. In the face of the pandemic, COVID-19 themed cyberattacks were on the rise: in early March there was a spike to over 5 million daily incidents according to Microsoft. However, these vary by country. In the United Kingdom, there was a spike in incidents to about 7,000 daily attacks in March, while in the United States it was closer to 30,000 per day. Data show that near the beginning of April, the trends flattened averaging under 1 million daily incidents. However, new cases of COVID-19 themed attacks are again on the rise, exploiting the desire for information on vaccines.
The financial impact of these schemes is high for governments. In February, a Washington county government was the target of a social engineering incident valued at over $700,000. The impacts go beyond economic and financial losses to test the core governance principles of transparency, accountability and trust. In the GovTech space, keeping systems secure is critical to retaining trust of users and increasing uptake of e-services and citizen engagement platforms.
What can we do? The recently launched GovTech report highlights , several of which are particularly relevant in this context. While these risks are real, they can be managed, and their impacts minimized.
Build public awareness of social engineering techniques to teach the public how to identify these attacks that will reduce their success rate. The poor and vulnerable may not have access to the information or knowledge that leads them to recognize the scams.
Conduct ongoing training on cybersecurity to increase awareness of civil servants of potential vulnerabilities and be able to identify potential attacks and impacts. Simulations can provide hands on understanding. These training events should be done on a regular basis and updated as new threats arise.
Strengthen internal audit systems and institutions to manage real-time risks, attacks and check validity of transactions and modifications made to public financial management systems. These techniques may include data analytics, artificial intelligence and machine learning to red flag transactions or modifications.
Conduct in-house “red team” cybersecurity exercises to test vulnerability and response. Red team exercises check and assess cyber vulnerabilities by testing the security controls of a system that are already in place via simulation. One example was completed by GovTech Singapore.
Develop partnerships with research institutions, academia, technical training facilities, private sector, civil society, cybersecurity organizations and other GovTech agencies both locally and globally to develop and share knowledge on social engineering trends and impacts.
As we strengthen the tools and approaches to preventing and controlling corruption, there are people out there trying to find new ways to get around those rules.Change management and ongoing awareness campaigns can help stop social engineering schemes from getting past one’s inbox.