This blog series is dedicated to sharing real-world stories of identity fraud and theft — and just how devastating these crimes can be on organizations, individuals, and families. Our latest post focuses on how the COVID-19 outbreak has spawned an entirely new set of frauds against consumers and businesses to capture personal information that can lead to outright theft.
At first, the hackers used news of the rapidly spreading coronavirus pandemic to target consumers — preying on individuals who were concerned about the virus’s spread by sending them bogus emails that claimed to have the latest updates on the health scare. Attached to those emails were interactive links to webpages purportedly showing the number of cases within the readers’ local area, or to “miracle” cures for the disease. (According to the Federal Trade Commission (FTC) and U.S. Food and Drug Administration (FDA), there are “no vaccines, pills, potions, lotions, lozenges, or other prescription or over-the-counter products available to treat or cure coronavirus.”)
Instead, the recipients were redirected via malware to websites that steal valuable personal information.
In addition, according to the FTC, cyberthieves are “following the headlines” to create donation and investment websites for victim care, emergency response plans, or opportunities to invest in companies researching a cure for COVID-19. These sites may seem on the up and up but are designed solely to redirect your money — or equally valuable medical or financial information — into criminals’ pockets.
In the latest scheme, first reported by the Identity Theft Resource Center, employees are sent phishing emails that look like a company’s legitimate purchase order for facemasks or other high-demand medical supplies and that can trick employees into transferring payments or credit card information to a fraudulent account. In a separate but equally underhanded move, phishers are sending blast emails, texts or voice mails — that appear to come from a legitimate company account — asking for details about work-from-home (WFH) plans, as well as rescheduled conferences and events. These phishing tricks attempt to shake loose from trusting victims Personally Identifiable Information (PII) that can be used to set up phony bank or credit card accounts.
Furthermore, in what we’d file in the “What, is nothing sacred?” category, we’ve learned about a spate of phony job postings that are designed to recruit furloughed or laid-off workers to a fake coronavirus charity. After the job seeker applies for the job, the fake “non-profit” will ask them to process donations made to the charity into their own account and then to transfer the money into another account — all before the bank can alert the individual of the fraudulent check and deposit. Fake job postings collect not only personal information such as name, address, and Social Security number, but also personal financial account information.
In a similar ruse, scammers disguising themselves as government and health organizations such as the World Health Organization (WHO) or the FTC are contacting individuals by email, asking them to visit a “protected” site — requiring personal information to set up a user account — to view safety tips. Or, they are trying to trick recipients into opening email attachments or are redirecting them to spoofed (or fake) websites and asking for financial details to make donations.
How to Avoid Getting a Cyberinfection
These coronavirus fraud stories highlight the need for businesses and individuals to take proactive steps to avoid being scammed:
- Don’t click on links from sources you don’t know or trust. There’s a cruel irony in saying they could download a nasty virus on your computer or device. And always be sure that your anti-malware and anti-virus software is kept up-to-date.
- If you receive purchase orders or product offers via email, verify the source before sending any sensitive information. Even with customers you know well, take a minute to confirm by phone or in-person visit that the order is coming to the correct person or organization. Be wary of sending credit card information or PII to anyone who you don’t authenticate in advance.
- Vet company sources of information before responding to information requests. A seemingly innocuous request for personal information that is attached to a work-from-home or scheduling plan could be coming from a cyberthief. Be vigilant.
- Do your homework before contributing to any charities or participating in crowdfunding. Don’t let anyone rush you into donating. If someone wants donations in cash, by gift card, or by wiring money, don’t do it.
If you think you or your business have been victimized by coronavirus-related scams or identity theft, don’t hesitate to reach out to our team to learn more about how we can help protect all that you’ve built.