Covid-19 quickly revealed shortages and organizational shortcomings that worried consumers, whether in the availability of PPE supplies, medical treatments, or diagnostic tests. Each of these deficits provided criminals with hard-to-resist lures that continue to be used in phishing and malware campaigns.
“For a hacker the pandemic is like El Dorado,” said CyberScout founder Adam Levin. “Criminals are striking it rich because we’re distracted and scared.”
While scammers' methods vary (and evolve continuously), these are some of the most common tactics:
Phishing Attacks Posing as Information from a Medical Authority
Since the early stages of the pandemic, one of the most common tactics used in phishing campaigns has been to pose as the World Health Organization, Center for Disease Control, and other official-sounding (sometimes fictional) agencies to trick targets into clicking tainted links or opening malware-laden attachments.
One email used the subject line: “Urgent letter from WHO: First human COVID-19 vaccine test/result update.” Recipients of the email were directed to open an attachment disguised as a spreadsheet file. It contained malware.
“If you are contacted by a person or organization that appears to be WHO, verify their authenticity before responding,” warned the organization in an announcement. “The only call for donations WHO has issued is the COVID-19 Solidarity Response Fund…. Any other appeal for funding or donations that appears to be from WHO is a scam.”
Covid-19 “Cures” and “Tests”
While snake oil cures are nothing new, the Covid-19 pandemic has fostered a boom in phishing and malware schemes promising testing information, treatments, vaccines, home testing kits and other phony options designed to trigger a click reflex.
“The FDA advises consumers to be cautious of websites… selling products that claim to prevent, treat or cure COVID-19,” the agency says on its website. As of the publication of this article, there is no FDA-approved cure or vaccine.
Several markets on the dark web have claimed to sell cures, vaccines, and even the blood and saliva from patients who have recovered from the virus. A survey conducted in April found 645 listings across 12 markets, with at least one bogus vaccine selling for $16,500.
There were more than 332,000 reported incidents of Medicare fraud in 2019 alone.
Since the Covid-19 pandemic began, scammers have started offering Medicare beneficiaries home-test kits, hand sanitizer, and personal protective equipment. Law enforcement and government agencies have received widespread reports of fraudulent calls and in-person exploits taking place at a person’s home or at a pharmacy.
The tactics vary, but scammers will often use a victim’s Medicare number to bill the federal government for procedures and treatments that either never happened or that were unnecessary. Identification numbers are also used by identity thieves to trick a target into providing more sensitive personally identifying information, such as a Social Security number or access to the target’s finances.
“The fact that they get a phone call from somebody representing themselves to be from Medicare seems logical. Unfortunately the illogical part is when they ask you to supply Social Security information or financial information,” says Levin, who adds that the best thing to do is simply hang up on anyone claiming to be calling on behalf of Medicare.