Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:30 PM
Connect Directly

Why Consumers, SMBs Are Likely to Fall for Coronavirus Scams

Data reveals both a lack of skepticism and a willingness to engage with emails crafted to seem like government communications.

Consumers' and small-business owners' expectations and attitudes toward government communications could make them more susceptible to coronavirus-related cybercrime, new data shows. An overall lack of skepticism combined with a willingness to engage may increase their risk.

It's no secret fraudsters are shifting their strategies to exploit fears related to COVID-19. Since the World Health Organization (WHO) declared a pandemic on March 11, IBM X-Force has seen an increase of more than 6,000% in COVID-19-related spam. Phishing lures aim to manipulate people with impersonations of the Small Business Administration, WHO, and US banks offering relief funds. The FBI's IC3 has also published an advisory warning people of a rise in online extortion scams.

To learn the effectiveness of these scams, IBM Security and Morning Consult polled 2,333 small-business owners and members of the general population in early April. Their "2020 Consumer & Small Business COVID-19 Awareness Study" revealed many people lack an understanding of the ways government officials communicate with the public, as well as resources available to them.

Despite years of warnings from the IRS, law enforcement, and the security community stating the IRS will never email individuals about tax filings, 35% of respondents said this is how they expect to receive IRS communications. One-third expect the same for WHO communications. Overall, 46% expect official information related to COVID-19 to arrive via email. More than half (57%) of small-business owners also expect official virus-related information to arrive via email. 

"The one big takeaway from this survey for me is the lack of skepticism and willingness of consumers and small-business owners to engage with emails and the misunderstanding of how they would receive communications," says IBM X-Force threat researcher Ashkan Vila.

The threats are similar for small businesses and consumers alike, Vila explains. Attackers are after credentials and sensitive data, and coronavirus fears make it easy for them to persuade victims with urgency and promises of money. They no longer need to be creative to succeed.

"Before the COVID-19 pandemic, we were seeing spam campaigns that didn't have much of a theme or focus and trying to lure as many people as possible," Vila says. "Now the pandemic has opened up a larger opportunity for cybercriminals to capitalize on people's fears and uncertainty and their desire for information on COVID-19 as things are rapidly changing."

Stimulus checks, which have recently begun to roll out to Americans, are a powerful lure. More than half (52%) of IBM Security's respondents said they would click on links or open attachments related to their stimulus check eligibility. The number is higher among the millions of people now unemployed: Nearly two-thirds (64%) of adults who recently lost their jobs would be most likely to engage with an email related to stimulus relief. IBM X-Force has identified several spam campaigns offering financial relief through stimulus payments, as well as notifications of money transfers.

Emails often include realistic logos and spoofed websites. One mimics an American Express email and offers $2,400 in stimulus relief but requires authentication to claim it. Another spoofs Wells Fargo and offers victims a payment from another customer if they verify their accounts.

The rise in coronavirus-related fraud is worrisome, as data indicates people are likely to fall for it. Nearly two-thirds (65%) of individuals said they feel "very" or "somewhat" comfortable sharing personal information with healthcare services; 64% said the same for banking and insurance firms. Nearly 60% said they feel comfortable sharing data with federal government agencies. These numbers were about the same for small-business owners, IBM researchers report.

Some spam campaigns impersonate the SBA and promise government relief funds to small businesses, nearly 40% of which believe they have been targeted with COVID-19 spam emails. Uncertainty surrounding the availability of small-business loans creates new opportunities for attackers. More than 40% of SMBs said they are unfamiliar with the government's small-business loan program, and more than 60% said they would engage with an email about stimulus relief. For both groups, COVID-19 testing was the next most popular lure they were likely to interact with.

As more people rely on their smartphones for email, it raises the likelihood they'll fall for these attacks, Vila points out. It's tougher to detect spam on your phone because it takes more steps to view email address details, and you can't hover over links to see where they lead.

"The pandemic has filled people with fear and uncertainty on the situation, also making people more susceptible to fall for these threats," he says.

Not the Only Ones At Risk
Consumers and small businesses aren't the only populations seeing an uptick in COVID-19-related cybercrime. Google's Threat Analysis Group (TAG) has identified more than a dozen government-backed attack groups using COVID-19 as bait in phishing and malware campaigns.

One campaign targeted personal accounts of US government employees, using American fast-food franchises as phishing lures. Some promised free meals and coupons in response to the pandemic, while others prompted victims to access websites disguised as online ordering platforms. Those who accessed the websites were asked for their Google account credentials. Most of these emails were sent to spam, Google points out, and users were warned of the threat. 

National and international health organizations, as well as the people who work there, are also prime targets. Attackers are capitalizing on these to trick people into downloading malware. Google says it is not seeing an increase in phishing attacks by these government-backed groups – in fact, March brought slightly lower attack numbers – but it is seeing a shift in strategy.

Related Content:

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "5 Ways to Prove Security's Worth in the Age of COVID-19."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.