Bad Actors Have No Mercy

During this current COVID-19 crisis, we have learned that cyber criminals are increasingly deploying new attempts to scam people and businesses out of money or confidential/personal information to be used for identity theft.  Their creativity never ceases to amaze as they use lures based around information on the virus situation taking advantage of people wanting to know more or to help. 

We thought we would put a short list together of the tactics being used and how you can identify and protect yourself and your organizations from these scams.  All of them are based on Social Engineering tactics meant to deceive someone to act on an illegitimate request.  So how can you protect yourself and/or your organization during this difficult time?  Below are some of the more common scams currently taking place and protective measures you can take.  Please share this important information with others in your organization or with your family/friends.

1. General Technology Attacks

Phishing Emails, Texts and Redirection to Fake Websites related to COVID-19.

The Scam – The criminal is advertising misleading or fake treatments for COVID-19 or Personal Protective Equipment via emails, texts, fake advertisements, or websites.   Some emails claim to represent legitimate organizations and claim to provide updated information or directives.  These emails are sent to individuals or to organizations often from authoritative appearing organizations. The scam works in the following ways:

• The target clicks on a link or opens an attachment within an email and subsequently infects their device or computer with viruses or malware.
• The target places an order on the website or via email and the item never arrives.  The scammer pockets the money.
• The target orders an item that is touted as a preventative, treatment or cure and is none of them.  
• The unregulated product at best is useless and at worst is dangerous.

How to Protect Yourself – If it is too good to be true, it probably is.  

• If you receive an email from that claims to be from a legitimate organization go to their website or contact them directly, instead of using the information within the email.  
• If you are potentially interested in a product being touted as a treatment or cure, go to a legitimate source of information to research (physician, pharmacy, CDC website, etc.).   
• Do not respond to texts or open any links or attachments provided in the texts.  
• Also, if you belong to a neighborhood association (e.g. NextDoor App) don’t assume that all postings or claims are legitimate and be wary about clicking on any links or attachments within the post.  
• If a suspicious email is sent to your business email address, please contact your Cyber Security Department, Manager or Help Desk with the details without forwarding the actual email.

2. Fake Charities

Solicitation of Coronavirus relief and donations.

The Scam – There has been an uptick in recent activity in part due to the accelerating Coronavirus threat.   Scammers will either call or email unsuspecting people with donation pitches or on a legitimate sounding pretext.  

• They will either ask for your personal info or a debit/credit card number or ask you to click on a link or open an attachment within an email.   
• When you click on the link or open the attachment you risk infecting your device with malware or spyware.   
• If you provide your personal information or credit/debit card info during a phone call, you risk exposing your credit cards to bogus charges. 
• Even more worrisome is risking your bank accounts or become vulnerable to identity theft.

How to Protect Yourself – Either screen the call (do not answer) and review the message left or hang up right away.  

• If you do pick up the phone, do not answer YES, as the recording of your voice may be used to authorize bogus charges to you.   
• End the call as soon as possible and never provide any personal, financial or company specific information.
• Do not open unsolicited emails or if you do, avoid clicking on links or opening attachments. If your organization is contacted, do not provide specific contact or company specific information. 
• If a suspicious email is sent to your business email address, please contact your Cyber Security Department, Manager or Help Desk with the details without forwarding the actual email.

3. Money Mule/Fake Employer/Business Opportunities

Due to recent job losses and interruption of income streams these types of fraud abound.

The Scam – Fraudsters are taking advantage of the uncertainty and fear surrounding the COVID-19 pandemic to steal your money, access your personal and financial information, and use you as a mule or money launderer or purporting to hire for a specific position.

• A local woman was recently victimized by a company recruiting her to re-mail packages from a supplier and unwittingly served as a mule and potential money launderer. 
• These scenarios occur via online job postings and emails from individuals promising you easy money for little to no effort. 
• These cyber criminals frequently deploy emails, private messages, and phone calls and claim to be located abroad and in need of your financial support.

How to Protect Yourself – Be careful of individuals or entities communicating with you using general Gmail, Yahoo, or Hotmail accounts.  

• Do not agree to receive funds in your personal bank account and then “process” or “transfer” funds via wire transfer, ACH, mail, or money service businesses, such as Western Union or MoneyGram. 
• Do not open a new bank account for their behalf. 
• Be suspicious of individuals claiming to be overseas service members or are quarantined overseas and requesting money or transfer of funds.  
• Be wary also of individuals purporting to be in the medical equipment business and requesting funds.
• Be wary if you are asked to pay money upfront or provide your social security number for a job application.   
• If a suspicious email is sent to your business email address, please contact your Cyber Security Department, Manager or Help Desk with the details without forwarding the actual email.

4. Home or Office Visitors

Sales, maintenance, or other individuals show up unexpected.

The Scam – There has been an uptick in activity of suspicious visitors to both residences and companies.  

• They will claim to represent a legitimate organization or may be selling a product or service.   
• Due to reduced onsite company staff, they may show up at your company using a legitimate sounding pretext with the expectation of avoiding scrutiny.  
• In many cases they are either trying to obtain personal or company related information or trying to gain access to your physical domicile or facility for a variety of reasons.  

How to Protect Yourself – Be suspicious of unsolicited visitors pitching goods or services or claiming to represent a legitimate organization (e.g. CDC, FEMA etc). 

• Visitors to any company site would need to follow the established process for entry (e.g. badging, identification verification, visitor log, confirming the purpose of the visit with someone from the organization).
• If someone calls you or knocks on your door purporting to represent an organization or company that you may normally do business with, do not engage with them or let them in without identity verification.  
• Instead reach out directly via the company website or your contact info to a legitimate source for verification purposes.

5. Fake Promotions, Contests

Unsolicited notifications from unverified sources.

The Scam – You have received an email, postal mail or phone call that you have won a prize or contest, or you have received a package with a retailer gift card (usually $50).  

• The fake contest will often require you to pay an administrative fee up front or provide credit card information.  
• Once you provide that information the only thing you will receive is a bill for the administrative fee or fake credit card charges.   
• The package with the retailer gift card will be accompanied by a USB drive with instructions for you to plug in the drive to your device or computer and select items listed to redeem your card.  
• The only thing you will receive are viruses or malware that will infect and take over your machine.

How to Protect Yourself– If you didn’t enter a contest or order a product, then you didn’t win the contest.  Remember if it is too good to be true, then it is most likely a scam. 

• Don’t answer the phone, open the email or plug in a removable device that you did not order.  
• Enforce existing company policies regarding the use of removable storage, emails from unknown or unverified sources or requests to provide corporate sensitive information.  
• Provide Security Awareness training reminders to your organization on handling requests for information, information handling and acceptable use of devices.

6. Ongoing Tax Scams

Fake Tax Preparers.

The Scam – In recent years a new tactic has emerged, either fake emails from legitimate tax preparers (e.g. Turbo Tax, Tax Act) or the presence of new (but fraudulent) Tax Preparers. 

• The tax preparer promises gifts or incentives for using their services.  
• The fee may be based on the amount of the return or they promise a larger return than other preparers.  
• At the end of the day they will either pocket the fee and never file your return, steal your identity or return or file an erroneous or fraudulent return and leave you at the mercy of the IRS when challenged.

How to Protect Yourself – Only use legitimate and established Tax Preparation entities.

• Instead of responding to an email from Turbo Tax, go directly to the company website to establish an account. 
• If a tax preparer promises you a prize or a trip, walk away immediately.
• Legitimate preparers will not promise you any incentives. 
• File your return early to minimize the chance of a fraudulent or duplicate return filed. 
• Refer any organization calls, emails, or requests for information to the appropriate organization (e.g. Corporate Communications, Cyber Security, Help Desk etc.) without providing information.

7. Business Email Compromises (BEC)

Schemes Related to the COVID-19 Pandemic.

The Scam – Recently, there has been an increase in BEC frauds targeting municipalities purchasing personal protective equipment or other supplies needed in the fight against COVID-19.

• An email presumably from an authoritative source (executive management or a specific department or a supplier they normally do business with) is provided to the group responsible for disbursing payments.   
• The email looks authentic and may redirect the payer to a different bank account. 
• The payment is authorized, typically via a wire transfer without taking any validation steps.   
• Once the money is disbursed, it is often unrecoverable.

How to Protect Yourself/Your Organization – Use common sense that if something looks suspicious, it probably is and verify its authenticity.

• Look for spelling or grammatical errors or typos in the email addresses.  
• Do not click on any links in the email or open any attachments.  
• Look for unexplained urgency or changes to the disbursement instructions.
• Ensure the URL in emails is associated with the business it claims to be from.  
• Reach out independently and directly to the authorized person within your company requesting the payment to verify the voracity of the request.  
• Be suspicious of any vendor request for payment with different payment terms or changes to the bank account. 
• Reach out to the Vendor directly through the contact information on record. Send the content of the original email to the authorizing party.
• Verify that the request is legitimate and determine the appropriate action to take following confirmation.   
• If a suspicious email is sent to your business email address, please contact your Cyber Security Department, Manager or Help Desk with the details without forwarding the actual email.

For additional information please reach out to the following sources for authoritative data regarding COVID-19 or reporting scams.

• www.cdc.gov
• www.coronavirus.gov
• www.fbi.gov
• www.dhs.gov
• www.oig.ssa.gov
• www.irs.gov
• www.fema.gov