Scammers continue to take advantage of the COVID-19 pandemic, using different models and increasingly sophisticated tactics, creating challenges in both fraud detection and prevention. Now is the time to ensure the public stays informed and alert, not only to the risks of the virus but also to ensure they don't become victims of fraud themselves.
In April, the National Cyber Security Centre, part of the GCHQ intelligence agency, launched a new suspicious email reporting service, as scams linked to COVID-19 escalated.
This allows the public to forward likely scam emails (to email@example.com), with the service removing or blocking criminal sites. In May, NCSC said that in the two weeks since the launch, people in the UK had flagged over 160,000 dubious emails and as a result, more than 300 fraudulent websites had been taken down.
Meanwhile, research from ProPrivacy (in partnership with VirusTotal and WHOIS XML) found that around 1,200 COVID-19 domains are being registered daily and that some 25% are either malicious or suspicious and Citizens Advice has said its research showed that one in three people had been targeted by scammers since the lockdown began.
Types of scam
Scammers have shown they are quick to react to changing situations, with their scams including:
- Initially, a raft of fake online shops purporting to sell items that were in short supply such as face masks and hand sanitiser and now increasingly, for coronavirus test kits
- A move to phoney sites claiming to offer access to government relief schemes and welfare benefits
- Numerous phishing sites seeking personal information, which typically have tips on avoiding being infected with COVID-19. These may claim to have details on company employees or students and encourage victims to enter their details to see such names
- Sites that seek ‘money mules’ – these may state that people are being sought to ‘process’ donations for a COVID-19 relief fund, with a payment made in return for this. However, this is a cover for money laundering.
Track and trace provides opportunities
Criminals are now also trying to take advantage of the NHS test and trace service. It is reported that scammers are making fake calls and sending bogus emails and text messages.
The legitimate NHS service also uses these three channels to contact people, but never asks for any payment or bank details. The warning about these activities came from the Local Government Association, which said councils had been told that fraudsters were telling people they were part of the test and trace service and asking for bank card details to pay for a COVID-19 home testing kit, even though the kits are free of charge.
There are reports too that some criminals have been calling at homes pretending to be NHS contact tracers, and offering to carry out virus tests, in bids to gain access and steal goods. Fraud prevention service Cifas said people have to stay vigilant and be aware that this was not something the genuine service offered, adding that the NHS would never ask for bank details or payments should a call be made or ask people to set up a password or PIN number over the phone. Further, they would not ask anyone to call them back on a premium rate number, such as those starting with 09 or 087.
Hacking via Bluetooth
Cifas also said because many continue to work from home, that criminals are also trying to hack devices using Bluetooth so they can gather data with the aim of sending spam or bugging devices. It warned people to avoid using Bluetooth to communicate information such as passwords and sensitive documents and to encrypt before making transfers. Users should only leave Bluetooth in ‘discoverable’
mode if pairing with their device, and remember to turn it off when not being used. As Nick Downing, chief intelligence officer for Cifas, commented:
“Months after lockdown started, we still see criminals targeting homeworkers and preying on people’s fear and anxieties over coronavirus. Fraudsters are continually changing their tactics, and so people need to stay alert and always be cautious when buying products online or responding to unsolicited emails and texts.
If risk managers learn one lesson from COVID-19, it’s that business resiliency needs to be top of mind if their organisations are to withstand the pressure of events to come. Take a look at the new Recovery@Riskonnect resource hub which offers tools to help you rebuild in the wake of the pandemic and prepare for the future: