Welcome to the first installment of our new Scamdemic Series. Each week I am going to deep dive into one type of scam making the rounds during the global Covid-19 pandemic. We’ll talk about how the scam works, who scammers are targeting, and how to avoid becoming a victim.
First up, we’re going to talk about phishing—and no, I’m not referring to how fans of the psychedelic jam-rock band Phish zealously ponder the meaning behind the band’s set list choices or wax nostalgic about the first time they saw drummer Jon Fishman’s vacuum solo. Phishing scamsters are way more of a problem.
What Phishing Scams Are
Phishing scams are emails, texts, spam, phone calls or websites disguised to look or sound legitimate or trustworthy. In reality, cybercriminals are behind these scams, which are designed to trick you into giving up your personal and private information.
According to a cnbc.com article, coronavirus-related robotext scams are becoming more difficult to decipher. “It starts with a text purportedly from the Internal Revenue Service asking to confirm information for a stimulus payment through a link,” the article says. Clicking on the provided link takes you to an authentic-looking IRS webpage where you are asked to enter your name, contact information and Social Security number. Once the scammers have all the information they need, you are rerouted to the real IRS website, where you may remain unaware that you were phished out of your sensitive information.
Scammers can be very nuanced in their use of phishing attacks. Understanding that a large segment of the population relies on home delivery of goods during the pandemic, scammers have designed emails and texts purporting to provide information on the delivery of packages. In this version of the scam, a customer eager to know the status of a package may not think twice about opening an email claiming to come from FedEx. But by clicking on the link, a customer may inadvertently provide his or her personal information to a scammer or download malware.
In mid-March, emails claiming to be from the World Health Organization (WHO), a leading health organization in the fight against the coronavirus, were sent out to the unsuspecting public. The emails included various attachments providing guidelines and recommendations for protecting against Covid-19 and staying safe during the pandemic. The real purpose of these emails was to lure recipients into downloading malicious attachments, including an invasive keylogger called Agent Tesla capable of stealing passwords, logging keystrokes, and capturing screen and video from your device.
The above cases are just a few examples of the phishing scam scene today. And, unfortunately, phishing scams come in many different shapes and sizes. In reality, they are only limited by the imagination of the scammer. What is worse, the coronavirus pandemic has seemingly opened the phishing scam floodgates. On April 16, 2020, Google announced that in one week they saw 18 million daily malware and phishing emails related to Covid-19. This is in addition to the more than 240 million coronavirus-related spam messages sent to users on a daily basis. Luckily, Google says they have security protocols in place that “block more than 99.9% of spam, phishing, and malware from reaching our users.”
Still, there are measures you can take to further protect yourself from these bad actors.
What You Can Do
Educate yourself on the latest tactics used by scammers: The more aware you are of how scammers operate and the current type of scams they are engaging in, the greater the chances you will recognize a phishing scam coming your way.
Personal experience can back this up. At the time of writing this post, I was sent a phishing text (known as smishing) thanking me for the purchase of a $469.97 product. Admittedly, there was a strong impulse to find out, as quickly as possible, what it was all about and click the conveniently provided link. The scammers behind this text were banking on the shock of seeing the dollar amount to spur me into taking some misguided action. I might not have been able to resist the urge to click on the link if I wasn’t familiar with some of the techniques used by scammers. Instead, I calmly verified directly with my bank if any unauthorized payments had been made. When I was assured none had, I simply deleted the text and moved on with my day.
Be vigilant and pay attention: Treat texts and emails you receive from unknown sources as potentially suspicious, especially if they are unsolicited. If you receive a suspicious email/text, do not reply, open any attachments or click on any links. Instead, contact the business or organization directly and verify with them that they sent you the email/text. If the email or text is from an unknown source, think hard before going further and clicking on any links. The best course of action may be to delete these types of communications. If you want to respond to an unsolicited email, you can rely on websites like CheckPhish, a free URL scanner that verifies whether the site is known for phishing, before acting on any call to action.
Take note of the language used in emails and texts. Emails that are purportedly from a reputable business but are overly friendly should raise some flags. If they begin with “Hello Mate” or “Hi User!”, steer clear of them—they are likely scam communications. Egregious grammatical and spelling errors are also a strong sign that a scammer is working behind the scenes to dupe you into divulging sensitive information.
In the next blog post, we will look at how scammers have set their sights on your government coronavirus relief payments. For many, stimulus checks represent a lifeline in times of economic uncertainty but for cybercriminals they are just another opportunity to enrich themselves at your expense.