While nations around the world are doing all that they can to lessen the impact of the coronavirus pandemic, fraudsters – true to form – have identified it as an opportunity to make money and are actively using COVID-19 as a way to cash in. Indeed, in February in the UK alone, coronavirus-themed scams targeting both individuals and companies caused losses of over £800,000 (the equivalent of nearly €1 million). There are no depths to which these criminals won’t stoop, so we expect them to keep using the virus outbreak to their advantage. This blog will give you an idea of what to look out for.
Phishing and baiting
The most common way in which the scams seem to be perpetrated is via phishing attacks. For example, there are currently plenty of fake advertisements going around online. Big corporations such as Twitter and Facebook have taken steps to remove misinformation from their sites, but there are many that are slipping through the net or are on other websites without the same resources.
These ads mostly attempt to bait victims into buying in-demand products such as face masks, hand sanitizer and even self-testing kits. However, the products advertised do not actually exist, and fraudsters are pocketing the money without providing anything in return.
Spear-phishing attacks, leveraging telephone or email scams, are also commonplace. This is where the fraudster targets individuals by contacting them directly, posing as people in official roles or working for an official organization. These criminals often already know some personal information about their victims which helps them to appear genuine.
There have been numerous fraudulent email campaigns too. For example, one widely circulated and malware-laden email claimed that the virus was now airborne, thus shamelessly spreading misinformation together with malicious code as a way to make a profit. Another email claimed to include details of a cure, while another asked for donations to the ‘coronavirus cause’ (or in this case, to the scammers’ pockets). A further example was of a message purportedly from the World Health Organization, which audaciously included the phrase “this little measure can save you” as a way to entice recipients to click on a malicious link.
Scaremongering and ‘brain-hacking’
All too often when there is a global or national event, scammers will attempt to capitalize on people’s interest in the topic. For example, during tax-preparation season, people expect to receive messages about taxes and tax returns so might not spot a scam parading as the same. Fraudsters are using the coronavirus in a similar way, adding to the discourse on it, and scaremongering in order to increase their illegitimate profits.
There was even a campaign in the UK which sought to leverage both a national event and the virus at once, emailing prospective victims about a (fake) new tax refund program that was coming about as a result of the COVID-19 outbreak. Not only did they use the virus as the hook to bait users, they also posed as the UK Government, in co-operation with the National Health Services, to improve their persuasiveness. This came on the back of regular announcements from the UK Government about how it intends to help people and businesses financially affected by the crisis.
This is the sly way in which fraudsters use real events to ‘brain-hack’ their victims, as people will be more open to hearing about these things and, crucially, more susceptible to believing them. This particular fraudulent email included a link to a fake but official-looking website where the individual was then asked to input all their tax and financial information.
How these campaigns lead to fraud
By providing their personal details on the phone or on fake websites, the user is opening themselves up to the possibility of their information being used to create synthetic identities and mule accounts. Their own data could even be turned against them, for example, if it is used as the basis for a genuine-looking phishing attempt at some point in the future.
In addition to this, the emails can contain links or attachments which, if opened, download malicious software onto the user’s device. This includes keyloggers, which can intercept sensitive information such as usernames or passwords, or Remote Access Trojans (RATs) which can be used by fraudsters to obtain complete and anonymous control of a user’s device and are often used to access a user’s online bank account.
If an individual sends money to what they believe to be a charity account but is actually a mule account, it is likely they have been a victim of an Authorized Push Payment (APP) scam. It’s a similar case when they buy goods that they do not receive, or are persuaded to send money to a different bank account than they originally intended. Because these payments are authorized by the account holder, it is notoriously difficult for banks to detect and block this type of fraud. As such, they’re a popular choice for criminals.
The world is in uncharted territory, and this is exactly the kind of environment that fraudsters love to manipulate. They will be bold enough to try anything; as long as the COVID-19 situation continues, fraudsters will continue to try to exploit it. Extra vigilance towards fraud and cybersecurity is needed now more than ever.