With all of the headlines and news alerts surrounding the global pandemic and its economic implications, information security might not be top of mind for you or your clients right now. Scammers are counting on that. They’re hoping to exploit the health care crisis for their own commercial gain—preying on victims with scams targeted to the coronavirus and COVID-19.
What can you do to mitigate the risk that you or your clients will fall prey to one of the coronavirus scams? Education is the best defense against information security threats. The attacks from thieves and scammers are becoming more aggressive and sophisticated. By keeping abreast of the latest scams, you’ll be well prepared to avoid them.
Phishing Scams: Don’t Open That!
Phishing attacks are on the rise. They’re designed to take advantage of current events, such as health scares or economic concerns, so you and your clients should be especially vigilant about this scam right now. Fraudsters use phishing to gain access to personal information, such as bank account numbers, credit card information, usernames and passwords, and social security numbers. The fake emails or text messages appear to be sent from a known sender or trusted organization. If you aren’t careful, it’s far too easy to click on a malicious link or open an attachment that plants malware on your device.
Here are some red flags to watch out for:
Fake emails that look legitimate. One of the most deceptive coronavirus-related scams has been fake emails that look like they’re from the World Health Organization (WHO) or Centers for Disease Control and Prevention (CDC). At first glance, these emails look legitimate (see example below). Some even include “safety measures” and feature the WHO or CDC logo.
What gives them away as phishing scams? Typically, these messages:
- Contain spelling and/or grammatical errors
- Request your email address and password
- Ask for a donation (sometimes via bitcoin)
- Include instructions to click on suspicious links or open attachments
Text or phone messages about coronavirus tests. Another scam making the rounds is a text or phone message claiming the recipient has come into contact with someone who has tested positive for or shown symptoms of COVID-19. If you receive a text message like the one below, delete it and block the number. Do not click the link. Doing so is likely to provide the scammer with a gateway to your personal information.
In fact, the best practice is never to click a link from an unknown source, or in an email or text you weren’t expecting, because scammers generally use these links to download malware onto your devices.
Social Engineering: Separating Fact from Fraud
Scammers’ major goal is to trick victims into providing their personal information, which can be used to commit fraud. In times of uncertainty like these, many people may feel vulnerable and not have their guard up. Thieves are ready to exploit these emotions, trying to blur the line between fact and fraud. Be on the alert for:
Phony phone calls. You or your clients may receive a call claiming to be from the IRS or another government agency. The caller might ask for bank account information or a social security number so that a stimulus check can be deposited. Tell your clients that, if this happens, they should hang up immediately. The IRS will not contact anyone by phone, email, text message, or social media regarding stimulus payments. For information on coronavirus tax relief, everyone should go straight to the IRS website.
Charity scams. It’s natural to want to help others in times of crisis. Unfortunately, scammers have figured out ways to exploit this generosity. Using names similar to those of real charities, scammers will often try to rush you into making a donation—preferably using methods that are difficult to trace (e.g., cash, wire transfer, or gift card). To ensure that your money is going exactly where you want it to go, do your research! Also, keep in mind that the safest options for making donations are credit card and check. Review the Federal Trade Commission’s page on charity scams for more information.
Best Practices for Every Situation
It’s true that the number of scams hitting the headlines seems to multiply by the day. But here’s some good news: there are some common information security best practices to employ that will help you mitigate the risks, no matter the situation:
- From your bank account to your home Wi-Fi, use a strong, unique password or, ideally, a passphrase, which is easier to remember but difficult for fraudsters to crack.
- If you think an account has been compromised, change your passwords immediately.
- Use multifactor authentication (i.e., requiring a second form of identification after entering your password) wherever possible, as this adds an extra layer of security.
- Do not use the same password on multiple accounts. If you do, the likelihood of your accounts becoming compromised increases.
- Use trusted sources for up-to-date, fact-based information. Here are just a few that we recommend:
- Avoid clicking on any links or opening attachments in an email or text, especially those coming from an unexpected or unknown source.
- If something is too good to be true, it likely is. Verify, verify, and then verify again.
- If you believe you have fallen victim to a scam, visit the Federal Trade Commission website for help and to report the scam.
Stay in the Know
When it comes to the latest coronavirus scams, being aware of the warning signs is half the battle. By knowing what to look for—and what to do if you suspect you’ve fallen victim—you and your clients will be well positioned to protect the security of your information.
Have you noticed an uptick in phishing scams? What were the red flags that tipped you off to a fraudulent message? Please share your insights in the comments box!