While COVID-19 scams are nothing new, the recent surge of new cases gives threat actors a fresh coat of paint for pandemic-related scams, with new narratives focused on vaccine passports, vaccination mobile apps, travel policy changes, COVID-19 financial relief and returning to the office/school.
With the recent surge in COVID-19 cases due to the Delta variant, there is growing confusion about the changing recommendations and requirements from the federal government, public health officials and private businesses, which is opening the door for scammers to continue to capitalize on the pandemic for financial gain.
We know that software solutions and cybersecurity education are standard practice now in most organizations, especially since the shift to remote work accommodations – but a friendly reminder never hurts, because as we have all seen, it only takes one email and one click to have devastating effects. Some of the latest angles scammers are using include vaccine passports, malicious websites, new financial relief and returning to the office/school.
COVID-19 Vaccine Passport Fraud
Since the vaccine was introduced, there have been several reports of fraudulent vaccine cards being sold to non-vaccinated individuals who were concerned that not having proof would prevent them from travel or activities. The search for fake vaccine cards is only heating up as multiple universities are requiring students to be vaccinated and several countries are requiring vaccinations for travel, including Canada, which recently fined a couple who used fake cards $16,000 each.
Simple way to avoid this scam… avoid websites or individuals that sell vaccine cards. Not only is this illegal, but chances are the website is malicious and a channel for threat actors to attack. If you have questions about vaccine passport or proof requirements, your best bet is to contact your state or local government through their official website or phone number.
COVID-19 Vaccine Mobile Apps
Perhaps the most aggressive vaccine passport initiative occurred last week when New York announced that proof of vaccination will be required for daily activities including dining out and health clubs. Along with the announcement of the upcoming requirement came the introduction of two mobile apps that individuals can use for a digital vaccine passport, Excelsior Pass and NYC Covid Safe. The introduction of vaccine apps will undoubtedly result in several malicious apps being introduced that can contribute to cyber incidents through mobile malware. As always when downloading a mobile app, use best practices to ensure you are downloading a verified and secure app, such as:
- Only download apps from verified stores such as Google Play and Apple’s app store. Remember, though, that many malicious apps appear on these stores, even if only for a short time before being pulled.
- Review the content ratings and download volume. If you see an app with poor ratings or a new app with a handful of downloads, chances are you should avoid downloading it.
- Be aware of what permissions you provide apps – many apps, even legitimate ones, default to nearly full control of your phone and data. You are able to modify these settings in most cases and if you think something is not right, follow your gut instinct.
- Check the vendor. Is this a brand or company that you know, or is their background questionable or non-existent? If so, avoid.
COVID-19 Malicious Websites
With the country and international travel reopening over the last few months, many people are understandably visiting travel sites including airlines, cruise lines and hotels/resorts for information on COVID-19 policies and requirements. As the second surge increases, chances are traffic to these sites will only increase with people concerned about booked trips or looking to book at cheaper rates. No matter what camp you are in, you can keep your guard up and information secure by utilizing the same cybersecurity best practices you should be using online every day, including:
- Verify you are on the actual website of the company/business by using the full URL provided on their marketing materials. Many imposter websites are set up to mirror legitimate sites and exist simply to steal your personal and financial information.
- Avoid googling or clicking ads for websites if you can. If all else fails, you can call the number on marketing materials to verify you are on the right site.
- If somebody randomly calls, emails or texts you with information on COVID-19 updates, hang up or delete without clicking – scammers know many people are planning travel and have modified their phishing/smishing/vishing campaigns to capitalize on the uncertainty.
- Remember the adage, if it’s too good to be true, it probably is. Keep this in mind when surfing for the best prices; chances are if you find an unbeatable deal you are being set up.
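The first check in the list above, comparing a link's hostname against domains you already know to be official, as an added example that is not part of the original article. The allowlist mixes the two .gov domains from this page's resource list with a constructed `example-airline.test`; treating the last two labels as the site's base domain is a simplifying assumption.

```python
from urllib.parse import urlsplit

# Assumption: domains taken from trusted material (a bill, a card, printed
# marketing). fbi.gov and ftc.gov appear on this page; the third is constructed.
OFFICIAL = {"fbi.gov", "ftc.gov", "example-airline.test"}

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return 'official', 'lookalike' or 'unlisted' for a link's hostname."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "unlisted"
    # Exact match or a true subdomain of an official domain.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return "official"
    netloc = parts.netloc.lower()             # still includes any "user@" part
    base = ".".join(host.split(".")[-2:])     # simplified base domain
    for d in OFFICIAL:
        # Official name placed in front of another domain, as a leading
        # label or as the userinfo before "@".
        if d in netloc:
            return "lookalike"
        # Near-miss spelling; tighter threshold for short names.
        if edit_distance(base, d) <= (1 if len(d) < 10 else 2):
            return "lookalike"
    return "unlisted"

if __name__ == "__main__":
    for sample in ("www.ftc.gov/coronavirus",                 # from this page
                   "https://ftc.gov.relief-claims.test/apply",  # constructed
                   "https://ftc.gov@relief-claims.test/",       # constructed
                   "https://example-airlline.test/deals"):      # constructed
        print(f"{classify(sample):10} {sample}")
```

A `lookalike` result means verify through a phone number you already have before entering anything; short names can trigger it for legitimate neighbouring domains.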
COVID-19 Financial Relief Scams
As the government introduced a number of COVID-19 stimulus packages, threat actors used the angst around these to target people through phishing, smishing and vishing campaigns. Fraudulent communications requesting personal information (social security numbers, credit card numbers, bank accounts, etc.) under the guise of COVID-19 themes have flooded our inboxes and phones since the pandemic began.
While these contain all the red flags that we are trained to spot, including requests for private information, a sense of urgency and easily spotted typos, the anxiety surrounding the financial aspects of the pandemic is surging with the start of Child Tax Update, the federal foreclosure moratorium and student loan deferral extensions, and the endless articles speculating about new stimulus payments for clickbait. Remember, always be suspicious of unsolicited communications in any form requesting personal information, no matter what the message is about.
COVID-19 Return to the Office/School
While organizations have hammered the importance of cybersecurity (at least we hope) to their remote team members through the pandemic, the impact the COVID-19 surge is having on return to office plans has opened up a new door for threat actors. Many of us are expecting communications from our leadership on updates to policies and returning to the office, and a large portion are most likely job searching on their employer’s devices with the economic upswing or in response to employers forcing a full-time return to the office. Regardless of your employees’ reasons, we encourage you to protect your organization by reminding your team of email cybersecurity best practices, including:
- Utilize security software solutions and multi-factor authentication, as well as forcing updates to computers and company-connected phone and tablet devices. These pre-emptive steps can prevent threats from even getting to your employees.
- Be wary of any communications asking for personal or sensitive information. While the request may even sound a bit normal, this could be part of a large spear-phishing campaign where threat actors are gathering information to go after a high-profile target.
- Watch out for phishing emails that have an urgent call-to-action to click. This can also include urgent emails disguised as coming from company leadership, such as an email to “click here immediately for an update on our work from home policy”.
- Avoid downloading any attachments that seem unusual or that you are not expecting. In the virtual environment this can also mean attachments sent via collaboration platforms including Teams and Slack.
- Remember if you get a suspicious email from somebody representing your employer or organization, you can always call them to verify if it was real.
These same attacks are also targeting parents and college students who are anxiously awaiting information for back-to-school policies, especially now with many college campuses announcing campus vaccination requirements. So to our parents and students out there, follow these same steps to help keep your personal information and network secure.
With all the uncertainty we face as the different COVID-19 variants are seemingly placing the return to normal a few steps backwards, the one certainty is that threat actors will continue to exploit the COVID-19 pandemic for financial gain. Remember, while the themes and narratives may change, their strategies and warning signs are mostly the same – so stay diligent and safe out there!
COVID-19 Federal Resources
- FBI COVID-19 Pandemic Resource Page www.fbi.gov/coronavirus
- FTC COVID-19 Pandemic Resource Page www.ftc.gov/coronavirus
- FTC Consumer Advice for Consumers www.ftc.gov/coronavirus/scams-consumer-advice
- FTC Poster – Avoid COVID-19 Scams www.ftc.gov/system/files/attachments/coronavirus-covid-19-pandemic-ftc-action/keep_calm_infographic_en_letter_508.pdf
- FTC Video – Avoid COVID-19 Stimulus Payment Scams www.consumer.ftc.gov/media/avoid-covid-19-stimulus-payment-scams
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].
In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.