Fraudsters are impersonating the government, trusted brands and colleagues as they seize upon Americans’ desperation for stimulus checks, confusion around student loans and concern for their physical health. They’re pulling out all the stops, including phishing, vishing and smishing — that’s phishing via text message — as they attempt to con people out of their money.
And it’s working. As of Sept. 13, the Federal Trade Commission had received over 100,000 reports of coronavirus-related fraud that cost Americans almost $139 million. The average loss was $300.
The pandemic is fertile ground for fraudulent activity in part because of the mismanagement of personal data over the past decade, according to Richard Bird, chief customer information officer at security software company Ping Identity. All those website breaches add up. Hackers now have a ton of stolen info they can use to target unemployment benefits, small business loans, Social Security and more.
Making matters worse is the fact that so much work has gone remote, says Edward Bishop, the chief technology officer at email security firm Tessian.
“What we’re seeing is attackers trying to take advantage of the chaos and uncertainty of current times,” he adds. “[You] used to sit next to a colleague and could lean over and say, ‘Hey, did you send me this invoice?’ This relationship now is distant — and maybe even in a different time zone.”
Basically: Fraudsters know you’re stressed and distracted, caring for your hyperactive kids while taking conference calls at your kitchen table. Your guard is down, and they’re making the most of it.
There are hundreds, if not thousands, of different ways people have tried to scam others during the pandemic. We’ve rounded up 26 of the major (and more interesting) ones here. Read on, and protect yourself — as Bird sums it up, “Bad guys love bad times.”
Two groups, Golden Sunrise Nutraceutical and Golden Sunrise Pharmaceutical, were charged this summer for advertising a $23,000 coronavirus “treatment.” Promotions for the so-called Emergency D-Virus Plan of Care included at least four physical billboards along roads in California. Not only did an undercover investigator and the FBI get involved, but also Golden Sunrise’s CEO — a man named Huu Tieu — was arrested in July.
The U.S. Cybersecurity and Infrastructure Security Agency issued an alert in August about a fraudster who was sending emails with the subject line “SBA Application – Review and Proceed.” The emails, which went out to various government officials, told people to click on a certain hyperlink in order to track their loan status. The page actually stole their credentials.
Car dealership checks
IRS who? In June, the FTC filed a complaint against Traffic Jam Events, a marketing company for car dealers, for sending out mailers boasting about an Economic Automotive Stimulus Relief Program. Traffic Jam Events encouraged people to physically travel to certain locations (one was in Florida) to score “COVID-19 Auto Stimulus” payments and even sent out fake checks for $3,344.68.
In February, the World Health Organization found that scammers were contacting people via email, phone, text and even fax to ask for online donations. Recipients were confused because the messages looked like invoices and came from email addresses ending in “@who.com” or “@who-safety.org.” (In reality, WHO uses “who.int.”) The malicious websites and sketchy attachments worked to install malware and steal their logins.
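The domain mismatch in the WHO case is something a mail filter can check mechanically. The sketch below is an added example, not part of the original article: it treats only who.int and IRS.gov, the official domains the article names, as legitimate, and the brand tokens and sample headers are constructed for illustration.

```python
from email.utils import parseaddr

# Official domains come from the article; the brand tokens are assumptions.
OFFICIAL = {"who": "who.int", "irs": "irs.gov"}

def sender_domain(from_header):
    """Return the lowercased domain of the address in a From: header, or ''."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")

def classify(from_header):
    """Return 'official', 'lookalike:<brand>' or 'unrelated'."""
    domain = sender_domain(from_header)
    if not domain:
        return "unrelated"
    for official in OFFICIAL.values():
        # Exact match or a true subdomain. A bare endswith(official)
        # would wrongly accept a domain such as "notwho.int".
        if domain == official or domain.endswith("." + official):
            return "official"
    # Split on dots and hyphens so "who-safety.org" yields the token "who".
    tokens = set(domain.replace("-", ".").split("."))
    for brand in OFFICIAL:
        if brand in tokens:
            return "lookalike:" + brand
    return "unrelated"

# Constructed sample headers; the two lookalike WHO domains are the ones
# quoted in the article, everything else is made up for the example.
SAMPLES = [
    "WHO Donations <donate@who.com>",
    "alerts@who-safety.org",
    "press@who.int",
    "Media <media@mail.who.int>",
    "refund@irs.gov.example.net",
    "info@notwho.int",
]

def triage(headers):
    """Map each From: header to its verdict."""
    return {h: classify(h) for h in headers}

if __name__ == "__main__":
    for header, verdict in triage(SAMPLES).items():
        print(f"{verdict:15} {header}")
```

A From: header can itself be forged, so a check like this complements SPF, DKIM and DMARC validation and does not replace it.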
In June, the Department of Justice warned people against invalid “face mask exempt cards” bearing its official seal. The cards were reportedly sold by a group calling itself FTBA, the Freedom to Breathe Agency, in 500-count boxes for $49.99. Not only did they appropriate the DOJ eagle, but they also bore a message that referenced the “Americans with Disability Act,” which is just a misspelled version of the Americans with Disabilities Act.
Facebook friend fail
Facebook and Instagram users are getting plagued by direct messages that appear to be from friends about coronavirus grants, according to the Better Business Bureau. The messages claim their name is on a list for free money… and all they have to do to get it is pay a delivery/processing fee. But once a person pays, that cash is gone — and the aid never materializes.
Grifters on Google
At one point in April, Google said it encountered “18 million daily malware and phishing emails related to COVID-19” — on top of “more than 240 million COVID-related daily spam messages” — in a single week. Subject lines included “Solidarity Response Fun. Help WHO fight COVID-19,” “Re: COVID-19 Adjustment !” and “COVID-19 PAYMENT.”
In June, the FTC warned CoviDoctors.com, who were hawking “HERBAL FORMULAS USED IN CHINESE HOSPITALS FOR TREATMENT AND PREVENTION OF COVID-19.” Ditto the Traditional Chinese Medical Clinic and the alliterative Dr. Nuzum’s Neutraceuticals. As of mid-August, some 300 sellers had been warned by the FTC for making unsubstantiated claims.
The Justice Department has cracked down on several Americans for attempting to defraud the Paycheck Protection Program. In August, for example, it charged nine people who used fake documents to apply for about 90 loans worth more than $24 million (and asked for a kickback). That case also involved NFL player Josh Bellamy. The DOJ said Bellamy got a $1.2 million PPP loan for his company, Drip Entertainment LLC, but then used the money at Dior, Gucci and the Seminole Hard Rock Hotel and Casino.
With increased unemployment comes increased job-seeking — and, of course, fraud. The BBB warned in July that bad actors were pretending to be big companies, posting help wanted ads, conducting Google Hangout interviews and “hiring” Americans. Then they’d charge for training, ask for bank information or tell the new employee they needed to wire back an overpayment… and exploit the info.
Nearly 700 websites related to stimulus checks popped up within days of Congress approving the CARES Act this spring. Tessian found that 7% were spam and that the URLs were “set up to take advantage of the stimulus package, using common questions or key words to lure users in.” The decidedly unofficial sites included whereismystimuluscheck.com and covid-19-stimulus.com.
Loan callback scam
This robocall preys on the 42 million people who have student loans. It references how President Donald Trump waived interest on student loans — a real thing — but then pivots into asking people to call back “for more information on how these new measures will impact your future payment obligations.” Free advice? Don’t.
Eight companies were warned in May and June for encouraging people to apply for loans on their websites instead of visiting legit SBA portals. Operators of sites like SBADisasterLoan.org and USAFunding.com got in trouble for misleading entrepreneurs with claims they were “able to process your SBA Paycheck Protection Loan faster than any other source.” One site charged a $495 service fee — something the SBA specifically prohibits.
No FCC grant
No, the government didn’t suddenly become generous — that text offering $30,000 from the “FCC Financial Care Center” was fake. Ditto the text about that “mandatory online COVID-19 test.” Bad news: The FCC isn’t giving out thousands of dollars via text message, and you can’t test for coronavirus online.
Orders in the ether
The FTC has filed cases against a handful of online sellers who falsely said they would deliver hand sanitizer and face masks with super-fast shipping. Vendors such as QYK Brands, Zaappaaz and American Screening are accused of not delivering products on time — or at all.
In Kentucky, investigators found that two medical marketing companies were setting up shop around Louisville and charging people as much as $250 for unofficial coronavirus tests. Operating in at least one case out of a pop-up tent, van and pickup truck, they also took patients’ insurance information and Social Security numbers.
An editor at The Verge got a “CORONAVIRUS ALERT” email recently threatening a financial penalty for breaking quarantine. “We would like to inform you that you have been recorded as leaving your home on 3 occasions yesterday,” it read. “A fine of $59 has been added to your gov.us account.” The email told the recipient to visit a government page for more information — but clicking the link actually redirected to a scam site.
In June, the FCC warned against scam texts being sent in the name of the IRS. They instructed people to click a certain link “to register/update your information in order to receive the economic impact payment regardless of your status.” This was a phishing scam. FYI, the only place to update your personal information for stimulus checks is at IRS.gov.
In March, there was an uptick in texts and WhatsApp messages offering free Netflix subscriptions “to keep you entertained” during the pandemic. Some texts even urged the recipients to “run on the site cause it will end quick!” The link redirected to a fake Netflix site that instructed users to share with 10 friends before they could activate an account. Even Tiger King is not worth compromising your personal data.
Test kit trick
There’s a robocall going around that targets diabetes patients who are at high risk of the coronavirus. According to YouMail, the message says something to the effect of “if you are diabetic and using insulin, we can qualify you to get a free diabetic monitor and a complimentary testing kit for coronavirus” and tells the recipient to press 1 for more info. Alas, they just want to collect personal information.
California, North Carolina, Maryland, Washington and other states made headlines over the summer as they dealt with unemployment fraud. According to the FBI, bad actors filed for unemployment using stolen identities — but in many cases, the victims didn’t find out until they themselves tried to file a claim. The Maryland case was a big one: Using a loophole that allowed them to self-certify job loss, fraudsters filed some 47,500 falsified unemployment claims in an effort to get $501 million in benefits.
Who you gonna call? Not The1VirusBuster, which sold an invisible virus-killing barrier developed by a “quantum computer” and got a takedown letter from the FTC in June. Ditto the Provita Health Store, which advertised a VariZapper that sent “frequencies that match the frequencies of pathogenic microorganisms” but had to be used before 9 p.m. And the Hulda Clark Zapper, which came with promising ad copy that said “in theory it should work.”
In late August, the FTC reported that people had been getting messages on social media purportedly from big brands like Target and Walmart. The messages claimed to offer free money in the form of giveaways, grants and food coupons — but in reality, they were phishing scams attempting to collect personal information and install malware.
“eXplosion” of phone scams
The Montana attorney general’s office put out a warning in July saying it had “seen an explosion of contact tracing scams” occurring over the phone. A scammer would call a person, claim to be a contact tracer and then ask for payment and/or their Social Security number before continuing. Spoiler alert: Contact tracers do not need your credit card info or SSN to figure out whether you’ve been near someone who got sick.
Your test results
In Arizona, Attorney General Mark Brnovich told residents to watch out for coronavirus test result scams where people pretend to be health providers in hopes of stealing information or money. Brnovich pointed out that testing facilities do not need to collect Social Security numbers or bank account information — and especially not over the phone.
Zoom gone phishing
In May and July, Abnormal Security reported that fraudsters were sending out fake Zoom emails in hopes of stealing Microsoft Office 365 logins. The emails asked recipients to click a link to “activate their account,” which really redirected to a fake login page. (There was a similar scam in April where attackers asked people to join a Zoom meeting with their company’s human resources department.) A solid rule of thumb for pandemic times: If you get a weird email, Zoom away.
This story has been updated.