Coronavirus (COVID-19) Fraud: What to Look For and How to Protect Yourself

Categories : Coronavirus

Types : Alerts

Unfortunately, times of natural disaster and national crisis breed fraudulent schemes that prey upon the fear and vulnerability of others. The current coronavirus pandemic is no exception. Over the past few weeks, cybersecurity experts and federal agencies such as the Department of Justice (“DOJ”), the Federal Bureau of Investigation (“FBI”), the Federal Trade Commission (“FTC”), the Securities and Exchange Commission (“SEC”), and the U.S. Postal Inspection Service (“USPIS”) have issued warnings to Americans regarding phishing scams and other coronavirus-related fraudulent schemes designed to shutter computer networks and fleece individuals of their resources by stealing personal data such as credit card numbers, bank account information, and social security numbers. One cybersecurity researcher reported that between March 14^th and 18^th, hackers created more than 3,600 new domains containing the term “coronavirus” and it appears that cybercriminals show no signs of slowing down as more and more of us are relegated to working and interacting nearly exclusively through electronic means.

What Does Coronavirus-Related Fraud Look Like?

Like with ordinary phishing scams, scammers send emails or text messages claiming to be from legitimate organizations offering important information or the opportunity to buy a desired product. These messages instruct recipients to open an attachment or click on a link to see data about the coronavirus, read about a “new vaccine”, purchase “virus test kits”, or donate to “charitable organizations”. These messages may appear on their face to be legitimate, but in reality, clicking on the attachment or link can result in malicious software (“malware”) being downloaded onto your device, allowing cybercriminals to take control of your computer, crash your company’s network, or access your personal information and financial data.

For example, phishing emails designed to appear as if they are from the Centers for Disease Control (“CDC”) or the World Health Organization (“WHO”) have been sent with links claiming to list coronavirus cases in the recipient’s area. Similarly, scammers are sending text messages with a link purporting to give access for people to claim emergency money for groceries due to the coronavirus outbreak. Cybercriminals have developed phony “coronavirus tracker apps” targeting Android phones. If downloaded, these apps install ransomware that lock users’ devices. Likewise, fraudsters are targeting corporate email accounts by posing as the Human Resources Department and instructing users to click on a link to read the company’s new “Communicable Disease Management Policy”.  In reality, clicking the link could lead to the shutdown of the company’s entire computer network.

Schemers are also taking advantage of the coronavirus pandemic to lure investors into financial scams. The SEC warns investors that fraudsters are using “internet promotions, including on social media, claiming that the products or services of publicly-traded companies can prevent, detect, or cure coronavirus and that the stock of these companies will dramatically increase in value as a result.”  In these “pump-and-dump” schemes, scammers “pump”, or increase, the stock price of a company by spreading positive, but false, rumors causing investors to purchase the stock. Then, they quickly “dump” their own shares before the hype ends, and after they profit from their sales, the stock price drops and the remaining investors lose money. The SEC warns that “microcap stocks”—low-priced stocks issued by the smallest companies—are particularly vulnerable to fraudulent investment schemes.

Cyber Crime Laws and the Federal Government’s Response

These types of schemes violate federal law and the participants in these schemes can be prosecuted and subjected to significant penalties. Individuals who engage in phishing schemes by sending fraudulent emails to obtain bank account numbers and passwords can be prosecuted for Access Device Fraud, in violation of 18 U.S.C. § 1029, which is punishable by up to 15 years in prison. Hackers who gain access to computers and send commands that delete files, shut computer systems down, or install malware on these computer systems can be prosecuted for Damaging a Computer or Information, 18 U.S.C. § 1030(a)(5), which is punishable by up to 10 years’ imprisonment. Victims of such acts also have a right to sue the perpetrators in court to recover any monetary damages they have sustained under the Computer Fraud and Abuse Act, 18 U.S.C. §§ 1030, et seq. Individuals who send large amounts of unsolicited commercial email, or spam, in which they take steps to hide their identity from recipients, ISPs, or law enforcement, can be prosecuted under the CAN SPAM Act, 18 U.S.C. § 1037, which carries a maximum term of three years’ imprisonment. Finally, virtually any of these internet coronavirus schemes can be prosecuted as Wire Fraud, in violation of 18 U.S.C. § 1343, which carries a maximum penalty of up to 20 years’ imprisonment.

United States Attorneys across the country, including William M. McSwain, the U.S. Attorney for the Eastern District of Pennsylvania, and Scott Brady, the U.S. Attorney for the Western District of Pennsylvania, have warned that “fraudsters and hackers should pay particular attention, as [their] Office[s] will not tolerate any shameful exploitation of the virus to turn an illegal profit.” Likewise, federal agencies are working to prevent and detect coronavirus-related fraud. Recently, the FTC and FDA issued joint warning letters to seven sellers of unapproved and misbranded products unlawfully purporting to treat or prevent the coronavirus.

How to Protect Yourself

We want you to remain informed and vigilant in protecting yourself from falling victim to fraud as you focus on keeping yourself and your families safe and healthy. Therefore, here are some tips from the experts to help you keep the scammers at bay:

• Do not click on links from sources you do not know. They could download viruses onto your computer or device.
• Do not give your financial information to anyone who you do not know or trust.
• Delete emails claiming to be from the CDC or experts saying they have information about the virus. Instead, for the most up-to-date information about the coronavirus, visit the CDC’s or the WHO’s websites directly.
• Pay close attention to email addresses and links, particularly when reading an email on a mobile device. If they do not already do so, employers should consider using tools which display messages such as “Caution: External Email” on all external emails sent to employees’ corporate email accounts. These warnings alert users that the sender may be impersonating an employee and potentially making fraudulent requests of them. Contact the supposed sender via their corporate email address or a known telephone number for confirmation before acting on any request.
• Look for spelling and grammatical errors and generic greetings which are common red-flags in phishing emails and text messages.
• Ignore online offers for vaccinations. Currently, there are no vaccines, pills, potions, lotions, lozenges, or other products available to treat or cure coronavirus.
• Research an organization before donating. Resist pressure tactics and do not respond to emails or text messages asking for an immediate donation in cash, by gift card, or by wiring money.
• Beware of claims that a company’s products or services can help stop the coronavirus, especially claims that involve microcap stocks. Always research a company before investing.

If you or someone you know has been the victim of a coronavirus-related scam, please report it to the FBI or the FTC.  If the scam is internet-related, report it to the FBI’s Internet Crime Complaint Center.  If the scam involves the United States Mail, report it to the United States Postal Inspection Service, and if the scam involves securities fraud, report it to the SEC.

As a full-service law firm, Montgomery McCracken has attorneys with expertise in Data Privacy and Cybersecurity and White Collar and Government Investigations who are available to advise you and your organization if it appears that your network may have been compromised by a coronavirus scam or unauthorized intrusion or exfiltration. Please feel free to reach out to us for assistance. Montgomery McCracken’s COVID-19 Resource Center is available here.