Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:30 PM
Connect Directly

Why Consumers, SMBs Are Likely to Fall for Coronavirus Scams

Data reveals both a lack of skepticism and a willingness to engage with emails crafted to seem like government communications.

Consumers' and small-business owners' expectations and attitudes toward government communications could make them more susceptible to coronavirus-related cybercrime, new data shows. An overall lack of skepticism combined with a willingness to engage may increase their risk.

It's no secret fraudsters are shifting their strategies to exploit fears related to COVID-19. Since the World Health Organization (WHO) declared a pandemic on March 11, IBM X-Force has seen an increase of more than 6,000% in COVID-19-related spam. Phishing lures aim to manipulate people with impersonations of the Small Business Administration, WHO, and US banks offering relief funds. The FBI's IC3 has also published an advisory warning people of a rise in online extortion scams.

To learn the effectiveness of these scams, IBM Security and Morning Consult polled 2,333 small-business owners and members of the general population in early April. Their "2020 Consumer & Small Business COVID-19 Awareness Study" revealed many people lack an understanding of the ways government officials communicate with the public, as well as resources available to them.

Despite years of warnings from the IRS, law enforcement, and the security community stating the IRS will never email individuals about tax filings, 35% of respondents said this is how they expect to receive IRS communications. One-third expect the same for WHO communications. Overall, 46% expect official information related to COVID-19 to arrive via email. More than half (57%) of small-business owners also expect official virus-related information to arrive via email. 

"The one big takeaway from this survey for me is the lack of skepticism and willingness of consumers and small-business owners to engage with emails and the misunderstanding of how they would receive communications," says IBM X-Force threat researcher Ashkan Vila.

The threats are similar for small businesses and consumers alike, Vila explains. Attackers are after credentials and sensitive data, and coronavirus fears make it easy for them to persuade victims with urgency and promises of money. They no longer need to be creative to succeed.

"Before the COVID-19 pandemic, we were seeing spam campaigns that didn't have much of a theme or focus and trying to lure as many people as possible," Vila says. "Now the pandemic has opened up a larger opportunity for cybercriminals to capitalize on people's fears and uncertainty and their desire for information on COVID-19 as things are rapidly changing."

Stimulus checks, which have recently begun to roll out to Americans, are a powerful lure. More than half (52%) of IBM Security's respondents said they would click on links or open attachments related to their stimulus check eligibility. The number is higher among the millions of people now unemployed: Nearly two-thirds (64%) of adults who recently lost their jobs would be most likely to engage with an email related to stimulus relief. IBM X-Force has identified several spam campaigns offering financial relief through stimulus payments, as well as notifications of money transfers.

Emails often include realistic logos and spoofed websites. One mimics an American Express email and offers $2,400 in stimulus relief but requires authentication to claim it. Another spoofs Wells Fargo and offers victims a payment from another customer if they verify their accounts.

The rise in coronavirus-related fraud is worrisome, as data indicates people are likely to fall for it. Nearly two-thirds (65%) of individuals said they feel "very" or "somewhat" comfortable sharing personal information with healthcare services; 64% said the same for banking and insurance firms. Nearly 60% said they feel comfortable sharing data with federal government agencies. These numbers were about the same for small-business owners, IBM researchers report.

Some spam campaigns impersonate the SBA and promise government relief funds to small businesses, nearly 40% of which believe they have been targeted with COVID-19 spam emails. Uncertainty surrounding the availability of small-business loans creates new opportunities for attackers. More than 40% of SMBs said they are unfamiliar with the government's small-business loan program, and more than 60% said they would engage with an email about stimulus relief. For both groups, COVID-19 testing was the next most popular lure they were likely to interact with.

As more people rely on their smartphones for email, it raises the likelihood they'll fall for these attacks, Vila points out. It's tougher to detect spam on your phone because it takes more steps to view email address details, and you can't hover over links to see where they lead.

"The pandemic has filled people with fear and uncertainty on the situation, also making people more susceptible to fall for these threats," he says.

Not the Only Ones At Risk
Consumers and small businesses aren't the only populations seeing an uptick in COVID-19-related cybercrime. Google's Threat Analysis Group (TAG) has identified more than a dozen government-backed attack groups using COVID-19 as bait in phishing and malware campaigns.

One campaign targeted personal accounts of US government employees, using American fast-food franchises as phishing lures. Some promised free meals and coupons in response to the pandemic, while others prompted victims to access websites disguised as online ordering platforms. Those who accessed the websites were asked for their Google account credentials. Most of these emails were sent to spam, Google points out, and users were warned of the threat. 

National and international health organizations, as well as the people who work there, are also prime targets. Attackers are capitalizing on these to trick people into downloading malware. Google says it is not seeing an increase in phishing attacks by these government-backed groups – in fact, March brought slightly lower attack numbers – but it is seeing a shift in strategy.

Related Content:

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "5 Ways to Prove Security's Worth in the Age of COVID-19."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
7 New Cybersecurity Vulnerabilities That Could Put Your Enterprise at Risk
In this Dark Reading Tech Digest, we look at the ways security researchers and ethical hackers find critical vulnerabilities and offer insights into how you can fix them before attackers can exploit them.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-14
Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000.
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-10751. Reason: This candidate is a duplicate of CVE-2020-10751. Notes: All CVE users should reference CVE-2020-10751 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-18270. Reason: This candidate is a duplicate of CVE-2017-18270. Notes: All CVE users should reference CVE-2017-18270 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
PUBLISHED: 2020-08-14
Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.