You receive an email saying that due to COVID-19, a number of regularly scheduled meetings are moving to new dates and times. While hovering over the conveniently provided email link to your calendar, you notice the email address is unfamiliar—and you realize you’ve been targeted in another sophisticated phishing campaign. Welcome to an unwanted side effect of the global pandemic. Not only is it the largest public health and economic crisis of the past century, it has also turned into an unprecedented opportunity for cyber criminals to prey on both individuals and corporations.
Just as a leopard doesn’t change its spots, neither do cyber criminals. They are still employing their usual tactics—malicious emails, phone calls, text messages, and social media posts. Even as stay-at-home restrictions are beginning to ease, an anxious and still often shut-in audience gives these bad actors another method of attack: targeting both the heightened emotions and changed work situations that have resulted from COVID-19.
As in-person interactions decrease and digital ones increase, we are at greater risk of succumbing to scams in both our professional and personal lives. Recent announcements from business organizations, regulatory bodies, and law enforcement agencies spotlight the risks. Some examples include:
- In March, as the United States was beginning to issue stay-at-home orders, the Financial Crimes Enforcement Network (FinCEN) issued guidance encouraging financial institutions to remain alert for “malicious or fraudulent transactions similar to those that occur in the wake of natural disasters.” In particular, FinCEN noted it had seen a rise in imposter scams, investment scams, product scams, and insider trading, all related to COVID-19.
- The FBI has issued multiple COVID-19 alerts and warnings since the pandemic began and also has been working with private sector companies to disrupt online scams and take down bogus sites, including ones that impersonate government agencies, such as the World Health Organization.
- In mid-April, Google announced that during the previous week, almost 20% (18 million) of the more than 100 million malware and phishing emails it blocks each day were related to COVID-19 frauds. In addition, during that time period Google saw more than 240 million COVID-related spam messages each day.
- As of the end of May, the Federal Trade Commission (FTC) had received just over 55,500 reports of COVID-19 scams, ranging from travel scams to fake healthcare sites to COVID-19 related products. Not surprisingly, the larger states have the largest number of reported scams, with California, Florida, New York, and Texas topping the list.
Scams can run the gamut from large-scale fraud, such as the California healthcare union that unknowingly entered into a bogus deal to buy 39 million healthcare masks, to classic top executive scams in which an employee gets a message from a top executive requesting a wire transfer. Working from home and social distancing have exacerbated the conditions that cause us to succumb to cyber scams. Although we have been trained to be vigilant, during these unusual times, business and personal routines have been disrupted, which can lead us to do things outside our normal routines, such as initiate unusual or illegitimate financial transactions.
IT scams are also on the rise. An email request for a password might once have seemed unthinkable, but with technology staff working remotely, in today’s new normal, it can feel like a reasonable request to fix a cranky VPN connection. Similarly, with more people telecommuting, hackers are hoping large corporations will drop—or at least lower—their firewalls, making it easier to infiltrate networks and steal corporate data.
Our personal online activity is also increasing as we read the news more frequently; check in with family via Zoom, FaceTime, and other platforms; contact government agencies that have moved solely online; and order groceries or other supplies. The more time we spend online, the more susceptible we are to fraud. Cyber criminals are capitalizing on our sense of loneliness and isolation. In what the National Consumers League compares to a “romance scam,” individuals are increasingly falling prey to fake advertisements for pet adoptions. Criminals know we have FOMO—whether it is a work email, a potential cure, a message from a friend, an opportunity to buy masks or adopt a pet, or information about a stimulus check—so they are combining tried-and-true methods with revamped approaches designed to get us to click a link, answer a phone call, or provide personal or financial information.
What can you do to help inoculate yourself and your colleagues from rampant COVID-19 fraud and scams?
- Make sure your organization continues to follow and enforce established policies, controls, and procedures. Clearly communicate current policies and best practices to all workers.
- Be wary of emails asking you to wire money or buy a gift card. If you receive a request that appears to be from an executive, call or text the named “sender” to confirm. Never seek confirmation through email, since a cyber criminal may have taken over the account.
- Watch for emails claiming to be from the Centers for Disease Control, the World Health Organization, or any of the other agencies supporting pandemic relief. Instead of clicking on a link in the email, navigate to the official website to read the latest updates.
- While you should always be wary of clicking on links in emails or texts, pay particular attention to those purporting to be from government bodies. Navigate to the organization’s site to confirm the official procedures that they are using to contact individuals. Similarly, do not respond to unsolicited voicemails from individuals claiming to be from an official agency. Instead, check the organization’s website for contact details.
- Hang up on robocalls. Scammers are using illegal robocalls to pitch fake health insurance, vaccines, and test kits.
- Use caution before donating to a charitable organization. Research the organization to confirm its legitimacy.
The COVID-19 crisis should not compromise our common sense. While our lowered defenses may make us more susceptible to an attack, following these simple cyber hygiene procedures will go a long way toward protecting ourselves and our organizations against costly frauds and scams.