Cybercriminals have capitalized on the COVID-19 crisis to exponentially increase their fraudulent activities, according to U.S. government agencies and private internet security firms. Americans who are working from home during the pandemic are particularly vulnerable and should be vigilant about phishing emails containing links to coronavirus-related topics and solicitations for charitable contributions, among other things. Beware the opportunity for cybercrime, especially now.
Federal agencies including the Department of Justice, Department of Homeland Security, and the IRS have issued numerous alerts in the past month warning of an increase in cybercrime. On April 8, 2020, Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a joint warning with the United Kingdom’s National Cyber Security Center (NCSC) outlining a variety of fraudulent activities that have surfaced in connection with the COVID-19 pandemic.
Malicious cyberattackers – most from outside the U.S. – are exploiting the public’s fear and need for reliable information about COVID-19 as an opportunity to deliver malware and ransomware, and to steal user credentials.
DRAMATIC INCREASE IN PHISHING EMAILS
Specifically, cybersecurity agencies are seeing a dramatic increase in email phishing schemes and ransomware attacks that play on victims’ fears and sympathy by masquerading as COVID-19 news about fake cures or solicitations for fraudulent charitable donations to support food banks or the unemployed. Moreover, many of the schemes lead victims to websites with terms like “coronavirus” and “covid” in the URLs, making them seem legitimate.
One of the newest phishing email scams targets Americans who are awaiting their federal stimulus payments, many of which will be deposited directly into taxpayers’ bank accounts. Scammers impersonating major financial institutions are asking victims to verify financial details before their stimulus funds can be deposited.
The email wording is convincing, and a link leads to a “financial institution” landing page that looks authentic. The email claims that the financial institution has placed the funds “on hold” until the user signs in and verifies account ownership. The URL appears to be that of the financial institution, but in fact the victim is on a scam website that is controlled by cybercriminals and is used to steal login credentials. Once a victim “signs in,” the attackers have their login credentials and access to their real bank account.
The wave of cybercrime related to COVID-19 was anticipated by the FBI and other law enforcement agencies based on spikes they have seen after natural disasters and other significant events. But the potential financial damage that can occur from exploiting fears around coronavirus has moved some law enforcement agencies to step in earlier than they normally would in some circumstances. David M. DeVillers, the U.S. Attorney for the Southern District of Ohio, recently announced that the threshold for initiating fraud cases is being ignored for coronavirus-related scams. Usually a minimum fraud cost in the tens of thousands of dollars is considered the benchmark for launching an investigation.
REMOTE WORKERS TARGETED: MAKE CYBERSECURITY A PRIORITY
Besides the usual strategies of phishing emails, malware distribution, and spoofed websites, cybercriminals are specifically targeting people who are working from home.
With millions of Americans working from home during the COVID-19 crisis – and in many cases using personal computers – the security safeguards that usually exist on workplace computers are missing. Email phishing scammers know this and have intensified their efforts to break into company servers.
Many of the emails, which often appear to be sent by WHO or the Centers for Disease Control and Prevention, pretend to offer new information about the coronavirus. If they offer promising information about a vaccine and provide a link, they are phishing schemes, cybersecurity experts warn.
Scammers also are counting on victims being less diligent about suspicious emails and links than they would be if they were working in their professional offices. For instance, a malicious Android app purports to provide a real-time coronavirus outbreak tracker, playing on users’ fears that the virus may be intensifying in their state or city. The app tricks the user into providing administrative access and then installs “CovidLock” ransomware on their device. At that point, the user’s device is locked and a cash ransom may be demanded to get it unlocked.
Cybercriminals also are taking advantage of the massive new distributed workforce to exploit known vulnerabilities in VPNs and other remote working tools and software, such as Citrix, Zoom and Microsoft Teams.
CREDENTIAL THEFT
In many cases, phishing emails are aimed at stealing user credentials. These emails refer to COVID-19 cures or vaccines in order to lure the user in, then lead to a spoofed website if the user clicks on a link. These websites often are designed to look authentic and appear to be trusted sites, but if you key in a password the cybercriminals now have a password that they can use to access you other accounts.
HIGH PROFILE SCAMS
Some of the more well-known COVID-19-related scams that have surfaced in recent weeks include:
- A text message promising free iPhones due to the coronavirus, asking users to click a link.
- Malware spreads to Android phones via a text message that promises to share data about the COVID-19 spread but instead watches you through the smartphone camera and listens using the microphone.
- Text messages promoting payday loans of $5,000, news alerts from a fake news site and a coronavirus-curing CBD oil.
- Various promises of faith healing for COVID-19 sufferers, delivered by smartphone text, email, or websites.
PHONE SCAMS
Scam artists also have been calling taxpayers – particularly the elderly – and trying to get bank account numbers, posing as IRS representatives trying to disburse “recovery rebate” checks authorized by recent legislation.
Most of the recovery rebate payments that the federal government will pay taxpayers in coming weeks will be directly deposited into bank accounts if the IRS has routing numbers and account information already on file. For other taxpayers, paper checks will be sent.
The IRS reminds taxpayers that it will never call or email a taxpayer demanding payment of taxes owed or asking for bank account numbers so it can deposit a refund.
HOW TO PROTECT YOURSELF AND YOUR BUSINESS
- If you are working from home using your personal computer, make sure you have anti-virus security software installed. Consult your company’s IT department for recommendations.
- If your employees are working from home using their personal computers, your company’s data could be at risk. Make sure all employees have anti-virus security software on their computers and that they have been trained in how to avoid phishing scams.
- Think before you click. Slow down. If an email doesn’t look right, delete it. Do NOT click on anything in the email.
- Examine the link. Before you click on a link, try hovering your mouse over it. This will reveal the full address, which can expose signs of fraud. Misspellings in URLs are another good tip-off to a fake website. Don’t assume that a website is legitimate just because its URL starts with “https.” Criminals use encryption, too.
- Don’t open attachments from suspicious emails. They may contain malware.
- Guard financial information. Delete emails asking for account numbers, credit card numbers or wire transfers.
- Turn on auto updates. This goes for your computer, smartphone, and tablets. This will help stop malware.
- Use security tools. Install an anti-virus program on your device and keep it up to date. But keep in mind that these tools aren’t foolproof. You still must use your head.
Try to stay educated on what cybercrime looks like, so it can be caught before hurting you or your business.
REPORTING CORONAVIRUS-RELATED CYBERCRIME
If you receive unsolicited emails, text messages, or social media attempts to gather information that appear to be from either the IRS or an organization closely linked to the IRS, such as the Electronic Federal Tax Payment System (EFTPS), forward it to phishing@irs.gov. See our recent article, “Cybercrime: Business Email is a Common Gateway” for more tips on how to protect your organization from phishing emails.
TIPS TO AVOID BEING A CYBERCRIME VICTIM
CISA encourages individuals to remain vigilant and take the following precautions.
Avoid clicking on links in unsolicited emails and be wary of email attachments. See Using Caution with Email Attachments and Avoiding Social Engineering and Phishing Scams for more information.
Use trusted sources such as legitimate, government websites for up-to-date, fact-based information about COVID-19.Do not reveal personal or financial information in email, and do not respond to email solicitations for this information.
Verify a charity’s authenticity before making donations. Review the Federal Trade Commission’s page on Charity Scams for more information.
Review CISA Insights on Risk Management for COVID-19 for more information.
ADDRESS CYBERSECURITY RISKS TO PROTECT YOUR BUSINESS
The IT consultants at Barnes Wendling CPAs can analyze your company’s IT environment, assess your security, and create a plan to mitigate risk and protect your business from cybersecurity attacks.
If you are concerned about COVID-19-related cybercrime impacting you or your business, please contact our advisors.
Related Insights
Featured Client Testimonials
BW is a true partner to us. Their knowledge, expertise, and service are a valuable resource to us and play an important role in our success!
John Allen - Vice President of Finance, Kaufman Container
Featured Client Testimonials
I appreciate the exceptional tax advice we received over the years. The (BW team) has a good grasp of our business needs. Thank you for your excellent service.
John Griffiths - Owner, Rae Ann, Inc.
Featured Client Testimonials
Barnes Wendling has been our company accountants for over seven years. Their knowledge has been instrumental in helping us grow strategically during this time. And although we’ve seen many changes in our economy that we cannot control, we’ve always been able to trust the Barnes team to be by our side. The Barnes team feels like family. We can’t thank them enough for their support!
Christine Kloss - Controller, AT&F
Featured Client Testimonials
Barnes Wendling has been our company accountants for over 15 years. During this time, the business has grown exceptionally, and Barnes has kept pace, providing accurate, quality advice. Our finances are more efficient than ever, and the expense of hiring Barnes has been a definite positive add to our bottom line. I give my highest recommendation to their firm.
David Miller, MD - President, Retina Associates of Cleveland
Featured Client Testimonials
Barnes Wendling has provided us guidance and recommendations that have strategically helped strengthen our business and position ourselves for growth. We needed to hire a new VP of Finance and Controller this past year, and they were instrumental in helping us find the best candidates for our company.
Sara Blankenship - President, Kaufman Container
Featured Client Testimonials
We value the trust, accuracy of information, and reliability of Barnes Wendling and Mike Essenmacher personally. Mike has been instrumental as a trusted advisor on accounting, tax, and personnel issues. His advice is always accurate, and he is very reliable. His associates are also very talented.
Dominic Ozanne - President and CEO, Ozanne Construction Company
Featured Client Testimonials
We value Barnes Wendling’s expertise with all things accounting so we can operate our business using our strengths and allowing them to be our experts. They have also brought me a few business sale opportunities to allow me to grow my assets.
John Gaydosh - President and Metallurgical Engineer, Ohio Metallurgical Service
Featured Client Testimonials
Barnes Wendling (especially Lena) did a great job with our financials. Everything. It is extremely refreshing and comforting to know that all of our numbers are not only correct, but they are in the right place(s). Your diligence and reporting truly does make me (personally) feel better.
Thomas Adomaitis - Controller, Bialosky Cleveland
Featured Client Testimonials
I can wholeheartedly tell you that I have yet to work with an audit or tax team that have been more helpful, easy to work with, and committed than the team at Barnes Wendling- I have been through three different firms in the last few years.
Michelle Saylor, Former Controller, Aero Mag
Featured Client Testimonials
Floyd Trouten at Barnes Wendling CPAs is an “expert’s expert” when it comes to M & A accounting. Not only does he understand the evolving details of the Tax Code but he also sees the fine points of their application for owners, managers, investors, and financiers.
Mark A. Filippell, Western Reserve Partners
Featured Client Testimonials
The service is amazing at Barnes Wendling CPAs. The benefit is worth more than the cost. Sometimes it’s true that you get what you pay for.
Mark Boucher - Former Owner, Castle Heating & Air