Consumers' and small-business owners' expectations and attitudes toward government communications could make them more susceptible to coronavirus-related cybercrime, new data shows. An overall lack of skepticism combined with a willingness to engage may increase their risk.
It's no secret fraudsters are shifting their strategies to exploit fears related to COVID-19. Since the World Health Organization (WHO) declared a pandemic on March 11, IBM X-Force has seen an increase of more than 6,000% in COVID-19-related spam. Phishing lures aim to manipulate people with impersonations of the Small Business Administration, WHO, and US banks offering relief funds. The FBI's IC3 has also published an advisory warning people of a rise in online extortion scams.
To learn the effectiveness of these scams, IBM Security and Morning Consult polled 2,333 small-business owners and members of the general population in early April. Their "2020 Consumer & Small Business COVID-19 Awareness Study" revealed many people lack an understanding of the ways government officials communicate with the public, as well as resources available to them.
Despite years of warnings from the IRS, law enforcement, and the security community stating the IRS will never email individuals about tax filings, 35% of respondents said this is how they expect to receive IRS communications. One-third expect the same for WHO communications. Overall, 46% expect official information related to COVID-19 to arrive via email. More than half (57%) of small-business owners also expect official virus-related information to arrive via email.
"The one big takeaway from this survey for me is the lack of skepticism and willingness of consumers and small-business owners to engage with emails and the misunderstanding of how they would receive communications," says IBM X-Force threat researcher Ashkan Vila.
The threats are similar for small businesses and consumers alike, Vila explains. Attackers are after credentials and sensitive data, and coronavirus fears make it easy for them to persuade victims with urgency and promises of money. They no longer need to be creative to succeed.
"Before the COVID-19 pandemic, we were seeing spam campaigns that didn't have much of a theme or focus and trying to lure as many people as possible," Vila says. "Now the pandemic has opened up a larger opportunity for cybercriminals to capitalize on people's fears and uncertainty and their desire for information on COVID-19 as things are rapidly changing."
Stimulus checks, which have recently begun to roll out to Americans, are a powerful lure. More than half (52%) of IBM Security's respondents said they would click on links or open attachments related to their stimulus check eligibility. The number is higher among the millions of people now unemployed: Nearly two-thirds (64%) of adults who recently lost their jobs would be most likely to engage with an email related to stimulus relief. IBM X-Force has identified several spam campaigns offering financial relief through stimulus payments, as well as notifications of money transfers.
Emails often include realistic logos and spoofed websites. One mimics an American Express email and offers $2,400 in stimulus relief but requires authentication to claim it. Another spoofs Wells Fargo and offers victims a payment from another customer if they verify their accounts.
The rise in coronavirus-related fraud is worrisome, as data indicates people are likely to fall for it. Nearly two-thirds (65%) of individuals said they feel "very" or "somewhat" comfortable sharing personal information with healthcare services; 64% said the same for banking and insurance firms. Nearly 60% said they feel comfortable sharing data with federal government agencies. These numbers were about the same for small-business owners, IBM researchers report.
Some spam campaigns impersonate the SBA and promise government relief funds to small businesses, nearly 40% of which believe they have been targeted with COVID-19 spam emails. Uncertainty surrounding the availability of small-business loans creates new opportunities for attackers. More than 40% of SMBs said they are unfamiliar with the government's small-business loan program, and more than 60% said they would engage with an email about stimulus relief. For both groups, COVID-19 testing was the next most popular lure they were likely to interact with.
As more people rely on their smartphones for email, it raises the likelihood they'll fall for these attacks, Vila points out. It's tougher to detect spam on your phone because it takes more steps to view email address details, and you can't hover over links to see where they lead.
"The pandemic has filled people with fear and uncertainty on the situation, also making people more susceptible to fall for these threats," he says.
Not the Only Ones At Risk
Consumers and small businesses aren't the only populations seeing an uptick in COVID-19-related cybercrime. Google's Threat Analysis Group (TAG) has identified more than a dozen government-backed attack groups using COVID-19 as bait in phishing and malware campaigns.
One campaign targeted personal accounts of US government employees, using American fast-food franchises as phishing lures. Some promised free meals and coupons in response to the pandemic, while others prompted victims to access websites disguised as online ordering platforms. Those who accessed the websites were asked for their Google account credentials. Most of these emails were sent to spam, Google points out, and users were warned of the threat.
National and international health organizations, as well as the people who work there, are also prime targets. Attackers are capitalizing on these to trick people into downloading malware. Google says it is not seeing an increase in phishing attacks by these government-backed groups – in fact, March brought slightly lower attack numbers – but it is seeing a shift in strategy.
- 8 Phishing Lures Preying on Pandemic Panic
- The Evolving Threat of Credential Stuffing
- How Enterprises Are Attacking the Cybersecurity Problem - 2019
- IBM Cloud Data Shield Brings Confidential Computing to Public Cloud
A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "5 Ways to Prove Security's Worth in the Age of COVID-19."