‘Cybercrime has been around for some time, but articles show that during the global COVID pandemic, rates of cyberthreats have risen 30,000 per cent’
On a typical day, Janet’s workday was very challenging and stressful, but today was off the charts. Not only was she preparing for her organization’s end year financials, but due to COVID-19, she was now dealing with sharing a dining room with her husband while they both worked from home, and also with her three children who were doing online learning. Imagine her frustration when she received an email, out of the blue from Robert (her CEO) basically demanding a payment be made to a new vendor of her company. At least in his email, Robert had asked how her three kids were doing with schooling online. Trying quickly just to get this task “off her plate”, she followed the somewhat unusual payment instructions Robert had given her and sent the $278,000 payment to the vendor.
It wasn’t until two days later when it was discovered that this vendor didn’t exist, and the entire payment was gone without a trace, did Janet and her organization realize that they had fallen victim to a Whaling Cyber Attack (a form of a cyber phishing attack). Janet, thinking back to the email, did think the request and instructions were a little odd, her CEO did include personal information about her, which made it seem completely legit. It looked so real, how was she to know? Shortly after this event, Janet was fired from her role.
Scams and cybercrime such as this happen on a daily basis across the country and the world. Imagine costing the company your work for $600,000 because you accidently type the organizational banking details into a fake online form or in an email to someone masquerading as a vendor. Imagine you click on an email attachment and your entire network and company data gets encrypted with ransomware and your organization not only has to pay to decrypt the data, but your organization suffers massive financial losses due to the time the operations were impacted. Studies have shown, that in 2020, 96 per cent of cyber security breaches were due to “human error”.
Cybercrime has been around for some time, but articles show that during the global COVID pandemic, rates of cyberthreats have risen 30,000 per cent. Cyber criminals’ prey on the fact that over the past year, many are working from home, distracted and generally over stressed. Utilizing psychological tactics such as placing urgency and risks to the employee within their phishing attacks, they pray on one’s vulnerabilities and convince people to follow their instructions.
Despite the fact that most cybercrimes are financially motivated, the emotional and psychological trauma in the aftermath of such attacks has rarely been brought to the surface. The financial losses of cybercrimes are obviously felt at a business level, but these types of crimes also greatly affect the individuals who fall victim to them. Following a cyber-attack, many of the victims report feeling traumatized, robbed, vulnerable, or scared an attack can happen again. Feelings of guilt and shame are often compounded when they are blamed by their organization, family members or society in general for falling victim to the attack/scam.
Impact of cybercrime on mental health
Cyber-attacks/scams come in many forms; from romance scams, to phishing attacks, ransomware attacks and more. Reports of financial, employment or data losses or other types of losses, such as personal data, can be not only significant but devastating. The information can be stolen and distributed so rapidly that intense feelings of helplessness and powerlessness are often experienced. Victims often have the out of control feeling, in turn, leading to more anxiety and feeling demoralized.
The emotional and psychological impact following the losses related to cybercrime can range from mild to severe and lead to symptoms of depression, anxiety, panic attacks, posttraumatic stress and even suicide. The mental health conditions are further exacerbated by numerous psychosocial losses related to finances, employment, family and/or relationships.
The invasion to one’s privacy that results from cyber-attacks also translates into grief.
Grief that results from cybercrime
The losses that result from cyber-attack as well as the invasion to one’s privacy all translate into grief. A grief that is not only felt through mixed emotions such as denial, anger, depression and anxiety but through the loss to the sense of self and to one’s role and identity. Grief is also felt through the loss in the form of distrust in oneself and distrust of others. The self can feel shattered.
The emotional, cognitive, behavioural, and physical symptoms of falling victim to a cybercrime include the followings:
- The emotional symptoms can include feeling depressed, sad, anxious, guilty, ashamed, demoralized, and anger. Common feelings can also include feeling betrayed, powerless, out of control and vulnerable.
- The cognitive symptoms can include negative appraisal of self, perceiving self as a failure or weak; reduced self-esteem and self-confidence; difficulty focusing or feeling scattered. Increased worry and negativity; fear for safety and feeling unsafe.
- The behavioural symptoms can include isolation; withdrawal; reduced interest in activities; increase in substance misuse such as drugs, caffeine, nicotine or unhealthy coping; increased food for comfort, difficulty falling or staying asleep or early morning awakening; and/or appetite changes.
- The physical symptoms can include headaches; muscle tension; aches; abdominal distress; eating more or less; and sleeping more or less.
Prevention at both organizational and individual levels
Firstly, organizations need to properly educate and train their employees on how to spot and stop various types of cyber-attacks. Regularly conducted cyber user awareness training, presented and practiced in an open and fair manner helps to prepare employees from spotting these types of frauds.
Organizations need to inform employees on a regular basis as well as when new cyber-attacks become known and steps on how to proceed if they witness or receive an unusual demand or activity. Repeated education around consulting first prior to responding or clicking an email or opening an attached document need to be provided on a regular occurrence. However, if an employee does click on a malicious link, or follow the instructions in a well-crafted phishing email, organization must remove the shaming mentality that many have if someone does accidently do something that puts the company in jeopardy. We have heard many stories from organizations in which their employees did not tell anyone after they clicked on an attachment because they were embarrassed, guilty or were afraid. It was some time later after the workplace systems were completely encrypted with Ransomware that the employees’ actions were known. We all make mistakes, and criminals are making it really hard to distinguish what is real and what is fake. We need to encourage our employees to let someone know as soon as possible if they think they’ve done something wrong.
Organizations must realize that during these challenging times of COVID-19, people are fatigued and distracted, making them easy targets for cybercriminals. Organizations should encourage their employees to “slow things down a little” and take a moment or two to really look at an email to determine if it might be phishing for information or asking them to follow instructions.
At the Individual level, here are some healthy coping strategies in the aftermath of cybercrime:
- Identify how you feel and your thoughts. Realize there are normal reactions and that you are not alone.
- Remind self of your positives, qualities, and achievements despite the loss related cybercrime and how your felt betrayed or robbed.
- Practice self-care by catching reframing your thoughts and balancing them; engaging in balanced diet and regular exercise; proper sleep hygiene; and setting meaningful activities.
- Avoid self-blaming. Put your time and energy into what you have control over; and use what you have learned constructively to better protect yourself.
- Gather proper support, resources, and services to ensure your safety and reduce the risk of being re-victimized.
- Practice self-compassion by being kind to yourself, not judging yourself, being mindful of your thoughts and feelings, and putting them into perspective; acknowledging and accepting that you are a human being and accepting the imperfections that comes with being human.
- Avoid substance misuse or any unhealthy coping.
- Seek social support. You might find it helpful to join support groups for victims of cybercrime or any victim support groups.
- Do not hesitate to seek professional help if you are experiencing increasing psychological distress; difficulty initiating tasks or taking care of responsibilities; chronic depressed mood, or excessive anxiety that is increasingly difficult to manage; lacking pleasure in activities; difficulties with sleep and/or concentration; or other psychological symptoms that might cause you concern.
Article co-authored by Dr. Katy Kamkar, Ph.D. and Ryan Duquette.