COVID-19 Cybercrime and Scams
Over 50 Examples of COVID-19 Scams and How To Avoid Them
Written By: Aliza Vigderman | Published: October 5, 2020
Since the beginning of the COVID-19 pandemic, the Federal Trade Commission (FTC) has seen a huge spike in reported scams, from phishing to misinformation online. From January to September, there have been 211,000 reports overall1.
We’ve researched and collected dozens of examples of COVID-19 scams (provided below) and analyzed the FTC data. Here are the key findings:
- The FTC first saw a spike in reports of COVID-19-related scams on April 24th, 2020. At its peak, the FTC received 1,479 reports of COVID-19 scams in a single day in May.
- The median loss from a scam through September was $300.
- The most common type of COVID-19 scam is online shopping (15 percent of total), followed by travel and vacations (12 percent).
- People lost twice the amount of money with travel and vacation scams compared to online shopping scams, averages of $1,806 compared to $695, respectively.
Table of Contents
Types of COVID-19 Scams
There are a few key types of COVID-19 scams: phishing, malware, misinformation, fake applications, and more. Let’s dive into each so you can protect yourself online.
Phishing has been a common way that hackers obtain users’ usernames and passwords for quite some time, and during the pandemic, we’ve seen new methods of phishing themed with COVID-19. Many hackers impersonate the government or health authorities, enticing victims into providing their personal data and downloading malware. Shockingly, about two-thirds of countries surveyed reported significant numbers of COVID-themed phishing and fraud since the beginning of the pandemic2. Here are the major types of phishing we’ve come across:
- Credential theft: As we said before, phishing is often used to get users’ credentials using social engineering, which often means creating fake websites that emulate real ones, like Gmail. With COVID-19, we’ve seen more usage of urgent language. Additionally, many websites’ URLs will contain words related to COVID, such as corona-virus-business-update. If the user enters their credentials, the hackers can use them to break into accounts and steal their personal information, which could lead to more phishing to their contacts or even identity theft3.
- Malware deployment: Many hackers create COVID-themed emails so that they can have users open attachments or download malicious files, compromising the user’s device.
- SMS: Phishing doesn’t always have to take place over email. Sometimes, hackers use SMS text messages to send users messages about government payouts and rebates, which, given the downfall of the economy, is particularly effective during COVID.
But we don’t just want to tell you about phishing; we also want to show you real-life examples of COVID-19 phishing so you can avoid it.
Email subjects have included:
- CORONAVIRUS (COVID-19) UPDATE // BUSINESS CONTINUITY PLAN ANNOUNCEMENT STARTING MARCH 2020.
- Latest corona-virus updates
- UNICEF COVID-19 TIPS APP
- POEA HEALTH ADVISORY re-2020 Novel Corona Virus.
- WARNING! CORONA VIRUS4
Look out for these email subject lines:
- 2020 Coronavirus Updates,
- Coronavirus Updates,
- 2019-nCov: New confirmed cases in your City, and
- 2019-nCov: Coronavirus outbreak in your city (Emergency).
Just how do you know that your system has been compromised? Well, the Department of Homeland Security has compiled a list of indicators, so if you seen any of the following, you may have clicked on a phishing link:
If you’ve accidentally clicked on a phishing link, try to shut down or contact your account and change your password. But the best defense is a good offense, so here’s how to spot a phishing email for individuals:
- Authority: Criminals will often pretend to be your bank or a government agency, but many of these firms do not contact people directly via emails.
- Scarcity: If the message says that something is in short supply, the FOMO, or Fear of Missing Out, may lure people to respond quicker than normal.
- Emotion: Any message that makes you feel scared or panicked should be suspicious, as hackers play into users’ emotions to deduce their reasoning ability.
- Urgency: If the email says that you have a limited time to respond and will be fined if you don’t, it may be an indicator of phishing.
For organizations and digital security workers, here are a few guidelines to follow:
- Train your employees: No matter how much you personally know about digital security, employees still need to be trained on how to spot phishing emails as well as other technical measures like implementing VPNs or password managers.
- Follow NCSC guidelines: The National Counterintelligence and Security Sensor, part of the U.S Office of the Director of National Intelligence, has several general guidelines on how to protect users from phishing attacks. One, make it hard for attackers to reach users; two, help users identity and report phishing emails; three, implement software that detects phishing emails before they get to users and four, respond to cybersecurity incidents as soon as possible.
- Plan for it: There’s no way around it: some phishing will be successful, no matter how many roadblocks you implement. That being said, it’s wise to plan for these incidents to minimize harm.
Unfortunately, we’ve seen a large increase in phishing, scam and fraud since the beginning of the pandemic. It’s risen 59 percent, according to Interpol, and according to SC magazine, COVID-19 phishing attacks grew from under 5,000 in February to more than 200,000 by the end of April5. Phishing is so common, in fact, that it accounts for over 80 percent of all security incidents reported6. In terms of dollars, people lose $17,700 every minute because of phishing. Hopefully, the above advice can help you avoid becoming a statistic.
Malware is an umbrella category that includes ransomware along with DDoS, Distributed Denial of Service. Hackers typically direct malware at large institutions like hospitals or insurance companies due to their immense financial holdings. Like phishing, there’s been an increase in malware since COVID-19 has ravaged the nation. In the first half of April this year, for example, law enforcement saw an increase in ransomware attacks from groups that had been inactive for the past few months. We’ve also seen a new form of ransomware develop, a process called “double extortion” in which hackers withdraw huge amounts of data and threaten victims with a ransom. If the victims don’t pay the hackers, the hackers threaten to release the data to the public.
According to a study from IoT platform Minim, the top malware variants are as follows:
- Mirai – 1.9 percent
- Gumblar – 2.92 percent
- Ramnit – 3.64 percent
- Matsnu – 5.02 percent
- Necurs – 5.11 percent
- Pizd – 5.71 percent
- Simda – 10.37 percent
- DirCrypt – 13.94 percent
- Suppobox – 17.09 percent
- Banjori – 19.92 percent7
File attachments can also contain ransomware. Look out for the following file attachment names:
- AWARENESS NOTICE ON CORONAVIRUS COVID-19 DOCUMENT_pdf.exe
- Coronavirus COVID-19 upadte.xlsx
- CORONA VIRUS1.uue
- CORONA VIRUS AFFECTED CREW AND VESSEL.xlsm
Hackers also sent several people that work with the Canadian federal government’s healthcare agency malicious emails from firstname.lastname@example.org. Since these people were working on slowing the spread and minimizing the impact of COVID-19, they were targeted specifically with malicious rich text that tried to deliver EDA2, an open-sourced variant of ransomware under the larger HiddenTear family. Some other ransomware examples we’ve found include:
- Emails offering government assistance
- Download links for video chatting and conferencing platforms
- Information about masks, vaccines and other high-demand items like hand sanitizer
- Updates to collaboration solutions and social media apps8
We’ve also come across email subject lines that include “Coronavirus disease” or “COVID19”, as well as several file attachment names such as:
- COVID-19 Supplier Notice/COVID-19 Supplier Notice.jpg.exe
- Corporate advisory CoronaVirus (Covid-19)/Corporate advisory Co.
While malware isn’t quite as common as phishing, it’s still relatively common. 45 percent of home networks, for example, have malware, according to Minim’s research. In contrast, only 13.3 percent of corporate networks had malware, making those working from home three and a half times more likely to have malware present9. That’s a huge issue given the number of people that are working from home during the pandemic.
On top of that, nearly 40 percent of home office networks had a malware event in the past month, and Interpol estimates that malware and ransomware make up 36 percent of cyberattacks during COVID-19. Of those attacks, 94 percent of them came through email, which is why it’s important to double check your email subject lines and file attachment names with the above examples.
Malicious domains are chameleons, showing up in many forms including:
- Fake ebooks: We’ve seen a rise in domains that sell fear-inducing COVID-19 ebooks; many use videos to describe worst-case scenarios, enticing people to order their files.
- Illicit pharmacies: As online shopping has proliferated during the pandemic, so have illicit online pharmacies that sell so-called remedies for COVID-19. Many of these drugs are actually Viagra or other drugs unrelated to COVID-19.
- Fake webshops: Along with medicine, many people are buying hand sanitizers and face masks from fake ecommerce sites, often sold for phony discounts.
- Credit card skimmers: Many of these ecommerce sites use skimmers to steal people’s credit card information.
- Malicious domains: Finally, many criminals have registered domain names that include hot button words like COVID and coronavirus; these sites include malware and phishing. From February to March of this year, there was a 569 percent increase in malicious registrations and a 788 percent increase in high-risk registrations, in fact. Palo Alto Network also reported that over 100,000 domains had been registered with words like “corona”, “covid” and “virus”, so be on the lookout for fraudulent sites.
Just how common are malicious domains, specifically? Different research has yielded different results. Software company Check Point reported that malicious domains made up 22 percent of cyberattacks during COVID, and more than 16,000 new coronavirus-related sites have been registered since January10. Of these domains, over 22,000 are suspicious, about 14 percent, while 93 have been confirmed as malicious11. Overall, these COVID-related domains are 50 percent more likely to be malicious than other domains registered since January12.
Palo Alto Networks, on the other hand, has identified over 116,000 COVID-related domains between January and March; 2,022 were deemed malicious while over 40,000 were deemed high-risk. And from February to March, they saw a 569 percent growth in registrations of malicious domains. Whatever the numbers are, be sure a website is legitimate before clicking on it.
Misinformation, commonly referred to as “fake news”, has been a huge issue since the 2016 presidential election and unfortunately, it’s only become more common since. Interpol defines misinformation as information that’s unverified, not understood, or simply a conspiracy theory. In terms of digital security, misinformation is related to cyberattacks. Almost a third of countries reported that false COVID-19 information has been circulating around the Internet; one country reported nearly 300 postings that contained malware. Interpol has also seen misinformation being used to sell fake healthcare products as well as misinformation used in texts advertising false benefits, free food options, or supermarket discounts. All in all, misinformation accounts for 14 percent of all cyberattacks during COVID.
Palo Alto Networks has founded several Android apps that offer misinformation about COVID-19 while really spying on users, encrypting their devices and holding them for ransom. We recommend sticking to apps found only on the Google Play store, and for iPhone users, be sure to only download apps from the Apple store as opposed to third parties.
All Types of Attacks
Finally, there are a number of attacks that don’t fall so neatly into the above categories.
- Cloud exposure: Given the rise of remote work during the pandemic, more cloud servers are being targeted, as people are relying on cloud storage more and more.
- Infostealers: More pharmaceutical and healthcare companies plus government agencies have received COVID-related spam emails that deliver AgentTesla malware, which steals their information, along with a RedLine Stealer sample at the URL covid-19-gov.com.
- Diversified mobile exploitation: Even if you buy apps in a device’s legitimate app store, like the Google Play or Apple stores, there’s still a chance that they can be malicious. One hacker, for example, distributed malware to more than 75 percent of the work mobile devices from a major international company.
As of the end of March, the FBI’s Internet Crime Complaint Center (IC3) has received over 1,200 complaints related to COVID-1913. As more and more people work remotely, the chances of being cyber attacked only increase. That being said, the Cybersecurity and Infrastructure Security Agency (CISA), which advises the U.S about online risks, has some advice for individuals14:
- Be wary of links and attachments: If you get an email from someone you don’t know, don’t click on any links or attachments.
- Keep private information private: Avoid putting your personally identifiable information, or PII, in emails, and don’t answer emails that request this information in the first place.
- Authenticate charities: Before you donate to charity online, make sure to verify that the charity is legitimate using one of the FTC’S recommend organizations such as GuideStar or CharityWatch15.
- Use trusted sources: The safest place to get information on COVID-19 is through government websites specifically; look for URLs that end in .gov.
It’s important to secure your employees’ personal devices. Here are a few recommendations from the Center for Internet Security16:
- Patching: It’s important to patch systems against known vulnerabilities, especially if you’re part of a large organization.
- Printers: You may not think of it, but be sure that employees’ printers are securely connected to their networks, and that they shred papers that contain their PII.
- Storage: Employees should store sensitive information on encrypted hard drives for laptops, or external hard drives.
- USB devices: Employees shouldn’t use their own USB devices for work purposes; rather, give them secure USB devices that you’ve reviewed yourself.
- Sharing with others: Even for employees working from home, tell them to make sure their devices are only on when in use and when not in use, are locked away.
Their other, more general tips include:
- Secure video conferencing: Work from home has led to a rise in video conferencing apps like Zoom or Microsoft Teams. Make sure your meetings are password-protected with a different password for every meeting.
- Secure employees’ home networks: Just because a network is at an employee’s personal home does not mean it’s secure. Be sure to have your employees turn on automatic updates for their modems and routers (and replace old ones), turn off WPS (Wi-Fi Protected Setup) and UPnp (Universal Plug and Play), turn on the encryption methods WPA2 or WP3, and give their routers or modems passwords for their firewall.
Are you a parent or part of a family? The FBI compiled some do’s and don’ts to keep your family safe, especially as online school begins in September.
- Monitor your children’s activities online, even their schoolwork.
- Search your children’s names to see what’s available online.
- Research breaches related to the edtech vendor so you know of a security breach right away.
- Buy identity theft protection software for your family.
- Join a coalition of parents or information-sharing group for more support and resources.
- Have your children use their exact names when they make profiles. Instead, use initials, avoid putting their exact birthdays as well as posting photos of them.
Hungry for more information on COVID-19 themed cyber attacks? Here’s what we found:
- In general, cyberattacks have increased by 34 percent from March to April17, with 20 percent of these attacks led by cryptominers.
- 78 percent of email attack vectors dominate 22 percent of web attack vectors.
- The most common malicious file type is Excel files, which make up 42 percent of all malicious files, and email, which came in at 26 percent.
- 80 percent of the observed attacks during COVID used vulnerabilities that had been reported and registered in 2017 at the latest, while over 20 percent of the attacks used vulnerabilities that were at least seven years old.
- By 2021, it’s estimated that cybercrime will hit an annual profit of $6 trillion18.
- 60 percent of breaches had vulnerabilities where patches were available but not applied19.
- 63 percent of companies believe that their data was compromised within the past year due to breaches at the hardware or silicon levels.
- On average, data breaches cost enterprises $3.92 million.
That’s a lot of money. So what are the top causes of data breaches, anyway? Well, according to the Cyber Observer, they are as follows:
- Weak passwords
- Social engineering
- Too many permissions enabled
- Insider threats
- Backdoors and vulnerabilities in applications
- Improperly configured device and user errors.
Compared to individuals, organizations are particularly vulnerable to cyberattacks, as they hold the information of all their customers and employees. During the pandemic, we’ve seen a number of large organizations attacked. The hotel chain Marriott, for example, had a data breach that exposed the data of over five million customers, while car manufacturer Honda had to shut down their worldwide operations after a ransomware attack20. Even the World Health Organization (WHO) wasn’t immune to cyberattacks, no pun intended. During the last week of April, about 450 WHO email addresses and passwords were leaked, many of them belonging to people who worked on COVID-19 relief efforts21. All in all, WHO’s cyberattacks have increased by 500 percent, a troubling number. Equally troubling, by the end of 2021, researchers at the Massachusetts Institute of Technology estimate that cybercrime will cost the world $6 trillion a year. And by August 2020 alone, the FTC estimates that they received more than 172,000 fraud reports related to COVID-19 specifically, which cost Americans $114.4 million in total.
What To Do If You Believe You’re Being Scammed?
If you’ve fallen victim to a COVID-19 scam, the important thing is not to panic. With a few quick steps, you can take back control, while providing key government agencies with the information they need to prevent it from happening to others.
- Contact the Office of the Inspector General: Report the scam to the Office of the Inspector General hotline either by calling 800-447-8488 or by going on their website22.
- Contact law enforcement and the FCC: File complaints with your local police department as well as the Federal Communications Commission (FTC) at fcc.gov/complaints23.
- Report it to the Better Business Bureau and the FTC: To report a scam to the BBB, go their online scam tracker24. With the FTC, go to ftc.gov/complaint.
- Place a fraud alert on your credit report: If you put a fraud alert on your credit report, you’ll be alerted of any changes. This alert lasts for 90 days, but you can extend it to up to seven years. However, note that you’ll need to deal with the three major credit-reporting bureaus, Experian, Transunion and Equifax, separately25.
- Contact your bank: If you’ve lost money, it’s important to report the scam to your bank so they can stop the transaction or even close your account.
- Change your passwords: Create long, new and complicated passwords for all of your accounts, especially the ones that have been compromised. To do so, we recommend using a password manager.
- Talk to someone: Scams can be emotionally taxing, so don’t be afraid to talk to a counselor if need be26.
Have Evidence of a COVID-19 Scam? Email Us!
Along with the FTC, Security.org is collecting national information on COVID-related scams. If you’ve been the victim of a COVID-19 scam, report it to our tracker below or email us directly. Information is power, and the more we know about how COVID-19 scams work, the safer we’ll be online.
Need additional insights for a story?
Send our research team an email