How to Spot and Avoid COVID-19 Scams

Bad actors are preying on the fears we're all feeling during the coronavirus pandemic. Falling for an online scam is the last thing you need right now; here's how to stay safe.

To stop the spread of the coronavirus, millions of people are staying home, working from home, wearing masks when they go outside, and washing their hands frequently for at least 20 seconds. Unfortunately, those techniques won't protect you against the scammers that are following in the wake of the global COVID-19 pandemic. For that, you'll need different strategies to spot scams and protect yourself before the scammers can attack.

The IRS Giveth, Scammers Taketh Away

In the US, the federal government has designated significant funds for companies and individuals affected by COVID-19. This links up money and fear, the two primary tools of scammers.

Because the IRS is handling the dispersal of payments from the CARES Act, it's safe to assume that many scammers will recycle their tried-and-true tax scams. As with tax-season scams (which are now still in season until July), the method of delivery is usually the easiest tell. With rare exception, the federal government communicates with the populace via USPS. You won't receive a text message, email, phone call, and especially not a social media or WhatsApp message from the IRS asking for money, during tax-filing season or otherwise.

From the IRS website, here's a list of actions the agency says it will not do:

- Call to demand immediate payment using a specific payment method such as a prepaid debit card, gift card or wire transfer. Generally, the IRS will first mail a bill to any taxpayer who owes taxes.

- Demand that you pay taxes without the opportunity to question or appeal the amount they say you owe. You should also be advised of your rights as a taxpayer.

- Threaten to bring in local police, immigration officers, or other law-enforcement to have you arrested for not paying. The IRS also cannot revoke your driver’s license, business licenses, or immigration status. Threats like these are common tactics scam artists use to trick victims into buying into their schemes.

One theme that runs through all these tactics is urgency. Scammers seek to short-circuit your better judgment by setting time limits or severe consequences. The bad guys may claim that you must act quickly to receive money or bully you into acting fast to give them money. They may also claim that police, immigration, or some other implied threat of violence is involved. All of these are designed to prevent you from taking the time to think about what's being asked, and to stop you from verifying the facts. The fast-moving, confusing disaster of COVID-19 has made it all the harder to hold onto reality, which works to the scammer's advantage.

While tax scams are the likeliest template for coronavirus payment scams, the IRS has a list of other possible scams. One of the biggest tipoffs? The real IRS won't call it a "stimulus" or a "bailout." Below are other things to watch out for, from the IRS website.

The IRS reminds taxpayers that scammers may:

- Emphasize the words "Stimulus Check" or "Stimulus Payment." The official term is economic impact payment.

- Ask the taxpayer to sign over their economic impact payment check to them.

- Ask by phone, email, text or social media for verification of personal and/or banking information saying that the information is needed to receive or speed up their economic impact payment.

- Suggest that they can get a tax refund or economic impact payment faster by working on the taxpayer's behalf. This scam could be conducted by social media or even in person.

- Mail the taxpayer a bogus check, perhaps in an odd amount, then tell the taxpayer to call a number or verify information online in order to cash it.

Unfortunately, no amount of clever investigating may be enough to protect your IRS payment. The New York Times reports that, because the IRS requires so little information to hijack economic impact checks, "[...] criminals have used people’s Social Security numbers, home addresses and other personal information—much of which was available online from past data breaches—to assume their identities and bilk them out of their stimulus checks and unemployment benefits."

This kind of attack is made possible by the innumerable data breaches of the last decade. The people who steal the data don't always use it themselves. Instead, they sell the data on Dark Web marketplaces, where it may be combined with stolen information from other data breaches. Eventually, an attacker can amass the information needed to impersonate you.

Even if you're certain that the IRS has the necessary information to send your payment, take a minute to check your payment status on the official IRS tracker. That could provide some warning if a scammer has already absconded with your COVID-19 cash. Be absolutely sure that you're on the correct website before entering your information. 

Beware Emails Bearing Gifts

While the IRS has been proactive in warning against economic impact payment scams, that might not (yet) be the biggest threat. "Considering the attention the US CARES legislation has received, it would be surprising if criminals weren't planning on taking advantage of individual interest and what appear to be lax verification requirements on behalf of the IRS," Sophos Principal Research Scientist Chet Wisniewski told PCMag.

"To date, we are not seeing any spam or virus payloads exploiting this, but we will continue to monitor the situation and get the word out if that changes."

That doesn't mean there aren't dangerous scams using COVID-19 as a cover. In fact, it seems like many scammers are doing so. Google recently reported that it is blocking 18 million bogus coronavirus-related emails per day. Google gave examples of some of the scams it had blocked. Some were posing as managers, referring employees to work-from-home information that was really a malicious link. Others referenced economic impact payments and urged recipients to open an attached, malicious file.

Google recommends that you avoid downloading unfamiliar or unexpected files directly to your computer and instead use the built-in document viewer. The company also urged people to look very carefully at the email domain (that's what comes after the @-sign in an email address) to make sure it's legit. There's a big difference between [email protected] and [email protected].

The email security company GreatHorn put the staggering sum of scam emails into context. The company's research shows that, during the first half of April, 2.4 percent of the 1.4 billion emails analyzed were related to COVID-19. Of those COVID-19 related emails, 36.6 percent were scams.

Phony Pharmacies and Other Scams

It's easier to sell a fake product or successfully phish someone if your scam has a place to live. That may be partly why there's been a surge in coronavirus-related URLs.

On April 20th, the security company Check Point reported that 68,000 coronavirus domains had been registered since January, with 16,989 registered in the first two weeks of April alone. Of those April registrations, 2 percent were confirmed malicious and another 21 percent suspicious.

Scammers can use these URLs to appear more legitimate. People may be more likely to trust a relevant-appearing URL than a random string of letters and numbers. Notably, Check Point reports that coronavirus-related URL registrations were 3.5 times larger in the week economic impact payments were announced.

Importantly, not all of the coronavirus URLs are dangerous. A charity might want a relevant URL to help in fundraising. Palo Alto Networks points out that some may simply be investments—relevant names quickly snatched up in the hopes of selling them for a profit. That's shady but not illegal. More questionable were a cluster of sites peddling coronavirus ebooks.

"We found a group of websites building on peoples’ already existing fears of coronavirus and trying to scare them further into buying their ebook," Palo Alto Networks wrote in the company's report. "First, they play a disturbing video about the scariest situations and events related to coronavirus, then they advertise the book as the key to survive this pandemic." The company notes that some customers who purchased the book complained that they had not received the product.

What's on those truly dangerous URLs? In its report, Palo Alto Networks found some new twists on old classics. Some sites simply carried malicious payloads, fake tech support scams, and storefronts designed to siphon off your credit card information. Others were more contemporary and insidious. "A significant fraction of them are used for both well-known malicious activities as well as for fraudulent shops selling items in short supply."

Some sites may have coronavirus in the URL, but are peddling something entirely different. "While the domain names suggest that these stores sell remedies for coronavirus, they mainly advertise Viagra and other drugs unrelated to the virus." Palo Alto Networks notes that drugs purchased from questionable online sources may not be the same as the real deal, and could be sold at unsafe dosages. 

When trying to spot a dangerous site, Palo Alto Networks suggests watching out for grammatical errors and pages stuffed with relevant keywords. Another tell? Sites that lack an address or phone number, but do include a WhatsApp number.

Trust, But Verify

The X-Files implored us to "trust no one," but I prefer the Cold War motto "trust, but verify." Paranoia isn't helpful, but you should carefully consider any information you receive before you act on it.

How to verify information in the era of fake news is another matter, but at least in the realm of IRS scams, there's a good place to start: the official IRS website www.irs.gov. Scammers may provide email addresses, URLs, or phone numbers in their messaging. Don't use these unless you can compare them exactly to contact information on the IRS website. If the scammers are claiming to be from another agency or a bank, find that organization's official website and check the contact information. If it doesn't match, reach out through official channels anyway. That way you can be sure you're correct, and report the phishing attempt.

If you are on the receiving end of an economic impact payment scam, the IRS has an entire process for reporting it and resources available to help you ID a scam. You can also reach the agency by phone, although I imagine the wait times from the double whammy of COVID-19 and extended tax filing season will be extensive. I recommend putting the phone on speaker mode, getting some snacks, and watching some Netflix while you wait. 

All this is true for other coronavirus-related schemes. If you receive unexpected emails or text messages with calls to action or attached files, be extra careful. If it's from someone you know, reach out to them through a different method and verify that what you received is legitimate.

Be aware that scammers are very good at picking out URLs that appear legit and even better at building convincing phishing sites. In my work testing the anti-phishing protection of various products, I've used real, live phishing sites. Some of them are laughably bad, but just as many are scarily accurate. Look for HTTPS at the start of the URL or a lock icon next to the URL. This isn't foolproof, but it's a start. Then look at the rest of the URL. Are there any misspellings? Are there several dots in the domain name, making .com look more like .com.au.ru? These are all signs that the site is not on the up and up. For more on how to sidestep this particular type of threat, please read How to Avoid Phishing Scams.
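The URL checks described above (HTTPS, misspellings, extra dots after a familiar name) and the earlier advice to inspect the domain after the @-sign can be expressed as a small script. This is an added example, not code from the article; it assumes `irs.gov` is the domain you expect, the function names are hypothetical, and the sample URLs are constructed using the reserved `.example` TLD.

```python
from urllib.parse import urlsplit

OFFICIAL = "irs.gov"  # assumption: the one domain we expect, per the article

def edit_distance(a, b):
    """Levenshtein distance; small values indicate a likely misspelling."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_host(host, official=OFFICIAL):
    """Return warnings for a hostname; an empty list means it is on the official domain."""
    host = host.lower().rstrip(".")
    if host == official or host.endswith("." + official):
        return []
    warnings = ["not-official-domain"]
    labels = host.split(".")
    # "Several dots": the official name appears inside a different host,
    # typically with more labels after it (irs.gov.something.tld).
    if official in host:
        warnings.append("official-name-inside-other-host")
    # Misspellings: any adjacent label pair within two edits of the official name.
    pairs = (".".join(labels[i:i + 2]) for i in range(len(labels) - 1))
    if any(0 < edit_distance(p, official) <= 2 for p in pairs):
        warnings.append("misspelled-lookalike")
    return warnings

def check_url(url):
    """Apply the HTTPS check plus the hostname checks to a full URL."""
    parts = urlsplit(url)
    warnings = [] if parts.scheme == "https" else ["not-https"]
    return warnings + check_host(parts.hostname or "")

def check_sender(address):
    """Check the domain after the last @-sign of an email address."""
    return check_host(address.rsplit("@", 1)[-1])

if __name__ == "__main__":
    # Constructed sample URLs, not real sites.
    for sample in ("https://www.irs.gov/coronavirus",
                   "http://www.irs.gov/",
                   "https://irs.gov.payment-status.example/claim",
                   "https://irs.g0v.example/refund"):
        print(sample, check_url(sample))
```

A warning from these heuristics is a reason to verify through official channels, not proof of fraud, and an empty result says nothing about HTTPS-enabled phishing sites on unrelated domains.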

Scammers will seek to prevent you from verifying basic information, usually with threats or frantic deadlines. For IRS-related scams, this is a major red flag, since the US government moves at a geologic pace. This is also true of most financial institutions, creditors, and so on. If you receive a communication from any authority or agency demanding immediate action, respond with immediate suspicion. 

Apply this same tactic in other contexts as well. A scammer will want you to act first and think later, whether it’s getting you to click on a malicious link or buy a bogus coronavirus cure. It always pays to validate the claims you receive, even if doing so takes extra time because of the confusion and emotional stress brought on by this pandemic.

Prepare for the Worst

The coronavirus pandemic is a global disaster unlike anything in recent history. So, it's unreasonable to expect yourself to be making the best decisions. Staying vigilant against scammers requires cool-headed thinking that's in short supply at a time of devastation, misinformation, and mixed messaging from governments. Be generous to yourself when you make mistakes.

Importantly, assume that you will make mistakes, so take precautions against those mistakes. First and foremost, listen to warning messages. Your browser and many email platforms have built-in phishing protections, and most do a great job. If you see a warning pop up saying that a site or attachment is dangerous—and you know the warning is real—heed it. 

On your home computer, install antivirus software and keep it up to date. We have reviewed many worthy products for Windows and Mac machines. There are free options, too. Even if you are excellent at spotting online dangers, security software is there as a backup. It may also do a better job stopping a new, novel threat before it can do damage.

A lot of scam activity is geared toward account takeovers. You can protect against bad guys snagging your online accounts by using a unique, complex password for each and every website and service you use. If you reuse passwords on different sites, one compromised site could mean an attacker gains access to every other site where you reused the password. A password manager can generate and replay strong passwords, taking the burden off of your shoulders. I also recommend using a password manager that syncs your logins between devices, although your trust of the cloud may vary from mine.

Finally, enable two-factor authentication on any site or service that offers it. This enables additional steps in the login process that make it infinitely harder to hijack the account, even when the bad guy has a valid username and password. You can opt for a free app to serve as your authenticator, a hardware key, or some other scheme. Avoid SMS authentication, but it will do in a pinch.

In the last two months, we've all learned some simple but critical new skills: how to make a mask out of an old T-shirt, how to count 20 seconds of hand washing, and how to eyeball six feet of social distance, to name just a few. You can ward off another whole batch of COVID-19 threats just by learning the digital security skills needed to spot scams—skills that will serve you well after the pandemic, too.

About Max Eddy