As the shelter-in-place orders to deal with the coronavirus pandemic prolongs, cybercriminals continue to look for new opportunities to take advantage of business owners and the general public.
With all of the recent news regarding a possible funding shortfall of the Paycheck Protection Program “PPP”, the cyber-crooks are upping their fraudulent attempts including phony SBA websites (.com instead of .gov) as well as offering to process your PPP application faster for a small fee.
In addition to the SBA scams, criminals are perpetrating financial and data scams through a myriad of tricks. Current scams are related to:
- The IRS or CARES Act
- The status of your stimulus payment
- Charitable giving sites
- Current updates – statistics and/or heat maps
- Early vaccine/treatment access
- Problems with a bank account or credit card
- Investment opportunities
- Blood donations
Here are a few of the current scams:
Method 1: Masquerading
Cybercriminals are exploiting the necessity for individuals and businesses to deploy new IT resources and methods to conduct work remotely such as VPNs, screen sharing technologies, and remote meeting software. Criminals are developing malicious tools that appear legitimate. Unsuspecting users, in search of a tool to facilitate their needs, instead downloads a malicious VPN agent. It is important to discuss any new IT resources you are considering with a professional who can advise you not only on the best, but the most secure tools.
Also, as your business operations change, cybercriminals are waiting to involve themselves in the process. Man-in-the-middle attacks involve criminals intercepting emails detailing payment instructions and bank account numbers and re-routing them to off-shore bank accounts before forwarding the email to the recipient. The sender and recipient are none the wiser until they discover that the money is gone.
Method 2: Phishing/Vishing/SMishing using COVID-19 themes
Attacks may come in the form of fraudulent emails (phishing), text messages (smishing) or voice calls (vishing). These attacks may take advantage of users by posing as the following:
- The IRS
- The SBA or Funding Bank
- Charitable agencies
- Tech Support
Remember, the IRS will NEVER call, text, or email you for payment or bank account information, nor will other government agencies. Scrutinize every unfamiliar call, text, or email and avoid disclosing your personal information.
Method 3: Fake Mobile Applications
Cyber criminals understand that we regularly download apps to facilitate our daily needs. There have been multiple cases of malicious Android applications claiming to offer information about the virus or to accommodate your business needs in these times of uncertainty. All they really offer is attackers the opportunity to spy on you, steal information, or ransom your data.
Method 4: Malicious and Fraudulent Websites
The Palo Alto Networks threat intelligence team notes that over the past few weeks more than 100,000 websites have been registered containing terms like “COVID,” “virus,” and “corona.” Many of these websites are used to deploy malicious software that can threaten your business operations and data security or trick you into thinking that you are applying for stimulus loans through its interface. Some websites spread false information to create unnecessary action or panic. Such risks can be avoided by using only trusted sources.
Do the following to protect yourself from becoming a victim of a fraudulent attack:
- Use extreme caution when dealing with any email with a subject line, attachment or hyperlink pertaining to COVID-19.
- Be cautious when dealing with an email, text message, social media post, or phone call with a subject line or topic pertaining to a COVID-19 related matter.
- Use only TRUSTED sources, such as known government websites, for updated information on COVID-19.
- NEVER trust a hyperlink in a communication stressing urgency, such as a warning about a severe problem pertaining to financial information—i.e. bank account, credit card or the IRS.
- Verify that the contact information is from a trusted source—for example, the toll-free phone number on the back of your credit card.
- If you visit a website, open it directly from your computer or a previously used App on your SmartPhone instead of from the requesting email.
- Never provide any identifying number over the phone, such as your Social Security number, your Medicare ID number, your driver’s license number or your bank account number.
- If you need to implement new technology or processes for your business or personal life, consult a professional.