More than 4,000 false Canadian government websites and email addresses taking advantage of the pandemic to try to mine personal data or steal money have reportedly been removed by the Canadian Centre for Cyber Security (CCCS).

Among sites taken down were some pretending to be the Public Health Agency of Canada or the Canada Revenue Agency.

The fraudulent websites are impersonating the government to “deliver fake Covid-19 exposure notification applications, designed to install malware on users’ devices,” broadcaster CBC quoted CCCS spokesman Evan Koronewski as saying.

The programs are created to steal personal information or money, and since March 15 last year, around the time coronavirus was taking hold across the world, the centre has helped remove more than 4,000 such fraudulent sites and email addresses, he added.

“This work continues each and every day as we identify and remove more of these fraudulent domains,” he said.

The Canadian Anti-Fraud Centre says 8,583 Canadians were victims of a range of Covid-19 frauds in the ten months to 10 January. Scams include identity theft, ransomware attacks, and offering fake vaccines or test kits. In total, Covid-19 fraud has cost Canadians C$7m (US$5.5m, €4.5m).

Meanwhile Florian Kerschbaum, an associate professor in the school of computer science and director of the cybersecurity and privacy institute at the University of Waterloo, Ontario, warned against fake Covid-19 apps despite Apple and Google being quick to remove offending ones.

“There are a lot of Covid apps which make false promises and basically just try to abuse your information and do strange things,” said Kerschbaum, who advised people not to download a Covid-19 app if they do not recognise the publisher.

Scammers who make the apps are looking to steal people’s personal information and then sell it on the dark web, according to Arash Habibi Lashkari, an assistant professor and research co-ordinator at the University of New Brunswick’s Canadian Institute for Cybersecurity. 

Information like a person’s credit card number, full name and home address is a valuable commodity, which could be sold to adware producers, used to steal someone’s identity or to put ransomware on their phone, encrypting it until the scammer is paid off, he said.