We are living through the golden age of scams right now, so I’m going to do an ongoing series about coronavirus crimes. First up: My conversation with Grace Brombach, who just wrote a report on scams (PDF) for the U.S. Public Interest Research Group. You can hear my conversation with Brombach by clicking here or pressing play below. Our conversation is summarized below the play button.
Nearly 100,000 scam-ready domains have been registered since the Covid-19 pandemic began. It’s the Super Bowl for digital criminals, the golden age of computer fraud. Why? Because a con artist’s best friend is urgency.
“We are dealing with so much fear and confusion right now,” Brombach tells me. “People are being put in a very difficult situation where they don’t really know what to believe.”
Of particular worry: Homebound computer users are being told to download all kinds of new software and fill out forms full of personal information, doing things that ordinarily they would never do. For example: Employees are working from home, Zooming everywhere. Think about how believable an email might be that appeared to come from an HR department, promising new video conference guidelines or requiring new software installation.
Making matters worse, as cybersecurity expert Harri Hursti has told me, a lot of corporate security software is designed to look for unusual patterns in network traffic — like massive downloads or a surprising number of remote logins. Everything is unusual now.
In addition, there’s also a lot of burden on parents (and grandparents) to help their kids do schoolwork from home. That opens up a big attack vector. Urgent messages claiming to be from schools, including assertions that children have been infected, are particularly insidious.
Brombach says most scams fall into two categories: Sale of false cures; and phishing scams designed to commit ID theft. Some of these emails are incredibly believable. There are email alerts from scammers posing as the CDC or WHO promising Covid alerts. Criminals benefit from trading off the trust big brand names have.
“There was a recent map that came out tracking coronavirus cases … posing from Johns Hopkins and when people would click on the map it would actually download malware onto their computers to steal their personal information,” Brombach said. “It’s all across the board … They really are difficult to identify.”
NOTE: Organizations like WHO or the CDC will not send you unsolicited texts or emails unless you’ve already signed up for them. But given all the talk about contact tracing apps, it’s easy to understand why a consumer might fall for a text message with an alert warning them they’d been near someone who’d tested positive for Covid.
“There’s this misconception that people have of, ‘I would never fall for a scam,’ but some of them are so, so believable, so it’s really important to be on your guard as much as possible,” Brombach warned.
Here are the scams she’s most worried about in the near future:
- Criminals offering help with economic impact payments. In some cases, only an SSN and a birthdate are needed to access government benefits. In other cases, criminals are promising frustrated aid recipients they can help get faster payments.
- Fake Covid testing sites
- Price gouging
- Fake cures and treatments. “It’s so hard for the FDA to keep up with all these claims,” she said. Also, remember that it’s generally legal to sell supplements with broad claims like immune system boosting.