While small businesses and large corporations have always been the targets of scams, the coronavirus crisis has created a surge in fraud attempts. Cybercriminals are offering false hope, fake solutions, and phony charities in an attempt to take advantage of current vulnerabilities.
In just the first 9 days of April, coronavirus scams cost people more than $7 million. Attorney General Barr said, “The pandemic is dangerous enough without wrongdoers seeking to profit from public panic and this sort of conduct cannot be tolerated.”
In order to protect your business from these kinds of losses, you need to be able to recognize scams—as they relate to coronavirus and otherwise.
Types of coronavirus business scams
We’ve all had to adjust to the new normal, and cybercriminals are no different. With many companies switching to remote work, finding new ways to gain access to corporate computer systems and critical financial data has become a top priority for these fraudsters.
The Federal Trade Commission (FTC), FBI, Department of Justice, WHO, and other organizations have warned businesses against the following kinds of coronavirus scams:
1. Phishing scams
Phishing emails have always been a popular outlet for cybercriminals, but the vulnerability of the coronavirus crisis has caused a huge uptick in these kinds of scams. Eric Howes of KnowBe4 explains that “When people are distracted, concerned, and extremely motivated to get information, you can’t count on them to notice things they might have in calmer times.”
In fact, the click rate on these phishing emails has risen from less than 5 percent to over 40 percent in the current crisis (according to Karl Sigler, senior security research manager of SpiderLabs at Trustwave).
The thing is, phishing emails haven’t changed that much in structure—Consumer Reports calls the ploys “depressingly familiar”—but businesses and employees are increasingly vulnerable right now.
Phishing scams consist of any email or text message that tries to trick you into giving away personal information. These fraudulent communications may prompt recipients to click links, download software, open an attachment, or enter personal information through an email form. Any of these actions may result in accidental malware downloads, data lock-outs, compromised login credentials, or exposed financial information.
In the current environment, the FTC warns businesses to be wary of scammers pretending to be CDC, WHO, or other authoritative sources.
How to protect your business from phishing attacks
- Double check sender addresses: Check if the email address looks suspicious or contains misspellings. Watch out for senders posing as “CDC” or “WHO.”
- Be wary of COVID-19 subject lines: The same goes for other call-outs capitalizing on current business concerns. If it sounds too good to be true, it probably is.
- Don’t click on links: If skeptical, hover over the link to see where it will actually send you.
- Don’t open attachments: These could distribute malware.
- Don’t reveal login credentials: They can be used to commit financial fraud or impersonate a legitimate user.
2. Business email scams
Similar to phishing emails, business email compromise frauds (or BECs) often appear to be legitimate requests for private information. BECs may attempt to replicate messages from CEOs by spoofing the boss’ email address or including an accurate phone number.
Employees should be cautious of emergency requests, like expedited orders, rescheduled transfers, or payment refunds. While these kinds of last-minute requests may have raised an eyebrow in different circumstances, in the current crisis, these asks may not seem as abnormal. Evaluate them carefully.
BECs may also include invoices for bogus medical supplies or donations to a fake charity. However, like phishing emails, they often deal with sensitive financial information.
One recent example of BEC fraud requested that a pre-approved wire transfer be moved up “due to the Coronavirus outbreak and quarantine processes and precautions.” An employee might see that the amount matched an upcoming transfer in their records and not think twice.
Be careful with any request for last-minute changes or emails that solicit financial information.
How to protect your business from BEC fraud
- Be skeptical of urgency: Last-minute changes and unexplained urgency should be red flags.
- Verify with existing contacts: Use contact information you already have to reach out to requesting clients. Use in-house channels to verify requests from other employees.
- Double check sender addresses: Again, look for misspellings, unofficial domains, or first-time contacts.
- Contact your financial institution immediately: Especially if emails contain sensitive monetary data that third parties should not have access to.
3. Robocall scams
Any time you answer the phone to hear a recorded message, it’s a robocall. Most robocalls are illegal, and many are scams.
In March, the FTC noted a huge uptick in robocalls, especially those related to the coronavirus. These communications ranged from announcements about fake COVID-19 tests to job offers in the health industry.
While you may think of robocalls as scams targeted towards consumers, small businesses are not immune. In fact, a recent example recording shared by the FTC urged small business owners to “press 1 to ensure your Google listing is displaying properly during this coronavirus outbreak.”
How to protect your business from robocall scams
- Just hang up: It’s that simple. Don’t press any numbers. Don’t speak. Just hang up the phone.
4. Public health scams
Unfortunately, a global crisis related to public health is bound to incite some illegal activity in that arena. Scammers may reach out via phone, email, text, advertisement, social media, or otherwise with claims of miracle cures, at-home treatments, and more.
As governments are working hard to increase testing facilities and community resources, individuals may find themselves more susceptible to these kinds of claims—especially those that falsely appear to come from reputable sources like the CDC or WHO.
How to protect your business from public health scams
- Don’t engage with unsolicited emails: Even if the sender appears official, don’t click or download anything from an email that you did not solicit.
- Ignore offers for vaccinations, test kits, etc.: Anything related to treatment or prevention is likely a scam. These are areas of real fear right now, so keep your emotions in check. Don’t buy from or promote these offers.
- Look to the FDA: If you find yourself wanting to trust the offered resources, verify all claims with the FDA first: especially when it comes to approved vaccines, drugs, or investigational products.
5. Fake charity scams
The U.S. Department of Justice announced an increase in “social media scams and telephone calls fraudulently seeking donations for illegitimate or non-existent charitable organizations.” These scams often ask you to enter your bank information, click on a link, or download a file.
Fake charities will likely use similar organization names and the same tools that authentic charities use for websites, donations, etc. While there’s no shame in finding ways for your business to help out, be sure you do your research.
How to protect your business from fake charity scams
- Verify the charity: Check out the website and see how long it’s been around. You can also use resources such as Charity Navigator, CharityWatch, and BBB’s Wise Giving Alliance to double check the charity’s validity.
- Don’t trust limited donation options: Real charities will almost always accept credit card donations. Fake charities may have strange requirements like donation due dates or gift card donations only.
6. I.T. and data scams
Hackers are aware that current conditions may make it easier to access corporate networks. Because your employees are working at home now, it’s even more important to educate them on cybersecurity.
Some scammers may attempt BEC fraud, except rather than sending a fake email from the CEO, the email will come from an alleged member of the IT department. These scams may prompt recipients to download “new software” or take advantage of “new tools” like teleconferencing. These requests may seem legitimate to employees who have been getting similar requests as they’ve been setting up work-from-home.
Even the ever-popular Zoom has become the target of scrutiny, due to issues with data security in video calls.
How to protect your business from I.T. scams
- Maintain security when working from home: Train employees on best practices and consider paying for stronger antivirus protection or security tools.
- Use passwords for Zoom calls: If you’re discussing confidential information in a virtual meeting, requiring a Zoom password is one of the easiest ways to protect from infiltration.
7. Supply scams
At a time when demand is high and many businesses are competing for the same supplies, it’s important to be watchful for supply scams. These rip-offs are targeting business executives and teams who are trying to procure PPE from non-traditional suppliers.
Websites may mimic the look of online retailers and go as far as having you put in an order—complete with credit card information. They may also reach out with pitches for health equipment or services to help employees work from home.
Furthermore, the scarcity panic related to supplies like toilet paper and hand sanitizer led to many hoarding and price gouging scams. Of such behavior, Attorney General Barr said, “we will aggressively pursue bad actors who amass critical supplies either far beyond what they could use or for the purpose of profiteering. Scarce medical supplies need to be going to hospitals for immediate use in care, not to warehouses for later overcharging.”
How to protect your business from supply scams
- Use trusted websites: Rather than click on a link from a suspicious email, go directly to URLs that you know to be genuine when ordering supplies.
- Report price gougers: If you come across bad actors attempting to take advantage of your business, report them to the National Center for Disaster Fraud (Hotline: 866-720-5721 or [email protected]).
8. Other consumer scams
In addition to these popular business scams, employees may fall prey to consumer scams that can similarly damage your business. A few other coronavirus scams to be aware of:
- Bad app downloads: Smartphone apps or websites that claim to be associated with CARES Act or COVID-19 data sets (like this legitimate-looking map that spread malware). Don’t download anything that feels suspicious.
- Bank fraud: Many U.S. banks have issued warnings to their customers to be aware of fraud attempts. Verify any communication that comes from your bank before sharing sensitive data and activate two-factor authentication if you can.
- Government stimulus scams: Individuals and businesses have been anxiously awaiting stimulus checks and loan funds. Don’t trust out-of-the-blue calls about more money available or refunds. Don’t provide any personal or financial information either.
- Cryptocurrency scams: The FBI warned against an increase in cryptocurrency scams including blackmail, work from home scams, and other digital investments.
- Online safety at home: With most schools cancelled for the academic year and children engaging in virtual learning from home, it’s even more important to teach internet safety to family members.
How to protect yourself from coronavirus scammers
Scammers are getting more sophisticated and a global pandemic creates the perfect testing ground for panic-driven engagement with scams.
While we outlined specific steps you can take to avoid falling victim to different types of coronavirus business scams, this general advice should help you in any circumstance:
- Don’t click on links or attachments
- Research links and websites
- Never share financial information over email
- Use strong passwords
- Keep devices, browsers, and security software up-to-date
- Report scams to the FTC
Do not engage
When in doubt, do not engage. If scammers can get you to perform an action as simple as a mouse-click, they have succeeded.
If something feels off, just ignore it. If you see an email address or subject line that you don’t recognize, just delete the email before even opening it.
Never click a link or attachment from unknown emails. These are likely to contain malware.
Don’t respond to texts or emails from unknown numbers, even if they are about something as important to you as stimulus funding or personal health.
Be aware that phone calls and letters are also being used. Evaluate every message carefully.
Now is the time to assume correspondence is phony unless you can prove otherwise. In the words of Andy Grove, former Intel chairman and CEO, “Only the paranoid survive.”
Do your research
If you must engage with a potentially fraudulent message, do your homework first.
Carefully examine the link or attachment. Try hovering your mouse over the link to see if it actually leads where it says it leads. Misspellings in URLs are a good tip-off. Even if the URL contains https, that doesn’t mean it’s legitimate. Google around to see if anyone else has been scammed by this company.
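The hover check and the misspelled-URL check described above can be automated for HTML emails. The sketch below is an added example, not code from this article: the `TRUSTED` list, the bank domain, the sample body, and all function names are constructed for illustration.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlsplit
TRUSTED = ("cdc.gov", "who.int", "northwind-bank.example")  # assumed allowlist

class LinkCollector(HTMLParser):  # gathers [href, visible text] per <a> tag
    def __init__(self):
        super().__init__()
        self.links, self.in_a = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self.in_a = True
    def handle_data(self, data):
        if self.in_a:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self.in_a = self.in_a and tag != "a"

def host_of(value):  # hostname of a URL or URL-like text, "" if unparseable
    value = value.strip()
    try:
        return (urlsplit(value if "://" in value else "//" + value).hostname or "").lower()
    except ValueError:
        return ""
def is_under(host, domain):  # host is the domain itself or one of its subdomains
    return host == domain or host.endswith("." + domain)

def lookalike(host):  # trusted domain that an untrusted host imitates, else None
    for d in TRUSTED:
        tail = ".".join(host.split(".")[-(d.count(".") + 1):])
        if d in host or SequenceMatcher(None, tail, d).ratio() >= 0.8:
            return None if any(is_under(host, t) for t in TRUSTED) else d
    return None

def check_links(html_body):  # returns (href, reason) pairs worth a second look
    parser, findings = LinkCollector(), []
    parser.feed(html_body)
    for href, text in parser.links:
        target = host_of(href)  # scheme ignored: https says nothing about the owner
        shown = host_of(text) if "." in text and " " not in text.strip() else ""
        if shown and not (is_under(target, shown) or is_under(shown, target)):
            findings.append((href, f"text shows {shown}, link goes to {target}"))
        if imitated := lookalike(target):
            findings.append((href, f"{target} imitates {imitated}"))
    return findings

SAMPLE = """<a href="https://www.cdc.gov/coronavirus">CDC guidance</a>
<a href="https://cdc.gov.covid-update.example/login">www.cdc.gov</a>
<a href="https://northwlnd-bank.example/verify">Sign in</a>"""  # constructed
```

Calling `check_links(SAMPLE)` leaves the genuine link alone and flags the other two; the 0.8 similarity threshold is a starting point to tune against your own mail.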
When it comes to social media engagement or contact from authorities or charities, question any source that you don’t normally work with.
Guard your financial information
Odds are, cyber criminals are after your financial information. If a suspicious request calls out your personal or business data specifically—like social security numbers, tax IDs, or bank credentials—this is a major red flag.
If your financial institutions need renewed access to this kind of data, they will request it through a secured site or portal. Emails are just not secure. Never share account numbers, credit card numbers, wire transfer or transaction details via email.
Follow cyber security best practices
Especially in your work, follow best practices for online security. Use the security tools that your company provides and make sure you keep them up-to-date.
Don’t reuse passwords—most internet browsers or password managers will automatically suggest strong passwords for you to use. Take advantage of this.
Turn on auto updates for computer and smartphone software. Make sure that your browser is up-to-date. Install an antivirus program and keep it current. Consider using a website reputation rating tool that gives you a heads up if you’re about to enter a sketchy site.
Report scams and fraud
When you come across scammers and fraudsters, you have every right to turn them in. If you’re wondering where to report scams, you can start at FTC’s Complaint Assistant that breaks down common scam categories (like rip-offs, online shopping, robocalls, and credit card scams).
If needed, you can also contact local enforcement, justice departments, or use business attorneys to send cease and desist letters or take further action.
Beware of internal fraud as well
As you consider external sources of fraudulence, don’t forget the people inside your own company. It’s easy to think that it could never happen to you, but the economic pressures of a financial downturn create motives for employees that didn’t previously exist.
In fact, Bruce Dorris, the CEO of the Association of Certified Fraud Examiners (ACFE), recently published a press release entitled “[The] Coronavirus Pandemic is a Perfect Storm for Fraud.” After the 2008 recession, the ACFE saw an observable increase in the amount of occupational fraud committed.
Dorris states, “I can confidently say that now is the time for organizations to be bolstering their internal controls, not cutting them.” Businesses should perform more surprise audits, and monitor their data more closely. While companies are looking for ways to cut costs, he urges them not to cut back on compliance or auditing departments.
Your employees may feel pressure to falsify financials, especially if they know the company is struggling or if they are experiencing personal financial pressures themselves.
Keep your company safe
Be aware of what scams may be going on internally and externally and don’t hesitate to take necessary action to protect your company from these risks.
Just remember, no company is immune. As John Bullough, Senior Security Engineer at Divvy, explains, “There are always people that will take advantage of any situation. It’s okay to be suspicious, especially about current news like COVID-19. Fraudsters take advantage of news coverage to get people to do things they normally wouldn’t.”