Fraudsters are known to thrive in times of crisis and major events, and the current COVID-19 pandemic is no exception. What has made this crisis different from previous events is the immediate and rapid impact it has had on the cybercrime economy, with criminals leaving no stone unturned. Following are the many scams RSA® has identified, along with security best practices, as we see a growing surge in fraud attempts.
- Account Takeover
Account takeover is a scam that RSA has reported on extensively, in which fraudsters leverage stolen credentials from data breaches to take over consumer accounts. In today's environment, knowing that children around the world are out of school, fraudsters are reaching out to kids directly in hopes of gaining access to their gaming and other online accounts. I had a personal experience just this past weekend where my 12-year-old nephew unwittingly gave his Xbox login to an "online friend" who promised to upgrade his account. Instead, his new "friend" took over the account, changed the password and made off with hundreds of dollars in purchases that were charged to the credit card on file. A valuable lesson I suggest you add to your child's remote learning and cybersecurity agenda: Don't ever give personal information out to people online.
- Phishing
There's no shortage of phishing scams that take advantage of fears of COVID-19, but among the most egregious examples RSA has identified are phishing emails purporting to come from the World Health Organization (WHO). Preying on fear is a common phishing tactic, but it's one thing to prey on someone's fear of having their identity stolen or their credit ruined – and quite another to prey on their fear of a new, sometimes deadly disease. In one example, the fraudster poses as a WHO physician offering to share information on safety measures to protect against the global health pandemic. Clicking on the link in the email results in malware being installed to collect private information from the recipient's device, establish remote access to the device or steal address book information to send more emails to the recipient's friends. (NOTE: The World Health Organization is aware of these types of activities and has posted cautionary information on its website, including how to recognize fake return email addresses and links.)
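The WHO lure above relies on a display name that says "World Health Organization" while the actual sender address and link point elsewhere. The following triage check is an added example written for this post (not RSA's or WHO's code) that flags that mismatch on a constructed message; who.int is WHO's real domain, while the sample sender and link domains are made up.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand keywords and the domain that legitimately belongs to them.
# who.int is WHO's actual domain; the keyword list itself is an assumption for this example.
LEGIT_DOMAINS = {"world health organization": "who.int", "who": "who.int"}


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an e-mail address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _is_or_under(host: str, legit: str) -> bool:
    """True if host is the legitimate domain or a subdomain of it."""
    return host == legit or host.endswith("." + legit)


def triage_headers(headers: dict, links: list) -> list:
    """Flag display-name impersonation, Reply-To mismatches and off-brand links.

    headers: mapping of header name -> raw value (From, Reply-To, ...)
    links:   URLs extracted from the message body
    Returns a list of findings; an empty list means nothing suspicious was seen.
    """
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    from_dom = _domain(addr)
    # Which brand does the display name claim, if any?
    claimed = next((dom for kw, dom in LEGIT_DOMAINS.items()
                    if re.search(r"\b" + re.escape(kw) + r"\b", name, re.I)), None)
    if claimed and not _is_or_under(from_dom, claimed):
        findings.append(f"display name claims {claimed} but From domain is {from_dom}")
    # A Reply-To pointing somewhere else is the classic "fake return address".
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply)} differs from From domain {from_dom}")
    for url in links:
        host = (urlparse(url).hostname or "").lower()
        if claimed and not _is_or_under(host, claimed):
            findings.append(f"link host {host} is not under {claimed}")
    return findings


# Constructed sample modelled on the lure described above; not a real message.
SAMPLE_HEADERS = {
    "From": '"Dr. Smith, World Health Organization" <dr.smith@who-safety-alerts.example>',
    "Reply-To": "reply@mailbox.example",
}
SAMPLE_LINKS = ["http://who-safety-alerts.example/covid19-safety-measures.exe"]

if __name__ == "__main__":
    for finding in triage_headers(SAMPLE_HEADERS, SAMPLE_LINKS):
        print("SUSPICIOUS:", finding)
```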
- Vishing
What do online bank accounts and COVID-19 have in common? Not much, unless you're a fraudster like the one who sent a bank's customers an email advising them to call the bank to resolve a missed payment. It was for the most part a typical ploy – except that it also included the line "If your financial situation has been impacted by COVID-19, please call us to discuss options…" The email then provided a VoIP (as in "v" for "vishing") phone number to call instead of a link to click. In the guise of being helpful, this scammer dropped a powerful lure to recipients who may have lost income or otherwise suffered financially from the current pandemic. While vishing attacks usually involve an unsolicited VoIP phone call from someone appearing to represent a bank or some other organization, this newer type of attack, dubbed reverse vishing, uses emails, online ads or social media posts to persuade potential victims to call a phone number that is controlled by the fraudster.
- Smishing
A smishing attack is a phishing attack that uses SMS texts instead of email messages to carry out the attack. Fraudsters are now adding a coronavirus twist to this tried-and-true scam. In one case, someone claiming to be from HMRC, the U.K. tax authority (comparable to the IRS in the U.S.), advises of "a goodwill payment" that is supposedly part of the government's effort to fight COVID-19. Other common ones popping up are part of a recent fraud trend involving loyalty points, in which a text that claims to come from a rewards program entices the recipient with an offer of bonus points. These kinds of efforts typically try to trick anyone who responds into providing account information as a condition for claiming the payment or points being offered.
- Social Media Attacks
You have to hand it to the fraudsters behind this one: It certainly looks like a social media post from a legitimate major retailer that wants to give away a shopping spree. Of course, it is no more a legitimate post than any of the others you see on social media offering everything from two free airline tickets to a year's worth of groceries. As with so many of the other scams described in this post, the fraudster uses COVID-19 as the pretext for an act of generosity. But what fraudsters really want from social media attacks is for the reader to click through and provide personal information or sign up for costly services – and, even better, share the post with friends, so even more victims can be lured in.
- Fake eCommerce Sites
There have been numerous fake websites set up by fraudsters to capitalize on consumer panic. Most of these websites are related to selling supplies that are in high demand globally, such as masks, hand sanitizers, plastic gloves and disinfectant, and often at inflated prices. The websites are simply a ruse for the perpetrators to pocket the money from transactions, and no supplies are ever shipped. Even more troubling are websites purporting to offer free vaccines or other treatments for COVID-19 which are actually being used to steal payment card and other personal information from victims.
- Rogue Mobile Apps
Not all fraud attempts involve email, phone calls or text messages. Mobile apps are a rapidly growing attack vector for spreading malware, spyware and ransomware. Playing on global interest in the topic, fraudsters have released a variety of fake mobile apps related to COVID-19 claiming to offer the latest breaking news and updates. Instead, these fake apps are downloading malware and ransomware capable of taking over a victim's mobile device. RSA has uncovered numerous examples of these fake apps exploiting COVID-19 interest that are linked to Android banking malware including BankBot Anubis, Cerberus and DanaBot.
- Work-at-Home Scams/Money Mules
Work-at-home scams are among the most disturbing trends in COVID-19 exploitation, as these schemes take advantage of the desperate financial situation many people may find themselves in right now. Brian Krebs recently reported on one such highly sophisticated operation where fraudsters set up a fake charity website in hopes of recruiting money mules under the guise of helping those affected. Work-at-home "opportunities" popped up relentlessly several years ago after the global financial crisis, several of which RSA reported on at the time. If there ends up being a global recession due to COVID-19, expect bad actors to prey on vulnerable consumers and work-at-home fraud scams to thrive.
Social Engineering is the Key
We often forget that a scam can only be successful if it socially engineers or fools victims into doing what the fraudster intends for them to do (e.g., download malware). Cybercrime is dependent on the human element, and fraudsters know they must manipulate our primal triggers to be successful. They are smart and cunning and leverage the same tactics many marketing organizations use to socially engineer our emotions into buying a product or service. Think of these examples:
- Sense of urgency – "You will miss out on this amazing deal if you don't act now" – click here (in a phishing email or a promo in a social media post). Fear of others hoarding basic essentials such as food, hand sanitizer and toilet paper has created a sense of urgency for many.
- Sense of fear – "You have missed a payment!" Knowing that many people are undergoing financial hardship, fraudsters create a sense of fear that a utility will be shut off, for example, if the recipient doesn't click on a link to update their account. Likewise, fraudsters are using incentives such as government payments and work-at-home scams that play on the fear of financial insecurity.
- Sense of belonging – With virtually every large nation around the world in some level of lockdown, people are yearning for social connection and spending more time than ever on social media. Please don't throw privacy out the window in these trying times, and be careful what you share online.
Avoid Becoming a Victim
While there is cybercrime that takes place at a more urgent scale than we can imagine, such as government agencies being hacked or hospitals and healthcare providers falling victim to ransomware in the midst of a pandemic, know that the scams mentioned above are ones we can all control (and avoid) by simply acting smart online. According to the Federal Communications Commission (FCC) website, here are some tips you can use to avoid falling victim to fraud scams:
- Do not respond to calls or texts from unknown numbers, or any others that appear suspicious.
- Never share your personal or financial information via email, text messages, or over the phone.
- Be cautious if you're being pressured to share any information or make a payment immediately.
- Scammers often spoof phone numbers to trick you into answering or responding. Remember that government agencies will never call you to ask for personal information or money.
- Do not click any links in a text message. If a friend sends you a text with a suspicious link that seems out of character, call them to make sure they weren't hacked.
- Always check on a charity (for example, by calling or looking at its actual website) before donating.
Fraudsters were well-prepared to profit from the pandemic before most of us had even heard of the virus. As far back as January, RSA identified tens of thousands of newly registered domains that contained the words coronavirus and COVID-19. It's up to the public now to be equally as prepared and practice good cyber hygiene and security measures.
If your organization is pursuing digital transformation, business continuity and information security are key, whether the disruption is a technology outage, a cyber-attack or a wholly unexpected event. Get advice on how to build business resiliency in our e-book, Four Steps to Coordinate Business Resiliency.