Written by Ruth Promislow and Katherine Rusk
As the COVID-19 outbreak continues, scammers and hackers are taking advantage of the fear and confusion surrounding the current circumstances by posing as reputable news sources or offering information. These malicious actors are using the stress and urgency of the current situation to misappropriate personal information, install malware, and attempt to scam money from consumers. These criminals are the online version of “looters” seeking to take advantage of a societal crisis.
Many businesses have instructed their employees to work from home wherever possible. Being "home alone", dealing with the stress of the overall situation, and receiving a higher number of texts, calls, and emails, puts individuals at a higher risk of accidentally falling victim to a scam.
Below is a list of the common types of scams related to the COVID-19 situation, as well as some tips on what you can do to protect yourself.
The majority of these scams purport to offer some information on the virus, often by promoting a bogus cure, selling counterfeit products, providing an update on impacted individuals in your community, or providing further information on how to prevent its spread.
Impersonation of Official Organizations
Last month, the World Health Organization (WHO) issued a communication warning that criminals pretending to be from the WHO were sending phishing emails. In these emails, recipients are asked to give sensitive information (such as usernames or passwords), click a link, or open an attachment. Similar phishing emails are being sent which purport to be from other government or official entities, such as the Centers for Disease Control and Prevention, the U.S. Food and Drug Administration, or the Canadian Red Cross.
The Winnipeg police sent out a notification on March 16 warning of a phishing email scam in which recipients were told that they were contaminated by the novel coronavirus and were asked for credit card information so that medication could be shipped. Similarly, police in Chatham-Kent, Ontario have warned of fraudulent phone calls from individuals pretending to be doing door-to-door testing for COVID-19 screening in order to gain personal information.
Malicious websites are also proliferating. One group of scammers went so far as to create a malicious "dupe" website, mirroring the legitimate map of COVID-19 cases provided by Johns Hopkins University. The "dupe" website looks like the Johns Hopkins map, but infects the user's computer with malware that can exfiltrate sensitive information. This is not the only such website: Check Point Research estimates that domain name registrations containing the term "coronavirus" have also spiked, and that these domains are 50 percent more likely to be malicious than other domains.
Fake Online Shops and Counterfeit Products
INTERPOL is encouraging individuals to exercise caution when purchasing medical supplies online, as many criminals are either selling counterfeit products or creating fake online “shops”. When a purchase is made, the purchaser's credit card number and personal information are stolen, the scammer receives the money, and the purchaser receives either no product or a counterfeit one.
Requesting Help in the Situation
The Canadian Anti-Fraud Centre (CAFC) has announced that unauthorized or fraudulent charities are requesting money, either to support victims or to research COVID-19. The CAFC recommends verifying that a charity is registered before donating, and not being pressured into any donations. More information on avoiding charity scams is published by the RCMP.
Social Isolation Activities and Fake "Market Opportunities"
Criminals are also taking advantage of individuals being at home and bored, with their guard down. We received the following text message, for example, while this article was being written!
Investment scams are also becoming common. On March 16, the Nova Scotia Securities Commission alerted investors to be wary after an investor received a call from a fraudster pretending to be from a major Canadian bank. The investor was told that their investment plan was collapsing, and they needed to put money into an account to save it.
Similarly, the Victoria Police have warned about fraudsters who are urging investment in "hot new stocks related to the disease", and the New York Times has cautioned about "dubious investments" being marketed to individuals interested in purchasing while the market is low.
What to Do in the Situation
Cybersecurity Best Practices
The normal rules of cybersecurity continue to apply: even though the messages may relate to COVID-19, the end goal of infecting your device with malware, stealing your personal information, or scamming you out of your money is still the same.
The U.S. Cybersecurity and Infrastructure Security Agency and the CAFC recommend individuals take the following precautions:
- Avoid clicking on links. Hovering the cursor over a link can help determine whether it has been spoofed, but many malicious websites can look identical to the legitimate site. Consider whether an entity should be sending you a link in the first place, and whether there is a way to simply navigate there through a search engine instead.
- Be wary of email attachments. Unsolicited emails requesting that the user download and open an attachment are often a vector for malware.
- Be suspicious of unsolicited calls, texts, and emails. If you are unsure if a request is legitimate, verify before responding. Check previous invoices and communications for contact information, instead of trusting what was provided by the potential scammer.
- Be cautious of "urgent". A common approach for scammers is to pretend that something is urgent, and in a pandemic this is even more important to notice. Reputable institutions will not pressure you into making an immediate purchase or providing personal information instantly.
- Use only trusted sources for information. Only get information from trusted government, healthcare, financial, and other verified sources.
- Do not reveal information about your organization. Scammers may call requesting information about your organization's structure, networks, and contacts. Do not reveal that information unless you have verified that the recipient has the authority to know it.
- Do not reveal personal or financial information. Do not respond to emails requesting this information, and do not provide it over the phone if asked. Don't be afraid to say no or to hang up right away.
Most importantly, if it seems too good to be true, it probably is. More information on avoiding scams and protecting yourself is available from the CAFC. If you have any questions about how you or your organization can respond to privacy or data security issues, please contact the Bennett Jones Privacy and Data Protection team.