Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:30 PM
Connect Directly

Why Consumers, SMBs Are Likely to Fall for Coronavirus Scams

Data reveals both a lack of skepticism and a willingness to engage with emails crafted to seem like government communications.

Consumers' and small-business owners' expectations and attitudes toward government communications could make them more susceptible to coronavirus-related cybercrime, new data shows. An overall lack of skepticism combined with a willingness to engage may increase their risk.

It's no secret fraudsters are shifting their strategies to exploit fears related to COVID-19. Since the World Health Organization (WHO) declared a pandemic on March 11, IBM X-Force has seen an increase of more than 6,000% in COVID-19-related spam. Phishing lures aim to manipulate people with impersonations of the Small Business Administration, WHO, and US banks offering relief funds. The FBI's IC3 has also published an advisory warning people of a rise in online extortion scams.

To learn the effectiveness of these scams, IBM Security and Morning Consult polled 2,333 small-business owners and members of the general population in early April. Their "2020 Consumer & Small Business COVID-19 Awareness Study" revealed many people lack an understanding of the ways government officials communicate with the public, as well as resources available to them.

Despite years of warnings from the IRS, law enforcement, and the security community stating the IRS will never email individuals about tax filings, 35% of respondents said this is how they expect to receive IRS communications. One-third expect the same for WHO communications. Overall, 46% expect official information related to COVID-19 to arrive via email. More than half (57%) of small-business owners also expect official virus-related information to arrive via email. 

"The one big takeaway from this survey for me is the lack of skepticism and willingness of consumers and small-business owners to engage with emails and the misunderstanding of how they would receive communications," says IBM X-Force threat researcher Ashkan Vila.

The threats are similar for small businesses and consumers alike, Vila explains. Attackers are after credentials and sensitive data, and coronavirus fears make it easy for them to persuade victims with urgency and promises of money. They no longer need to be creative to succeed.

"Before the COVID-19 pandemic, we were seeing spam campaigns that didn't have much of a theme or focus and trying to lure as many people as possible," Vila says. "Now the pandemic has opened up a larger opportunity for cybercriminals to capitalize on people's fears and uncertainty and their desire for information on COVID-19 as things are rapidly changing."

Stimulus checks, which have recently begun to roll out to Americans, are a powerful lure. More than half (52%) of IBM Security's respondents said they would click on links or open attachments related to their stimulus check eligibility. The number is higher among the millions of people now unemployed: Nearly two-thirds (64%) of adults who recently lost their jobs would be most likely to engage with an email related to stimulus relief. IBM X-Force has identified several spam campaigns offering financial relief through stimulus payments, as well as notifications of money transfers.

Emails often include realistic logos and spoofed websites. One mimics an American Express email and offers $2,400 in stimulus relief but requires authentication to claim it. Another spoofs Wells Fargo and offers victims a payment from another customer if they verify their accounts.

The rise in coronavirus-related fraud is worrisome, as data indicates people are likely to fall for it. Nearly two-thirds (65%) of individuals said they feel "very" or "somewhat" comfortable sharing personal information with healthcare services; 64% said the same for banking and insurance firms. Nearly 60% said they feel comfortable sharing data with federal government agencies. These numbers were about the same for small-business owners, IBM researchers report.

Some spam campaigns impersonate the SBA and promise government relief funds to small businesses, nearly 40% of which believe they have been targeted with COVID-19 spam emails. Uncertainty surrounding the availability of small-business loans creates new opportunities for attackers. More than 40% of SMBs said they are unfamiliar with the government's small-business loan program, and more than 60% said they would engage with an email about stimulus relief. For both groups, COVID-19 testing was the next most popular lure they were likely to interact with.

As more people rely on their smartphones for email, it raises the likelihood they'll fall for these attacks, Vila points out. It's tougher to detect spam on your phone because it takes more steps to view email address details, and you can't hover over links to see where they lead.

"The pandemic has filled people with fear and uncertainty on the situation, also making people more susceptible to fall for these threats," he says.

Not the Only Ones At Risk
Consumers and small businesses aren't the only populations seeing an uptick in COVID-19-related cybercrime. Google's Threat Analysis Group (TAG) has identified more than a dozen government-backed attack groups using COVID-19 as bait in phishing and malware campaigns.

One campaign targeted personal accounts of US government employees, using American fast-food franchises as phishing lures. Some promised free meals and coupons in response to the pandemic, while others prompted victims to access websites disguised as online ordering platforms. Those who accessed the websites were asked for their Google account credentials. Most of these emails were sent to spam, Google points out, and users were warned of the threat. 

National and international health organizations, as well as the people who work there, are also prime targets. Attackers are capitalizing on these to trick people into downloading malware. Google says it is not seeing an increase in phishing attacks by these government-backed groups – in fact, March brought slightly lower attack numbers – but it is seeing a shift in strategy.

Related Content:

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "5 Ways to Prove Security's Worth in the Age of COVID-19."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Out-of-Date and Unsupported Cloud Workloads Continue as a Common Weakness
Robert Lemos, Contributing Writer,  7/28/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-03
The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 generates insufficiently random numbers, which allows remote attackers to read and modify data in the KeePass database via a WebSocket connection.
PUBLISHED: 2020-08-03
The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 is missing validation for a client-provided parameter, which allows remote attackers to read and modify data in the KeePass database via an A=0 WebSocket connection.
PUBLISHED: 2020-08-03
Active IQ Unified Manager for Linux versions prior to 9.6 ship with the Java Management Extension Remote Method Invocation (JMX RMI) service enabled allowing unauthorized code execution to local users.
PUBLISHED: 2020-08-03
Active IQ Unified Manager for VMware vSphere and Windows versions prior to 9.5 are susceptible to a vulnerability which allows administrative users to cause Denial of Service (DoS).
PUBLISHED: 2020-08-03
A vulnerability in the Fanuc i Series CNC (0i-MD and 0i Mate-MD) could allow an unauthenticated, remote attacker to cause an affected CNC to become inaccessible to other devices. The vulnerability is due to improper design or implementation of the Ethernet communication modules of the CNC. An attack...