TORONTO -- Online phishing attacks targeting webmail and other cloud-based services on the internet have increased since the start of the COVID-19 pandemic, according to a recent report by the non-profit Anti-Phishing Working Group (APWG).

Phishing is a common internet scam that uses technology to trick people into divulging private information. This can be achieved by using deceptive emails that are designed to lead people to fake websites and fool people into revealing data such as usernames and passwords. It can also work by planting malware onto a computer to steal credentials directly from the device.

In March, much of the global workforce shut down to help curb the spread of COVID-19, with many people transitioning to remote work from home. Since then, cyber security experts have been raising alarms that remote workers are particularly vulnerable to these types of phishing scams.

According to the APWG report, approximately 571,764 unique phishing websites were detected from July to September. Data submitted to APWG’s eCrime Exchange data repository indicates that in the third quarter of 2020, approximately 1,558 brands were targeted by phishing campaigns, as well as 367,287 phishing email subjects.

“Phishing attempts and fakes websites related to COVID-19 have risen as cyber criminals have taken advantage of the pandemic to infect devices and steal sensitive information,” a spokesperson for the Canadian Centre for Cyber Security told in a statement. “As many Canadians are working from home, protecting home networks and personal devices is more important than ever.”

According to the centre, cybercriminals have recently shifted their tactics, placing more resources into targeting larger and more financially lucrative targets.

“We have seen the average ransom demand increase 33 per cent since late 2019, to a current average of $111,605. There have been several high-profile cases where ransom demands have been in the millions,” the spokesperson said. “Canadians and Canadian organizations will almost certainly continue to face online fraud and attempts to steal personal, financial, and corporate information.”

The spokesperson said the centre has helped remove thousands of fraudulent websites and email addresses since March of this year, including websites impersonating the Canada Revenue Agency.

“While this work was primarily focused on COVID-19 related fraud, this work continues each and every day as we identify and remove more fraudulent domains impersonating the Government of Canada for any reason,” the spokesperson said.


The centre said that many of the threats they identified could be mitigated through increased awareness and by adopting some of their best practices regarding cyber security. They recommend using strong passphrases instead of short passwords, multi-factor authentication, and a protected DNS service that blocks malicious websites. 

The centre also suggested removing and deleting apps that are no longer needed and ensuring that all devices are using the most recent software available.

Businesses and organizations can protect their systems by using some of the centre’s baseline security controls. The centre encourages any Canadian businesses or organizations that suspect they have been targeted by cyber threat activity to contact local law enforcement.

“As Canadians adopt new technology and embrace more internet connected devices, the cyber threats will continue to grow.”