When we set out to form a comprehensive understanding of today’s online scams, it wasn’t long before we found ourselves falling down a black hole of information. Our mission was to help spread public awareness on how COVID-19-inspired scams were just as prevalent as the virus itself. We didn’t want others to underestimate the burgeoning risks involved in their daily online lives. Ironically, we were sideswiped by the data ourselves.
This year’s “scamdemic”, a trending hashtag on social media, is appropriately labeled. Our research indicated in August alone, the US was hit with a second wave of scams when phishing emails spiked up 30%. New IP addresses with names related to “COVID-19” and “coronavirus” were registered daily. Fake emails guised as official correspondence from the WHO, CDC, and local and state healthcare officials continued to request sensitive personal information. Others received contact from state unemployment offices they never filed a claim with. Hackers were shutting down companies faster than the positive test results of a restaurant’s wait staff.
As we’ve adapted our lives’ daily operations, the way we work, or how we study, so have they. Increased usage of dating websites has led to increased romance scams. The isolation of social distancing generated a surge in demand for puppies, prompting rapid reports of online breeder scams. Hackers and scammers have had over six months to prepare and refine their tactics. All the resources we followed indicate there is a developing sophistication to their methods. We’ve identified 5 common gateways the coronavirus pandemic has left us vulnerable.
Fraudulent claims for unemployment benefits are on an incline. Previously we had heard about fraudulent unemployment assistance scams in states like California, Maryland, North Carolina and Washington. Another recent warning comes last month from the state of West Virginia where Scott Adkins, the acting commissioner of Workforce West Virginia, anticipates anywhere from 50,000 to 60,000 current claims in the state system are fraudulent. The latest in the string of scams was identified when scores of West Virginians received unemployment benefit cards in the mail they had never applied for. (A multi-step activation process prevented funds on the benefit cards from being accessed by any false claimants).
CARES Act/ Economic impact payments
The president of Central Virginia’s Better Business Bureau, Barry Moore, recently alerted Virginians of increased online romance scams. He suggested the government’s issuance of CARES Act and economic impact payments have inspired scammers to target those funds using a very personal scam method. In a traditional romance scam, a victim is privately messaged on a dating website or social media account by a scam artist who has created a fake profile using authentic photos taken from an actual profile. Reverse image search and paying close attention to grammar, misspellings and punctuation (many scammers are not native English speakers) are still the prescribed measures to avoid the heartbreak. “Ask that person some questions when they’re least expecting it because if they have it on their site and they stumble on their answers. Moore told Channel 6 Richmond News. “You can catch people up in things like this.”
Professionals working remotely
With professionals working from home during the pandemic comes the increased threat of phishing, ransomware and malware attacks. Scammers are using phishing emails to impersonate health officials such as the WHO or local health departments. New device ID addresses are being found with registered names that appear almost identical to actual organizations, with one character misspelled or a deviation of punctuation that is easy to miss at first quick glance. One recurring theme is with conferencing applications and software. A variety of scam communications have targeted Skype users. Fake Zoom meeting invitations with fake links are being sent, which prompt users to download access to a meeting, installing malware instead. Voice phishing or “vishing” scams are on the rise, most notably observed in July’s Twitter bitcoin scam, when tweets for bitcoin payment were issued from high-profile accounts including President Trump and Kanye West. Voice Phishing a communications scam currently impacting dozens of businesses in the US where hackers commonly pose as IT staff, calling employees to ask for passwords to internal tools. As in the case of Twitter, some carry knowledge of the company's internal processes and can be quite convincing.
Students learning remotely
The new school year is now starting and after months of scramble and preparation, some school districts and teachers are rolling out remote learning programs. Remote learners, particularly at the elementary grade levels, are being issued laptops for at-home studies. With this comes concerns that young virtual learners are at heightened risk. School-issued laptops typically work under the same server and have the same protections installed as those used in the school systems, but parents are still advised to be on guard. The Better Business Bureau reminds all parents to regularly look after young users, acknowledging more reports of online scams targeting children. Parents that become familiar with the software and technology their children are using can help identify potential security threats.
The reported scams include phishing email scams, targeted advertising scams, downloaded apps with recurring charges, unsafe file-sharing sites and deceptive contests and giveaways that collect personal information. Fake links to remote learning registration, school curriculums and even fake report cards to parents are other tactics to beware of. The National Cybersecurity Alliance offers a sensible list of tips parents can use as a resource for their K-12 learners.
Contact tracing phone calls
With the contact tracing program in full swing, imposters have seized on the opportunity by making outbound calls themselves, posing as individuals from the local health department. In one instance the Montana attorney general warned of how victims are advised that they have been in contact with someone who has tested positive for COVID-19, before insisting on collecting payment information. Since contact tracers also use text messaging, health department posers have adapted their own text messages alerts as well, adding links to download malware.
The FTC has warned that local health departments only send text messages to advise that they will be calling. Text messages should never include any links. Additional advisories remind us that legitimate phone callers will work diligently to collect information about symptoms and the names and contact information of anyone who you have come into physical contact with. They will not ask for any social security numbers or financial information. They will also not disclose the name of the person they believe you have been exposed to.
These aforementioned gateways are only some examples of scams that are trending now. The general advisory is to be aware of the increased risks that are posed by the coronavirus pandemic and to remain highly skeptical when receiving email communications from an unexpected source.
Fraud can also be reported to the FBI for law enforcement action.