COVID-19 Scams

The current outbreak of COVID-19 has created a perfect storm for scammers to monetise through fear, false promises and fraud. Since the beginning of March 2020, more than 13,000 new domains have been registered using the terms “corona”, “covid”, “epidemic”, “pandemic“ and “Wuhan”.

While some of these domains are legitimate – and some still point to parking pages – it is fair to assume that many are to be used for malicious purposes. In general, newly registered domains should be approached with caution and, under the current circumstances, we should be even more vigilant.

We have started to receive reports of:

  • Phishing emails and phone calls impersonating entities. These include the World Health Organisation, government authorities, individuals who have contracted coronavirus, and legitimate businesses such as travel agents and telecommunications companies;
  • People receiving false information about the coronavirus; this being sent by SMS, social media and/or email;
  • Products claiming to be a vaccine or cure for the coronavirus;
  • Investment scams claiming coronavirus has created opportunities.

Unfortunately, those who are scamming individuals are using the current situation to take advantage of people, many of whom may be more vulnerable to their nefarious efforts than usual during these uncertain times. A handful of government agencies and other groups are stepping in to try to put a stop to this however, there are still some steps you can take to avoid getting duped.

You Can't Buy a COVID-19 "Cure"

Many of the COVID-19 scams going around involve attempts by companies and individuals to sell products that they claim are a prevention or cure for coronavirus, which has already killed over 100 people in the United States alone. Scammers are peddling fake remedies ranging from colloidal silver to cow manure. But the novel coronavirus is exactly that, new and evolving, and there is no known cure as of yet. However, vaccine trials are currently underway, but any scalable results are months away at best and when the vaccine is available, thanks to the NHS there won’t be a charge for it or any requirement to provide any sensitive personal information to receive it.

Watch Out for Scam Emails and Texts

Phishing schemes, in which a scammer sends an email or text in order to trick you into handing over your information, have gotten pretty sophisticated in recent years, and may often include elements such as official imagery or email addresses that look similar to email addresses used by official businesses; likewise, phone calls and texts from scammers pretending to be official businesses may include information such as your name or phone number to try to convince you that they’re real.

To spot COVID-19 email and text scams, look out for generic greetings (such as “Hello, Sir/Madam”), requests for confirmation of personal information, or emails related to updating your billing details. This can help you judge whether or not an email from a company is legitimate. If a messages’ language appears urgent, as though it’s attempting to pressure you into providing your sensitive information to avert some sort of data disaster, it could very well be fake. If you receive a suspicious email from a particular company, a friend or even your employer, contact them separately via phone or googling their website to verify the message before replying or otherwise acting on it. As shown below, SMS messages can be spoofed to appear to originate from legitimate sources.

Secure Your Online Identity Now

As with all phishing scams, defending yourself from COVID-19 scams involves a combination of prep work and a little scepticism; if it looks too good to be real it isn’t. There is a saying that it’s only paranoia if they are not out to get you, however the reality is that there is a whole, almost business level organised sub-culture dedicated to scamming that is out to get you. To scammers, you, your personal information and your accounts are seen as a revenue stream with no thought of the impact they are having to the most vulnerable of individuals.

It's good practice that if you suspect your login credentials have been compromised to change your password, do not use the same password for multiple services. This is something that we know we shouldn’t do but are all guilty of to some extent. If one service is compromised then all accounts using the same password have the potential to be compromised, very often the username/password combination found will then be tried on multiple services by an attacker in the hope that the same username/password combination will be used for multiple services and therefore, we would strongly recommend utilising a password manager to help manage your passwords. There are many well known password manager tools available online, in the app store or playstore, many of which are free.

The bottom line is that if you suspect your accounts have been compromised change your password immediately, contact your account provider immediately and let them know, they are there to help you first and foremost.

Where and Whenever Possible, Use Multi-Factor Authentication

Multi-factor authentication is a combination of two of the following factors used for logging onto a service:

  • Something you know (password)
  • Something you have (phone)
  • Something you are (fingerprint)

Something you know is your password, so multi-factor authentication always starts there. Rather than let you in to your account once your password is entered however, two-factor authentication requires a second layer of authentication.

So that’s where factors 2 and 3 come into play. Something you have is your phone or another device, while something you are, is your face, irises, or fingerprints. If you can't provide authentication beyond the password alone, you won't be allowed into the service you're trying to log into. This adds a level of complexity to the authentication process, and whilst it may be possible to compromise your password, compromising the second and third factors is going to be Harder without you being aware or something.

In reality, it's not that much of a jump as most of us who use online banking have been complying with two factor authentication for years.

Basic Rules

So what are the basic rules to prevent scams or your sensitive information being compromised? Whilst there is no fool proof method of protection, the following basic rules will help minimise the risk.

1. Do not respond to any calls or texts from unknown numbers, or any others that appear suspicious/that you are not aware of.

2. Never share your personal or financial information via email, text messages, social media or over the phone. If your bank calls, ask for an extension number and name so you can call them back. Check that the provided number matches what you know.

3. Be cautious if you’re being pressured to share any information or make a payment immediately.
Scammers often spoof phone numbers to trick you into answering or responding. Remember that government agencies or financial institutions will never call you to ask for personal information or money.

4. Do not click any links you receive via a text message. If a friend sends you a text with a suspicious link that seems out of character, call them to make sure they weren't hacked.

5. Always check on a charity (for example, by calling or looking at its actual website) before donating.

6. Use trusted sources such as legitimate, government websites for up-to-date, fact-based information about COVID-19.

7. Don’t let anyone pressure you into taking quick decisions. Take your time and consider who you are dealing with.