We’re living in strange times. The current pandemic and uncertainty about the future has us all stressed and concerned about our personal health and safety. On top of that, Coronavirus Disease 2019 (COVID-19) scams and misinformation abound.
You knew it was coming, especially with so many relief checks expected by individuals and businesses, and so many others in need. There’s no reason to compound our already shaky hold on security by leaving ourselves vulnerable to the inevitable opportunists who are waiting to misinform and fleece the unwary.
The Threats We Face as We Hunker Down in Isolation
Some scams are new twists on old exploits, such as phishing and spear phishing. Others appear to have been created just for the current crisis. What sort of activities are we talking about? The COVID-19 scams seem to fall under four general categories, with several variations of each.
1. Illegitimate health systems and organizations:
Scammers are setting up websites that mimic legitimate sites from the WHO and CDC as well as local hospitals and healthcare centers. Many are sending bulk emails telling people that their tests have come back or that they’ve been infected and instructing the recipient to follow a link for more information. If you’ve been tested, your doctor or the health services center will not deliver the result through a link in an unsolicited email or SMS.
2. Fake testing and “cures”:
There are hundreds of fake testing kits and “cures” being offered on the internet. Many are just re-labeled tests for other purposes and will not tell you if you have the Coronavirus. Others are just snake oil with little-to-no health benefits or are outright dangerous. The FDA has a list of known fakes here.
3. COVID-19 Financial scams:
Since before the IRS even solidified their stimulus plan, mobile apps and messaging systems were filled with fake “Get your money here” messages. There’s also a bumper crop of fake charities looking for “relief” donations, and they tell pretty believable sob stories to get you to part with your money.
For example, one Android app purported to be a real-time outbreak tracker. However, once installed and launched, it turned out to be the CovidLock ransomware, which locks the victim’s phone and demands payment.
4. Malicious websites and other platforms:
In addition to fake charities, there are fraudulent websites claiming to have the “latest information”, cures, testing facilities, and resources. What separates these from people just trying to provide information is a requirement that you create an account. The sign-up form itself is the attack: the email address and password you enter (often one you reuse elsewhere) go straight to the scammer, along with whatever bank account or insurance details the form asks for, and the site may also push malware or spyware, including keystroke loggers, onto your computer.
One additional tip for avoiding malware sites posing as health websites is to use a third-party tool like Sucuri to identify infected sites. Canadian firm Privacy Canada also notes that SSL/TLS, the same technology behind TLS-based VPNs, stops third parties from reading or tampering with data in transit. Keep in mind that this protects the connection, not you from a malicious site at the other end of it:
“Before the connection is even made, the client and the server engage in what’s called a TLS handshake, where they agree on an encryption algorithm and cryptographic key beforehand. Because the algorithm is randomized, an eavesdropper or man-in-the-middle attacker will have a hard time intercepting any data.”
Newly created remote work infrastructure and networks that were hastily set up to allow people to work from home are prime targets for exploitation as well. They tend to be under-secured or unsecured, with multiple attack surfaces exposed, and run by people who aren’t used to operating in such an environment.
The Internet Corporation for Assigned Names and Numbers (ICANN) reports that there are hundreds of newly registered domains using COVID-19 and related words, many of which were set up as scams to take advantage of people in the current situation. You can find a list of resources, including agency-tracked Indicators of Compromise (IoCs) for mitigation and reporting fake websites, unsecured or compromised ISPs, and other COVID-related fraudulent cyber-activities here.
With so many nonprofits and government agencies reaching out to citizens with information and resources, it’s no surprise that fly-by-night operations and fake charities are popping up all over the internet.
Image source: us-cert.gov.
The question now is, what do you do to protect yourself?
Staying Safe from Cybercrime Scams in a Post-COVID-19 World
Plenty of people distrust their governments and news media in normal circumstances. However, when it comes to information about financial disbursements and medical advice, these institutions are the only relatively reliable, scam-free source of info at this time.
The Cybersecurity and Infrastructure Security Agency (CISA) has created a set of guidelines that are designed to help you avoid fraud and protect your information. You’re advised to be wary of any unsolicited emails or private messages and social media pleas for assistance, financial or otherwise, as well as offers of help.
Emails and messages may contain links to fake websites or wording that is meant to trick you into giving up personal information or donating money.
An example of a fake SMS for COVID relief. Image source: us-cert.gov.
You want to err on the side of caution in times like these by taking the following precautions:
1. Avoid Spam Links
Avoid clicking on links in unsolicited emails and be wary of email attachments. Make sure remote workers are trained and instructed to do the same. Common subject lines for scam emails include wording like:
- 2020 Coronavirus Updates.
- 2019-nCov: Coronavirus outbreak in your city (Emergency).
- 2019-nCov: New confirmed cases in your City.
An example of a fake CDC email. Image source: businessinsider.in.
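The subject lines above are one signal, but the same message usually gives itself away in two other places: a sender display name that borrows an agency’s name while the address sits on some other domain, and link text that shows a legitimate URL while the href points elsewhere. The Python script below is an added example, not code from the original article, that checks all three against a constructed phishing message and a constructed legitimate one. The brand-to-domain allowlist, the subject patterns and the function names (`triage`, `sender_parts`) are assumptions made for illustration, not an official list or tool.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subject wording seen in the COVID-19 lures quoted in the article (case-insensitive regexes).
LURE_SUBJECT_PATTERNS = [
    r"coronavirus\s+updates?",
    r"2019-ncov",
    r"outbreak in your city",
    r"new confirmed cases",
    r"relief (check|payment|fund)",
    r"stimulus",
]

# Assumed brand -> legitimate sender domains (illustrative allowlist, not an official list).
BRAND_DOMAINS = {
    "cdc": {"cdc.gov"},
    "who": {"who.int"},
    "irs": {"irs.gov"},
}

# Link text that looks like a URL or bare hostname; group 1 is the host it displays.
URL_LIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:/\S*)?$")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def sender_parts(from_header):
    """Split a From: header into (display name, sender domain)."""
    name, addr = parseaddr(str(from_header))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


def triage(raw_message):
    """Return the reasons a message looks like a COVID-19 phishing lure (empty list = none found)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []

    # 1. Subject line matches one of the known lure phrasings.
    subject = str(msg.get("Subject", ""))
    for pat in LURE_SUBJECT_PATTERNS:
        if re.search(pat, subject, re.IGNORECASE):
            reasons.append(f"subject matches lure pattern '{pat}'")
            break

    # 2. Display name claims an agency, but the address is not on that agency's domain.
    name, domain = sender_parts(msg.get("From", ""))
    for brand, good in BRAND_DOMAINS.items():
        claims_brand = re.search(rf"\b{brand}\b", name, re.IGNORECASE)
        on_good_domain = any(domain == d or domain.endswith("." + d) for d in good)
        if claims_brand and not on_good_domain:
            reasons.append(f"display name claims '{brand}' but sender domain is '{domain}'")

    # 3. Visible link text shows one host while the href goes to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _LinkExtractor()
    parser.feed(body.get_content() if body is not None else "")
    for href, text in parser.links:
        shown = URL_LIKE.match(text)
        href_host = (urlparse(href).hostname or "").lower()
        if shown and shown.group(1).lower() != href_host:
            reasons.append(f"link text shows '{shown.group(1)}' but points to '{href_host}'")
    return reasons


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: "CDC Health Alert" <alerts@cdc-gov-update.com>
To: you@example.com
Subject: 2019-nCov: New confirmed cases in your City (Emergency)
Content-Type: text/html; charset="utf-8"

<html><body>
<p>View the list of infected people in your area:</p>
<a href="http://cdc-gov-update.com/track">https://www.cdc.gov/coronavirus/cases</a>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "CDC" <no-reply@cdc.gov>
To: you@example.com
Subject: Your weekly newsletter
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://www.cdc.gov/">Visit CDC</a></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, "->", triage(sample) or "no findings")
```

None of the three checks needs a reputation feed; they work on the message alone, which is why they suit a mail filter at a small business that has just gone remote. Hover-before-you-click is the manual version of the third check.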
2. Use Trusted Sources
Use only trusted sources for information and official websites to correspond with banks and government agencies. If you’re waiting for financial relief or tax refunds, or you need to make a claim, here are the links to official platforms in the US, UK, and Canada:
3. Avoid Sending Personal Data Online
Don’t provide any personal or financial information in emails or messages no matter who they’re intended for, and don’t respond to any email solicitations or links. Scammers are very good at creating legit-looking logos and subject lines, often addressing recipients by name. Valid government agencies and financial institutions will never ask you for login information or passwords.
If in doubt, don’t follow a link in the email. Visit the official agency or company website and log in from there. Take a screenshot of any potential phishing or spear-phishing attempts and report them. Financial platforms like PayPal want you to forward phishing emails directly to them. Check individual company policies and procedures for reporting fraud.
An example of a fake UK tax rebate. Image source: bbc.com.
4. Avoid Fake Donation & Pleas
Check the legitimacy of any charity before making donations. The US Federal Trade Commission keeps an updated list of known COVID-19 charity scams. Avoid online fundraising pleas unless the people involved are known to you personally. Even then, use caution.
5. Protect your Identity
Protect your identity, account information, location, and activity by using a reputable VPN on all of your networks and devices. Be clear about what a VPN does: it hides your traffic from the local network and your ISP and masks your IP address. It does not stop you from handing credentials to a phishing site, so it complements the steps above rather than replacing them.
This final point is especially important.
With so much stimulus money and business loans available, fraud is a big concern. Since health care systems are one of the main targets of attackers, protecting your insurance information should also be a priority.
Those systems are still running, but they are overburdened, and security tends to slip when staff are stretched. That means it’s up to you to protect your identity and information.
In addition to installing a VPN on networks and devices, follow these identity protection best practices:
- Use strong, unique passwords of at least 15 characters, mixing upper- and lower-case letters, numbers, and symbols; a password manager makes this practical, and you should also turn on 2-factor authentication wherever it is offered.
- Avoid using public WiFi networks; if you must use one for remote working, make sure your VPN is installed and properly configured.
- Change your social media settings to private or friends only; don’t put any personal information about health status or locations online.
- Don’t open links or attachments, including video links, sent in unsolicited emails or messages; that is how phishing and spear-phishing payloads arrive.
- Don’t visit unsecured websites; as mentioned before, there are hundreds of shady COVID-related domains popping up. If the website doesn’t have https and a padlock icon before the URL, it’s not secure. The reverse is not true, though: the padlock only means the connection is encrypted, and scam sites obtain certificates as easily as legitimate ones, so check the domain name itself.
- Check your bank and credit card statements regularly for unusual activity.
- If your bank or other financial institution offers alerts for unusual activity, make sure to sign up or enable them.
- Make sure that your security software, firmware, and apps are up to date.
- Avoid installing any apps that are unsupported or that request permissions they have no reason to need, such as access to your camera, microphone, messaging, or contacts; if you already have such apps installed, delete them and run a malware scan on your device.
- Shred any documents that contain sensitive information.
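The advice to check the domain name rather than the padlock, together with the earlier point about the flood of newly registered COVID-themed domains and agency-published IoC lists, can be turned into a quick URL check. The Python function below is an added example and is not code from the article or from any agency. The official-domain allowlist, the brand tokens, the lure words and the “known scam” list are constructed stand-ins; a real tool would load a published IoC list and use the Public Suffix List instead of suffix matching. It flags plain http, known-bad domains, agency names inside unofficial domains, COVID lure words, and punycode or non-ASCII look-alikes, and it deliberately does not treat https as a sign of legitimacy.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of official domains (illustrative, not an official list).
OFFICIAL_DOMAINS = ("cdc.gov", "who.int", "irs.gov", "gov.uk", "canada.ca")
# Brand tokens scammers borrow; one of these inside an unofficial domain is a look-alike signal.
BRAND_TOKENS = {"cdc", "who", "irs", "hmrc", "paypal"}
# Words that dominate the newly registered scam domains the article describes.
LURE_WORDS = ("covid", "corona", "ncov", "stimulus", "relief", "vaccine")
# Constructed stand-in for an agency-published IoC list of known scam domains.
KNOWN_BAD_DOMAINS = {"covid19-relief-check.com", "coronavirus-map-tracker.org"}


def matching_suffix(host, domains):
    """Return the entry in `domains` that `host` equals or is a subdomain of, else None."""
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def check_url(url, bad_domains=KNOWN_BAD_DOMAINS):
    """Return a list of findings for `url`; an empty list means nothing suspicious was detected."""
    parts = urlparse(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no hostname in URL"]
    findings = []

    # Plain http is flagged; https is NOT rewarded, because a padlock says nothing about who owns the site.
    if parts.scheme != "https":
        findings.append("not https: anything you type is sent in the clear")

    # Subdomains of a listed scam domain count as well.
    bad = matching_suffix(host, bad_domains)
    if bad:
        findings.append(f"{bad} is on the known-scam list")

    # Internationalised labels can imitate familiar names with look-alike characters.
    if "xn--" in host or not host.isascii():
        findings.append("punycode or non-ASCII label: possible look-alike of a familiar name")

    # Only unofficial hosts get the look-alike and lure-word checks; the real agency
    # site may legitimately contain 'covid' in its path, so those checks look at the host only.
    if matching_suffix(host, OFFICIAL_DOMAINS) is None:
        tokens = set(re.split(r"[.-]", host))
        for brand in sorted(BRAND_TOKENS & tokens):
            findings.append(f"'{brand}' in the name, but {host} is not the official domain")
        for word in LURE_WORDS:
            if word in host:
                findings.append(f"lure word '{word}' in unofficial domain {host}")
                break
    return findings


if __name__ == "__main__":
    for sample in (
        "https://www.cdc.gov/coronavirus/2019-ncov/index.html",  # real site: clean
        "http://cdc-gov-update.com/track",                        # look-alike, plain http
        "https://covid19-relief-check.com/claim",                 # padlock, still a scam
        "https://www.cdc.gov.stimulus-check.net/",                # real name as a subdomain
    ):
        print(sample, "->", check_url(sample) or "no findings")
```

The fourth sample is the one people most often fall for: `www.cdc.gov` appears at the start of the address, but the part that matters is the registrable domain at the end, `stimulus-check.net`, which is why the check splits the host into labels instead of looking for the agency name anywhere in the URL.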
Your feelings are probably ranging from fear to frustration and back again just dealing with this crisis on its surface. Don’t allow a fragile state of mind to leave you vulnerable to crime on top of COVID.
By knowing the COVID-19 scams that exist, as well as those that are likely to crop up in the near future, you can safeguard your sanity and finances from opportunistic criminals and scammers.