The coronavirus has opened up a variety of new opportunities for cybercriminals to exploit for profit or mischief.
Hackers are very resourceful. As a software company, we at Sigmund have come to understand how quickly hackers can adapt to changes in the outside world and leverage them into scams and larceny on the web.
And, if you haven’t noticed, we are currently experiencing some pretty significant changes.
COVID-19 has sent the world into:
- A frenzy
- A remote working environment
As far as cybersecurity goes, these two factors have given hackers a lot to work with.
The public is still adjusting to a disorienting new reality. Internet safety best practices are not necessarily at the forefront of everyone’s mind.
Exacerbating this is the mass exodus from corporate offices to work-from-home setups all over the globe. The workforce went from operating on protected networks and alongside IT departments to performing every work function at home on a personal computer.
In other words, our defenses are down and hackers are chomping at the bit.
As a result, we have identified 6 types of security scams related to COVID-19 to watch out for. Often, a basic awareness of the methods hackers use is enough to spot cyber deceptions and avoid them.
1) COVID-19 Scams Exploit Unemployment Realities
Hackers have taken advantage of the massive spike in unemployment due to COVID-19. In one reported scam, cybercriminals are emailing people fake work-from-home opportunities.
A lack of employment, and uncertainty surrounding when the next opportunity will arise, are rather potent vulnerabilities for hackers to exploit.
A timely job offer can seem like a saving grace to the unsuspecting or uneducated victim.
According to KnowBe4, the scam has innocuous beginnings. Victims are asked to complete basic errands at first. Eventually, though, they are instructed to transfer funds from one account to another.
In true hacker movie fashion, these funds are stolen. The victims effectively become money mules, for which they can face serious legal consequences, even if they weren’t aware of the crimes they were committing.
KnowBe4 notes that these email scams never provide sufficient information regarding the hiring company or position, and often contain grammar mistakes. If an unusual email doesn’t feel right, it probably isn’t.
This email scam falls under the “phishing” category. Find more information on these types of scams and red flags to look out for here!
2) COVID-19 Scams Target Economic Relief Programs
Hackers were quick to take aim at various economic relief efforts spurred by the coronavirus as well.
For example, some cybercriminals targeted the economic impact payment process, taking advantage of the uncertainty surrounding when, if or how citizens received their stimulus checks.
The confusion gave hackers an opening for scams such as:
- Paying a fee to receive your stimulus check
- Paying a fee to expedite the delivery of your stimulus check
- Sending sensitive personal information, such as your bank account number, Social Security number or government benefits debit card account number, to receive your stimulus check
Before we move on, here are some tips on how to avoid such traps.
Some of these scams are easier to spot than others. The email in all lowercase letters from “Thomas Hanks” that’s demanding your date of birth and social security number? Definitely a scam.
But what if you get an email from the Federal Reserve, informing you that their economic protection program is up and running? The email contains a link to a website (with a convincing URL) where you can receive your payment.
You click on the link, which brings you to a very official-looking website, complete with COVID-19 infographics, financial assistance information, and an IRS FAQ page.
Oh, and there’s also info from the U.S. Paycheck Protection Program, FEMA, and the CDC on the site, as well as the logos of established banks that are participating in the endeavor.
Thanks to Inky, an anti-phishing software company, we know this was all fake.
However, to the untrained eye, or lesser cybersecurity technology, such a thorough scam could have easily ripped victims off.
If hackers are now laying more sophisticated traps like this, it’s more important than ever to transfer sensitive information through official, secure channels.
3) COVID-19 Scams Take Advantage of Contact Tracing Efforts
You may be familiar with “contact tracing” as a strategy to manage the risk of COVID-19. This standard disease control method consists of:
- Interviewing people who have tested positive for coronavirus
- Identifying people who have been in close contact with said positive individual
- Notifying those close contacts of their potential exposure to the coronavirus (and providing guidance on how to proceed safely)
In other words, it’s the practice of locating people who have been potentially exposed to COVID-19 and then advising and monitoring them until any threat of exposure is no longer a concern.
Contact tracers are real people, but they use a variety of communication technology to find and connect with people. Tracking people down during a quarantine must be done primarily by phone call, email, text message, or mobile application.
Therein lies the opportunity for scammers.
In one reported scam, victims received a text message notifying them that they had been in contact with someone who tested positive for COVID-19.
The text message contained a link to a website where victims were asked to enter their personal information. Unfortunately, it was a phony website designed to gather that information so that the fraudsters could commit identity theft and/or gain access to bank accounts.
If a real contact tracer attempts to contact you, it will certainly be done in a more official, comprehensive manner. Before you offer your personal info anywhere, it is important to corroborate the validity of the source.
4) Phony “Government-Issued” COVID-19 Tests, Vaccines, Miracle Cures
Cybercriminals took advantage of the limited availability of COVID-19 testing by “selling” fake tests online. These scams promised to deliver an effective at-home testing kit for a fee, or an exchange of personal information.
Currently, there are 5 companies that sell an authorized at-home coronavirus test:
If you get an email from any other vendors selling COVID-19 tests online, it is most likely a scam.
The safest way to go about getting a coronavirus test is to discuss it with your physician. They can provide you with valid avenues to go about a test.
Keep in mind that as we enter another month of quarantine, there are additional valid testing options available to you.
For example, CVS Health’s rapid drive-through testing sites have been established in over 30 states.
Legitimate COVID-19 testing opportunities are much more accessible than they were a few months ago. Don’t be too quick to trust one-off emails that conveniently arrive in your inbox.
In addition to tests, fraudsters also promised victims miracle cures and vaccines for the coronavirus in similar scams.
These shady efforts preyed on the public’s fears and paranoia regarding the coronavirus. Whether the emails offered secret vaccines that were being withheld by the government or a downloadable pandemic survival guide, scammers had the “perfect solution” for unsuspecting and worried victims.
When it comes to vaccines or treatment for COVID-19, you should only trust a healthcare professional or a reputable organization like the CDC.
5) Netflix COVID-19 Scams Unleashed on a Quarantined Public
I don’t know about you, but there has been a lot of Netflix going on in my socially distanced experience.
And it appears I am not the only one binge-watching – the company reported 15.8 million new subscriptions between January and March.
Scammers took advantage of this consumer trend and flooded the internet with phony ways to sign up for a Netflix account.
In one instance, victims were offered a Netflix “free pass” that required personal information to obtain.
The result? You guessed it – no free pass, only stolen info.
KnowBe4 notes that this particular scam asked victims to forward the deal to 10 friends. This is a strategy hackers use to disarm potential victims.
Someone may be wary of a great deal that arrives unexpectedly from a borderline suspicious account. However, if the free pass email comes from a friend, they are more likely to trust the deal and engage with it.
6) Hackers Target Email Communications Re: Coronavirus
In a remote work environment, organizations are relying on email more than ever to connect with employees, contacts, and customers.
For employees and consumers alike, inboxes have become stuffed with official statements, newsletters, COVID-19 updates and advice, webinars, and so on.
Such a flurry of online communication attracts and inspires hackers. They have tried, and will keep trying, to mimic these pandemic emails to steal whatever information they can get out of you.
As a result, watch out for coronavirus-themed emails that come from unexpected sources. That is not to say that all COVID-19 emails are dangerous, just that there is a higher chance a hacker has laid a trap in one of them at this time.
So, remember to exercise some caution when checking your inbox. If you open an email and something smells fishy, it probably does for a reason.
Similarly, could a single email or link possibly offer any news or information that could not be found elsewhere on the internet?
There is no reason to risk engaging with a random account or a dubiously constructed email. You always have the option to vet an email’s credibility through a secure web search.
A hacker’s success often relies on the victim opting for convenience over due diligence. You owe it to yourself to take the extra few minutes to confirm what you are seeing is real (or not real).
It is important to note that hackers have not limited their scope to phony outbound corporate emails. They are targeting internal communications within organizations as well.
For example, cybercriminals have taken notice of the COVID-19 conversations that businesses all over the world are currently having: When should we reopen? When will we return to the office? How should we go about it? How do I feel about it?
Many organizations have used survey services, such as SurveyMonkey, to informally crowdsource answers to these questions.
These types of emails often come from the HR or IT department, which hackers are very comfortable impersonating.
Phony surveys are sure to be up and running by the time you read this. Be sure to confirm it’s really your human coworker who sent you that Office Reopening Survey.
Internal email scams can appear more official, too.
KnowBe4 has spotted a phishing email that appears to be from your organization’s “VP of Operations.”
The email contains a well-written message announcing a plan for reopening…which you just have to click on a link to view.
Clicking on the link brings you to a false Office365 login page. When you enter your username and password, they are collected by the hackers. Basically, you text them your credentials. Coldblooded.
Read up on how to identify these shady email tactics here!
COVID-19 Scams: Don’t Let Your Guard Down
This is by no means the definitive text on coronavirus security scams. However, let’s address two important things you can take away from this article:
- A general knowledge of the strategies hackers are using to take advantage of victims during this time.
No two scams are the same, but they all share a few similarities. Some are better hidden than others, but any phony email will have a telltale sign. Furthermore, remember that hackers are preying on the fears of a public that is suffering through an unprecedented pandemic.
Cybercriminals are hoping to catch us at a bad moment when we’re prone to act irrationally or carelessly due to fear or any other difficult emotion COVID-19 is making us face.
- An understanding that hackers adapt to external developments (cultural, financial, medical, etc.) very quickly.
Like, almost immediately. It’s like these hackers don’t have anything better to do than hack. Cybercriminals are always changing the playing field, but that playing field is heavily influenced by the outside world.
We will continue monitoring this intersection of COVID-19 and cyber security because:
- We are a healthcare software company, it’s literally what we do
- Not everyone has the time or energy to read up on this stuff.
As the Content Writer for a healthcare software company, I have both of those things, so the least I can do is simplify and organize the latest in coronavirus cybercriminality for you.
If you want to stay up to date on COVID-19 security scams, or other topics involving healthcare IT and the pandemic, you may want to check out the Sigmund Software Blog.