They say necessity is the mother of invention. Unfortunately, it’s also a lure for opportunists looking to make a buck. And what better opportunity for online scams than a global pandemic? Sadly, COVID-19 is big business for those into online fraud.
The first few months of 2020 have been unlike anything most of us have experienced. COVID-19 drove most people inside to work from home, or get laid off, and spend a lot of time on our devices waiting for the world to return to usual.
One thing that is usual is that cybercriminals take advantage of people’s vulnerability and commit online fraud in clever ways. Bad actors have zeroed in on the things consumers are most desperate for: hand sanitizer, non-medical masks, novel coronavirus cures, immune system boosters, and more. They are using new traps for old scams.
More importantly, these are just the prelude to mass-scale attacks down the road once they’ve got your data. First, here’s how they get your credentials.
It’s true that need is high right now. Food banks, churches, and other community service organizations are scrambling to help people meet their needs. Bad actors are taking advantage of that to send emails to unsuspecting people that ask for donations.
It’s easy to set up an email with an organization’s logo and other identifying visuals. When you receive an unsolicited email asking something from you, the first thing to do is look at the website address. If it doesn’t match the corporate URL, it’s likely a scam. If you want to be sure, phone the organization and ask if emails are being sent for the stated purposes. You’ll likely find they aren’t.
Infosecurity magazine recently reported that a well-known malware called Trickbot is circulating via an email offering free COVID-19 tests. This old malware with a new lure represents 60,000 of the millions of phishing emails Microsoft stops daily. Google also claims to be blocking 240 million spam messages about COVID daily, and 18 million malware and phishing emails.
Fake COVID-19 tracking apps
What better way to infect your devices with malware than to get you to download something? Once you download the app, the malware collects your identification and other private data to send back to the fraudster. Your ID, banking information and other data can now be used for online fraud.
Microsoft reported a phishing email, supposedly from Johns Hopkins Hospital, with the subject line “WHO COVID-19 SITUATION REPORT.” When readers click on the attached files to see supposed infection rates throughout the U.S., a malicious Excel 4.0 macros downloads and runs the NetSupport Manager RAT. “NetSupport Manager is known for being abused by attackers to gain remote access and run commands on compromised machines, Microsoft posted on Twitter.
Phishing and fake apps are also vehicles for ransomware to take your data hostage in exchange for money. Bad actors freeze your data and won’t unlock it unless you pay.
Fake eCommerce sites
Medical and non-medical masks and hand sanitizers are frequently advertised online, but buyer beware. Even five-star ratings can be conjured up. Many of these sales sites are just a means to collect consumers’ payment information and addresses. Either goods are never received, or the goods are substandard or defective. Beware of offers for “home” test kits and unknown “miracle” cures or vaccines. They do not exist.
Government stimulus funds
There’s nothing like free money to get people excited, including bad actors. Consumers may get links in text messages to deposit the money once they enter their banking information, while others are offered immediate access to funds for a small fee. Register with the IRS (U.S.) or CRA (Canada) for direct deposit. And no, they won’t call you – that’s a scammer on the line.
Working from home
With many of us working from home, fraudsters are sending fake emails from the IT department. They may ask you to install an update for your computer or make a payment to a certain vendor to help them catch a fraudster.
Your employer’s IT department would never ask you to click a link to update your password. You’d have to log in, likely with two-step authentication, and make your changes directly on the system. If in doubt, check in with IT to be sure.
You might also prefer to use your personal computer while at home because it’s easier or more familiar. Don’t. Your work computer likely has a firewall and security software to prevent data breaches. In either case, when you do get genuine requests to update your apps and security, install them right away to stay safe.
Where your data goes
The story doesn’t stop at losing a few hundred dollars. This may be a trial run with your data to ensure its validity. Once fraudsters have used it for a few transactions, your credentials may be added to a growing database for sale on the dark web. Purchasers of your data will then use it for further financial crime or mass-scale attacks.
Attacks on financial institutions jumped 238 percent from the beginning of February to the end of April, according to VMware Carbon Black. The journalist compared spikes in attacks to significant news events: the first case of COVID in the U.S, the first reported death, and the day the WHO declared it a pandemic.
At NuData, we saw a 43 percent increase in high-risk traffic between January to April 2020 compared to the same period in 2019. High-risk account creation traffic grew by 300 percent just in March and April.