As cities and states work on slowing the spread of the coronavirus by limiting where people can go, hackers are already prepped and eager to target unsuspecting and stressed-out victims.
Cyber criminals prey on vulnerable people as they seek out information and data to maximize revenue. These hackers are instead spreading malware through mobile phone apps and websites and threatening users with ransomware, which use malware as leverage for monetary payments.
Here are some measures you can take to avoid falling for their scams, according to Lisa Plaggemier, chief strategy officer at MediaPro, a Seattle-based provider of cybersecurity and privacy education.
- Look closely at email sender addresses
- Don’t click on links in emails – navigate to the site yourself
- If someone wants you to call a number in an email, look up the number yourself on the company’s website
- Be cautious opening attachments from people you don’t know
- Be suspicious if the message (vishing or phishing) has a sense of urgency
- The sender or caller is asking you to give personal information, a credit card, or a money transfer – be suspicious of all of those and call to verify
“The reality is no matter what specific examples of online scams you look at today, by tomorrow those will change,” she said. “Cybercriminals are quick and agile.”
Here are the top 15 coronavirus online scams to watch out for.
One of the earliest scams was an Android app, claiming to display a map of coronavirus cases and provide statistics of the spread of the disease, said Mike Weber, vice president at Coalfire Labs, a provider of cybersecurity advisory services in Westminster, Colorado. “In truth, that application was ransomware built for mobile phones," he said. "That application would change the phone password so that a user could not access their phone. It charged a nominal fee in Bitcoin, of course, to unlock the phone or reset the password back to what it was before.”
Another scam currently being used is a delivery of malware via coronavirus updates from common companies.
“I'm sure we've all seen emails come from companies that we do business with talking about how these organizations are dealing with this pandemic,” Weber said. “I recently received an email with a malicious attachment that claimed it was from a major health care provider and said that attachment contained their statement about the coronavirus and its implications. Clearly, that was not the case.”
The most common scams have used COVID-19-related lures to entice victims into interacting with malicious documents or URLs and will continue as the pandemic develops.
“Cybercriminals are well aware of the potential profit to be had preying on the fear and panic caused by COVID-19,” said Alex Guirakhoo, strategy and research analyst at Digital Shadows, a provider of digital risk protection solutions in San Francisco.
“In the past, cybercriminals have taken advantage of major global events, such as natural disasters, in similar ways, defrauding charities and impersonating legitimate health organizations like the Red Cross,” he said. “In times of crisis, it is, therefore, even more essential to be prudent and adhere to best practices to combat common social engineering techniques.”
Users should be wary of unsolicited emails that contain supposed links to infection maps or safety bulletins, solicit charitable donations or claim to be from authoritative organizations like the WHO or CDC. These can be used to steal personal and financial data, spread misinformation and install malware, Guirakhoo said.
Criminals are focused on exploiting the situation to their own gain as scams and hacks are on the rise, said Rui Lopes, engineering and technical support director at Panda Security, a provider of IT security solutions in Boston.
Phishing emails, text messages and spoofed sites, designed to look like official communications, can easily trick a nervous user to click a link they otherwise would avoid.
“In addition, social engineering attacks are seeking to obtain information from unsuspecting individuals, such as the elderly, by conning them into providing credit card info, social security numbers and more through illegitimate phone calls and voicemails,” he said.
3. Cures for Coronavirus
Fake websites that claim to offer information or treatments for coronavirus are another significant threat. The security industry has already uncovered one case in which hackers are using an interactive map of coronavirus infections created by Johns Hopkins University to trick people into landing on a malicious website. They are selling these ‘infection kits’ to other hackers in the Dark Web, said Karim Hijazi, CEO of Prevailion, a cyber intelligence company headquartered in Columbia, Maryland.
There are also a lot of different seller scams online, ranging from outright fraud to selling fake, substandard or unsafe items, phishing websites and fraudulent dealers who operate on legitimate platforms like Amazon (AMZN) - Get Amazon.com, Inc. Report, Walmart (WMT) - Get Walmart Inc. Report, Alibaba (BABA) - Get Alibaba Group Holding Ltd. Report and others.
“These individuals may rip you off completely or send you used, damaged, unsafe or misbranded products and they could also be used to steal your identity,” he said.
The FTC recently singled out seven companies for using fraudulent marketing practices to sell coronavirus-related goods, including former televangelist Jim Bakker’s show. The FDA has also warned about fake cures like sodium chlorite solutions, marketed under such names as “Miracle or Master Mineral Solution, Miracle Mineral Supplement, MMS, Chlorine Dioxide (CD) Protocol, and Water Purification Solution (WPS)."
4. Medical Information
Consumers need to stick to the official CDC and WHO data sites for medical information or information about COVID-19.
“There are a number of scam sites that either give the CDC and WHO numbers or try to overlay more, inaccurate data,” said Thomas Hatch, CTO and co-founder at SaltStack, a provider of intelligent IT automation software in Lehi, Utah. “Don't be tempted for data that is not out there or is not reliable. The CDC has a dashboard, Microsoft (MSFT) - Get Microsoft Corporation Report has a great dashboard and arcGIS has an amazing dashboard. Stick with the official, safe dashboards.”
The top risk to consumers and businesses is definitely from phishing scams that will try to impersonate the CDC, WHO and other agencies. By impersonating those agencies, as well as insurance companies and other organizations that are in some way affiliated with COVID-19, they will try to infect you with malware, hijack your online credentials and steal your money, said Hijazi.
“When it comes to financial theft, they will either do this directly, by trying to trick you into wiring funds to avoid insurance cancellation or to get an urgent shipment of badly needed items, or they will steal your card number and use it fraudulently,” he said.
5. Text Messages
More criminals will turn to text messages to carry out their phishing campaigns in what is known as ‘smishing.’ Federal officials are already warning of a fake text message that warns of a looming national mandatory quarantine. Kansas authorities have also issued an alert about a broad smishing scam that is sending out false information about local coronavirus infections.
“Consumers can expect to see more of these scams in the coming weeks and months as criminals will very likely use this platform to trick people into clicking a link, calling a phone number or installing an app,” said Hijazi.
“Any one of these will lead to information theft or financial fraud,” he said. “They will use a variety of pretexts, including local warnings about infections or quarantine notices of pending health insurance cancellation or claim denial.”
6. Financial Issues
Another attack that criminals may use may capitalize on the financial difficulties everyone is currently experiencing as well. With the current state of the stock market, people may be more susceptible to open malicious attachments if they come from an organization that they do business with.
“In years past, we've seen phishing attacks have success with Wells Fargo (WFC) - Get Wells Fargo & Company Report, Bank of America (BAC) - Get Bank of America Corp Report, and Chase Bank (JPM) - Get JPMorgan Chase & Co. Report scams, stating that their account had a change and tries to convince the user to follow a link to a website or to open an attachment,” Weber said. “As it stands now, I can tell you, I would be quite likely to open an email attachment that comes from one of my banks if they have potentially said in an email that, acting in my best interest, they have moved all of my investments to a much safer place.”
7. Stock Market Trading
The SEC has also warned of pump-and-dump scams for microcap stocks with the promoters claiming the company has a product or service that can either detect, treat, prevent or cure coronavirus. Given the wild fluctuations in the stock market as of late, we can expect these scams to increase in frequency and volume, Hijazi said.
“There are numerous organized groups which routinely carry out pump-and-dump schemes, so they have the technical skills and professional know-how to pull these off,” he said. “Investors who may not be susceptible to these scams under normal circumstances could find themselves getting tricked now because of all the uncertainty surrounding coronavirus. Investors should also be on the lookout for fake emails and notifications from mutual fund advisers and portfolio managers as it's likely hackers will try to prey on people’s fears of losing their investments and savings in the market turmoil.”
8. Donations to Non-Profit Organizations
There are the techniques that appeal to one’s charitable side. In times of trouble, there is typically an uptick in the number of scams requesting donations to help the needy.
“It's wise to be very suspicious of these invitations for charitable donations, and if it is not coming from a source that you have previously done business with and recognized, it's wise to avoid these unrequested solicitations,” Weber said.
9. Tax Payments
Expect to see coronavirus phishing email attempts using the tax season to steal identities and/or banking information. A good example is IRS Form W-2 scams intended to get workers to email other employees’ forms. The IRS has issued guidance on these types of scams.
“There is a lot of effort being exerted by threat actors across the globe to maximize revenue using the coronavirus to commit crime,” said Fausto Oliveira, principal security architect at Acceptto, a Portland, Oregon-based provider of continuous behavioral authentication. “Individuals and organizations should exert extra vigilance and avoid opening emails, websites or answering calls that come from threat actors pretending to be official authorities. Information should be accessed using well known, official websites, such as IRS.gov.”
10. Working Remotely
COVID-19 is forcing many businesses to consider how they can swiftly enable a remote workforce and do so in a safe and responsible manner. Workers remaining at home or possibly stuck in a remote location are going to be heavily dependent on their mobile devices, said Chris Hazelton, director of security solutions at Lookout, a provider of mobile phishing solutions in San Francisco.
Mobile attacks are particularly effective because they often trigger immediate responses from recipients — instant communication platforms such as SMS, iMessage, WhatsApp, WeChat and others.
“In fact, I know someone who received a smishing message that said "First Coronavirus detection in Boston. Click here for updates,” he said.
Organizations should make sure that their employees' devices are not running outdated and vulnerable operating systems or applications and that unauthorized software is not installed, as these can put the security of the device and corporate data at risk,” Hazelton said.
Companies are not prepared to have so many employees work from home, said Jason Glassberg, co-founder of Casaba Security, a cybersecurity and ethical hacking headquartered in Redmond, Washington. These employees are going to be at a higher risk of getting hacked and scammed because they are outside of the office and the company’s firewall.
“Home WiFi networks are typically insecure with weak password protection and vulnerabilities in the devices themselves,” he said. “People will also be connecting to their offices via remote desktop tools, which can be hacked or hijacked. In fact, there are many places on the Dark Web that sell stolen remote desktop credentials.”
When people are away from the office, they are more susceptible to business email compromise and other social engineering attacks.
“The hacker pretends to be the company’s CEO or another employee and tricks the person into conducting a wire transfer or sharing online credentials,” Glassberg said. “I have no doubt we are going to see data breaches and wire transfer fraud as a result of this outbreak.”
The most common type of attack is a phishing-style cyberattack where an attacker sends an email to a remote workforce while pretending to be their IT manager, said Arun Kothanath, chief security strategist at Clango, a cybersecurity advisory firm in Arlington, Virginia. The email will typically ask employees to sign in to an online portal using their credentials to ensure they still have access to a business-critical resource.
“Attackers will capture those credentials and then can move laterally and vertically throughout an organization until they capture the data or access they desire,” he said. “Organizations without a privileged access management program that can recognize and terminate abnormal identity-behavior will be especially vulnerable to this type of attack.”
Another type of cyberattack that has become more frequent in recent weeks is a social engineering cyber attack. This is where an attacker, masquerading as a frustrated remote employee who cannot access business-critical systems, will contact an IT administrator or help desk technician and request access to sensitive data, infrastructure or assets, Kothanath said.
“Organizations without an Identity and Access Management (IAM) program that has clear access provisioning policies or processes could find themselves accidentally granting a malicious actor access to their most sensitive data,” he said.
11. Hospitality and Travel-Related Issues
Many people are inundated by emails from hotels, restaurants, travel providers and airlines giving input on the measures that they are taking to combat the virus.
“Our appetite for information is vast and cybercriminals know this so there may be attachments or links offering further details or information and encouraging us to click before we think,” said Steve Durbin, managing director of the Information Security Forum, an authority on cyber, information security and risk management in London. “The hospitality industry is especially vulnerable at this time and very few communications with such links or attachments will be anything other than scams and they should be avoided.”
12. Employment Issues
"My company is also monitoring one prominent cybercriminal group that has been carrying out an extensive phishing campaign which uses weaponized curriculum vitae to attack various companies," said Hijazi.
“This campaign started in the summer, so it pre-dates the COVID-19 outbreak, but since we may be headed into a recession and many companies are already having to lay off or furlough their workers, we expect fake CV phishing attacks to increase considerably,” he said. “These will catch many businesses by surprise, and could lead to full account compromises and network breaches.”
13. Online Lies
Online misinformation is another big issue and this is proliferating across the web with fake news or special interest sites, foreign adversary news organizations like Iran’s Press TV, as well as on the major social media platforms, Hijazi said.
“The tech companies are making efforts to crack down on coronavirus-related misinformation and scams, but they're having a hard time controlling it,” he said. “There is often no clear motive for the misinformation, although it is suspected that U.S. adversaries like Russia are involved in order to spread panic throughout the country and sow divisions within our communities.”
14. Call Centers
Criminal call centers are another very real risk. These are often professional operations and it can be difficult to tell they’re malicious, said Glassberg.
“They may even have personal information about the victims they are contacting since there is so much stolen data available in the Dark Web,” he said. “Criminal groups may run their own call centers or rent these services from other providers. They can be very sophisticated at manipulating their victims.”
Cybercriminals move fast on public calamities because they know they only have a limited amount of time to make their money, so right now is the perfect time to strike.
“We don’t know how long the coronavirus epidemic will last, as it appears to already be on the wane in China, so criminals need to cash in quickly,” Glassberg said.
15. Capitalizing on Fear
Attackers and hostile actors are capitalizing on the fear and frenzy generated by the coronavirus pandemic. Cybercriminals will continue to use people's fear against them, “enticing them to click on links spreading disinformation or for financially motivated purposes,” said Jack Mannino, CEO at nVisium, an application security provider in Herndon, Virginia.
“An influx of fake medical products, supplies, and fraudulent charities have hit the internet over the past few weeks,” he said. “During a crisis, the integrity and availability of critical systems is heightened. Expect to see ransomware attacks against hospitals and medical institutions increase, based on opportunism and the ability to cause maximum chaos during a time of crisis.”