COVID-19 is a tragedy that is affecting nearly everyone. On the positive side, it has brought out the best in people. There are countless stories about people donating plasma, food, money, and much more. There are large groups of people using their 3D printers to make masks and other PPE for healthcare workers who are facing these critical supply shortages.
Sadly, scammers are also out in force. Ironically, they were quite quick to mobilize, often quicker than the relief groups. And it is not just COVID. Whenever there is a natural disaster, scammers often react before international aid arrives on-site.
To understand the scale at which scammers are exploiting COVID and the Coronavirus Aid, Relief, and Economic Security Act, consider a recent New York Times article, which notes that with trillions of dollars being distributed, it is a veritable gold mine for scammers. Over the last month, over 4,300 malicious domains were set up to take advantage of people looking for new forms of government support.
Brian Stack, VP dark web intelligence at Experian, notes that “the stimulus site is a little bit like ringing the dinner bell for hackers.” Eva Velasquez, CEO of the Identity Theft Resource Center, said, “I’ve been in this space for over 30 years, and I have not seen anything like this in my entire career. The scope, the scale, the speed, and the efficiency of the scams is breathtaking.”
And it gets worse. The New York Police Department (NYPD) is on alert over a sick COVID-19 blackmail scheme where unsuspecting people are targeted online by scammers who threaten to infect their families with the coronavirus if they refuse to pay the fraudsters money. The NYPD document notes that the pandemic has created an environment ripe for fraudulent activity with threat actors leveraging fears of the virus to perpetrate a variety of malicious and criminal exploitation.
With that, here are 20 ways to protect yourself against COVID-19 and stimulus benefit scams:
- Follow all of the good security practices you are accustomed to. There are no new techniques with COVID scams. They are just using COVID as a means to deceive you. They are using old techniques via a new crisis.
- Beware of bogus web sites claiming to have COVID information. These often distribute malware, sell fraudulent treatments, or use other devious means.
- Beware of innocuous-looking data scraping, often from online quizzes. These are often in the form of “How much do you know about COVID?” They will link to other quizzes that stealthily ask you questions such as “What was your first car?”, “What is your favorite food?” and similar. These are precisely the questions used for password recovery. Even if not used to scam you, these quizzes are generally nothing more than clickbait. See “If it’s a Facebook quiz, then it must be clickbait.”
- Beware of email & SMS phishing schemes. These attempt to get you to click a link and provide personal information. Don’t reply to these emails or texts.
- Beware of fake text messages from the CDC and state/local governments — they will generally not text you out of the blue. Clicking the link in the message will typically prompt you to enter your personal information, including name, address, social security number, and more.
- Always verify the web address of legitimate websites and manually type them into the browser.
- Be extra vigilant when sharing your personal information (PII). If you have to enter your PII, don’t click a link from the email. Go directly to the web site.
- Check for misspellings or wrong domains within a link, such as G00gle.com as opposed to Google.com.
- Beware of social engineering tactics aimed at getting you to reveal sensitive information.
- Be wary of any web site/email/text/phone call asking you for PII, no matter how minor. You may think it is a small, throw-away piece of information. But that small piece of information can be correlated with other PII about you to create a breach. This is a classic information security salami attack.
- Beware of unsolicited messages offering COVID or stimulus information.
- Beware of unsolicited requests to visit a web site for more information.
- Beware of emails with “alert” or “advice” in the subject line.
- If an email has an offer that seems too good to be true — it is.
- Be wary when getting any message regarding COVID treatments, testing, vaccines, quarantine measures, and information from government officials.
- Realize that no health agency or government department will email you asking for your health details or sell you a COVID vaccine or test.
- The Red Cross and WHO will never ask for your PII in an email.
- Only use trusted sources to locate information about COVID and the stimulus package.
- Use a zero-trust approach. Think twice before you click or respond to emails and verify that requests are legitimate, especially financial transactions.
- Finally, slow down, don’t rush to reply. This makes it easier to recognize red flags.