Cybercriminals have been busy during the Covid-19 pandemic. While phishing scams, malware, and data breaches were a constant threat to businesses and organizations before quarantines and work from home (WFH) measures, the overnight migration to a digital workplace is proving fertile ground for scams.
A recent study conducted by Google found that the number of such websites online increased from roughly 150,000 in January 2020 to 522,000 in May, a 350 percent increase. The same report indicated that at least 18 million Covid-19-related phishing and malware emails were being sent every day. These findings confirm a similar report that showed a 30,000% increase in Covid-19-themed attacks from January to March.
The scams have been effective. In April 2020 alone, the Federal Trade Commission announced that Covid-19-related scams had cost Americans at least $13.4 million.
While scammers use a wide variety of methods, the following are some of the more common subjects used to lure compromising clicks and other modes of attack used to target businesses, individuals, and organizations.
Covid-19 quickly revealed shortages and organizational shortcomings that worried consumers, whether it was the availability of PPE supplies, medical treatments, or diagnostic tests. Each of these deficits provided criminals with hard-to-resist lures that continue to be used in phishing and malware campaigns.
“For a hacker the pandemic is like El Dorado,” said CyberScout founder Adam Levin. “Criminals are striking it rich because we’re distracted and scared.”
While the methods and tactics used by scammers vary (and evolve continuously), these are some of the most common:
Phishing Attacks Posing as Information from a Medical Authority
Since the early stages of the pandemic, one of the most common tactics used in phishing campaigns has been to pose as the World Health Organization, the Centers for Disease Control, and other official-sounding (sometimes fictional) agencies to trick targets into clicking tainted links or opening malware-laden attachments.
One email used the subject line: “Urgent letter from WHO: First human COVID-19 vaccine test/result update.” Recipients of the email were directed to open an attachment disguised as a spreadsheet file. It contained malware.
“If you are contacted by a person or organization that appears to be WHO, verify their authenticity before responding,” warned the organization in an announcement. “The only call for donations WHO has issued is the COVID-19 Solidarity Response Fund…. Any other appeal for funding or donations that appears to be from WHO is a scam.”
Covid-19 “Cures” and “Tests”
While snake oil cures are nothing new, the Covid-19 pandemic has fostered a boom in phishing and malware schemes promising testing information, treatments, vaccines, home testing kits and other phony options designed to trigger a click reflex.
“The FDA advises consumers to be cautious of websites… selling products that claim to prevent, treat or cure COVID-19,” the agency states on its website. As of the publication of this article, there is no FDA-approved cure or vaccine.
Several markets on the dark web have claimed to sell cures, vaccines, and even the blood and saliva from patients who have recovered from the virus. A survey conducted in April found 645 listings across 12 markets, with at least one bogus vaccine selling for $16,500.
There were more than 332,000 reported incidents of Medicare fraud in 2019 alone.
Since the Covid-19 pandemic began, scammers have started offering Medicare beneficiaries home-test kits, hand sanitizer, and personal protective equipment. Law enforcement and government agencies have received widespread reports of fraudulent calls and of in-person schemes taking place at a person’s home or at a pharmacy.
The tactics vary, but scammers will often use a victim’s Medicare number to bill the federal government for procedures and treatments that either never happened or were unnecessary. Medicare numbers are also used by identity thieves to trick a target into providing more sensitive personally identifying information, such as a Social Security number, or access to the target’s finances.
“The fact that they get a phone call from somebody representing themselves to be from Medicare seems logical. Unfortunately the illogical part is when they ask you to supply Social Security information or financial information,” says Levin, who advises that the best thing to do is simply hang up on anyone claiming to be calling on behalf of Medicare.
Scams Targeting Remote Workforces
The Covid-19 pandemic has led to millions of employees working remotely, often on less-secure devices and networks.
“The sudden shift from face-to-face office encounters to digital communication makes possible myriad scams that are tailor-made for a newly divided workforce,” says Levin.
A recent survey found that 49% of businesses expect to experience a data breach or security incident within the next month, with 40% of respondents admitting to cutting their cybersecurity budget as part of their response to the pandemic.
While businesses and organizations have long been targeted by widespread and sophisticated cybercrime campaigns, many familiar scams have taken on new Covid-19-related tacks.
As businesses have increasingly embraced videoconferencing as a method of communication, hackers haven’t missed a beat. Using fraudulent meeting invitations and emails, hackers are busy infecting computers with malware targeting an organization’s network and phishing for credentials or whatever else they can get.
One common approach is to direct users to “spoofed” (fake) domains and sites that look like Zoom, Microsoft Teams, and Google Classroom. Since mid-April, nearly 2,500 Zoom-related domain names have been registered, thirty-two of which were confirmed to be malicious. Another 320 were labeled “suspicious” by security researchers.
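The lookalike-domain pattern described above can be triaged automatically. The following is an added example (not code from the article or from any of the vendors named): it screens a constructed list of newly seen domains against a short allowlist of the real service domains (assumed here to be zoom.us, microsoft.com and google.com), flagging brand keywords that appear under a domain the brand does not own and single-character typosquats of the legitimate label.

```python
# Legitimate registrable domains for the services named on the page (assumption: this short
# allowlist stands in for an organisation's real list of approved collaboration domains).
LEGIT = {"zoom.us", "microsoft.com", "google.com"}
# Brand keywords that rarely belong in a domain the brand does not own.
BRANDS = ("zoom", "teams", "classroom", "microsoft", "google")

def registrable(domain: str) -> str:
    """Last two labels of a hostname, e.g. 'login.zoom-meeting.com' -> 'zoom-meeting.com'.
    Assumption: a two-label suffix is enough for this sample; production code should
    consult the Public Suffix List (co.uk and similar suffixes break this rule)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats such as 'zo0m'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str) -> str:
    """Return 'legit', 'suspicious:brand-keyword', 'suspicious:typosquat' or 'unknown'."""
    host = domain.lower().strip(".")
    reg = registrable(host)
    if reg in LEGIT:
        return "legit"                       # the real service, including its own subdomains
    if any(brand in host for brand in BRANDS):
        return "suspicious:brand-keyword"    # brand name under a domain the brand does not own
    label = reg.split(".")[0]
    for legit in LEGIT:
        if edit_distance(label, legit.split(".")[0]) == 1:
            return "suspicious:typosquat"    # one character away from the real label
    return "unknown"

def triage(domains):
    """Map each newly seen domain to its verdict; route the suspicious ones to review or blocklists."""
    return {d: classify(d) for d in domains}

# Constructed sample of "newly registered" domains for demonstration, not real indicators.
SAMPLE = ["zoom.us", "us04web.zoom.us", "zoom-us-meeting.com",
          "zoom.us.login-verify.com", "zo0m.us", "teams-microsoft-login.net", "example.org"]

if __name__ == "__main__":
    for d, verdict in triage(SAMPLE).items():
        print(f"{d:32} {verdict}")
```

A "suspicious" verdict is a review queue entry, not a block decision: legitimate third parties (a school's own "classroom" host, for example) will trip the keyword rule.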
Some 50,000 Microsoft Teams users were hit in two separate email campaigns targeting user credentials for Microsoft’s suite of Office 365 tools. Employees who received these emails were directed to a phony login page that captured their usernames and passwords.
“The goal is simple,” says Levin. “Lure a potential victim into opening a malicious attachment sent via email, or trick them into clicking a link that lands them on a booby-trapped webpage.”
The army of employees now working from home and/or using shared internet connections has meant far wider use of virtual private networks (VPNs). Between March 8 and March 22 alone, there was a 124% increase in the adoption of VPNs. Unfortunately, their widespread adoption has led to a number of suspicious, if not outright fraudulent, applications and services claiming to provide a legitimate extra layer of security.
Where a phishing scam may have the ability to compromise a single account, a fake VPN app or account has the potential to siphon all of the internet traffic coming to or from a computer or a device, not to mention the possibility that it could install malware.
A free price tag is a decent indicator of a potentially suspect VPN. Reviews and download counts are not reliable data points.
VPN Master - Free VPN Proxy, an app listed on the Google Play store, had a high rating and over 100,000 downloads. Researchers discovered eight separate malware and adware variants in it. Another study of mostly “free” or low-cost VPN apps designed for the Android platform found that 82 percent attempted to access personal user data and 38 percent contained malware.
“Never use a ‘free’ VPN service. As with everything else online, if you’re not paying money for a product or service, you’re paying with your data,” says Levin.
Human resource departments and payroll services have been targeted by several variations of payroll scams since the pandemic began.
One of the most common methods deploys email from a spoofed domain, sent to a manager or an HR department, that links to a fake version of their payroll service’s website. Scammers capture the victim’s login credentials and use them to access the company’s real payroll accounts.
Companies that have received loans through the federal Paycheck Protection Program or Economic Injury Disaster Loans have been a specific target of these scams.
“[W]hile you’re focused on getting a loan, scammers may be focused on you: hoping to trick you into giving them sensitive business information, like your bank account numbers, employees’ Social Security numbers, and even your money,” warns the FTC website.
Stimulus and Unemployment Scams
The response from federal, state, and local government agencies and organizations to support the economy during the pandemic created fertile ground for scammers. With tens of millions of newly jobless or furloughed Americans filing for unemployment benefits and the federal government paying individual stimulus checks to avert further economic crisis, criminals have been making a fortune.
The federal government’s stimulus program has created a lucrative opportunity for scammers to siphon money from their victims, often people in dire need of assistance.
“Americans with questions about how and when they’ll receive the checks will be more susceptible to scammers using robocalls, phishing emails and fake texts,” Levin says.
One widespread tactic has been to contact recipients while posing as an employee of the Internal Revenue Service and asking for the financial information supposedly needed to process payment. Other scams include directing victims to fraudulent websites to submit information to the “IRS,” or telling victims that an initial payment is required in order to receive the stimulus payment.
“Scammers are using these stimulus payments to try to rip people off. They might try to get you to pay a fee to get your stimulus payment. Or they might try to convince you to give them your Social Security number, bank account, or government benefits debit card account number,” warns the FTC.
A sophisticated fraud campaign has recently been uncovered and investigated by the Secret Service that may have netted tens of millions of dollars from state governments, money earmarked for the recently unemployed.
According to the agency, international criminals used personally identifying information to file fraudulent unemployment claims.
“Criminals will use stolen personally identifiable information... to file fraudulent state unemployment claims. Crooks will then use social engineering techniques to recruit unsuspecting individuals to launder illicitly obtained funds in order to conceal the identity, source and destination,” said a spokesperson for the Secret Service.
While several states have been affected by the fraud campaign, Washington State has been the primary target. At a single Washington university, 400 of 2,500 employees were targeted by fraudulent claims.
Job Listing Scams
While many scams specifically target remote employees during the Covid-19 pandemic, the 30 million Americans who have filed for unemployment since mid-March have also been actively targeted with fake job offers.
“Beware of work at home and mystery shopper ads. These are usually scams,” says Levin.
Victims are often contacted out of the blue and offered lucrative remote work positions, but are told they need to pay a fee for vetting or a background check, at which point they never hear from their new “employer” again.
In other cases, fake job offers are posted online by identity thieves looking for sensitive information that can be used to open new lines of credit in a victim’s name or deployed in other identity-related crimes.