Main Image Credit Courtesy of Adobe Stock
As the UK remains in its lockdown phase, the demand for electronic devices to work and engage in social contact is booming. This widens the target population for fraudsters in a substantial way, allowing them to adjust scams which play on people’s deepest fears.
Action Fraud is the UK’s national reporting centre for fraud and cybercrime. As of 20 March, their figures show that coronavirus-related fraud reports have increased fourfold in March compared to February, and that there have been 105 reports of incidents to Action Fraud since the start of February, with losses totalling nearly £1 million. 46 of those reports came between 1–13 March and 38 of them came between 14–18 March. As fraud is a highly underreported crime, these figures probably do not reflect the true scale of the problem.
The National Cyber Security Centre has said that as the coronavirus outbreak intensifies, ‘it is highly likely that the volume of attacks will rise’. It is imperative, therefore, that there is a clear understanding of the most common scams as we approach the peak of the current crisis.
Non-Existent or Faulty Products
One prominent category of coronavirus-related scams concerns the offer of non-existent or faulty products. Action Fraud have said that the majority of reports they have received are related to online shopping scams where people have ordered protective gear that hasn’t arrived. As demand continues to outstrip local supply in goods like masks, gloves and hand sanitiser, people are increasingly turning to the online marketplace to fulfil their needs. Images of empty supermarket shelves and long queues are further accentuating the feeling that survival will require buying from unconventional sources, and in large quantities.
This is fertile ground for scammers who – as reported by the Better Business Bureau’s Scam Tracker – deploy tricks like ‘limited time deals’ which lure people into ordering in bulk goods which are often never delivered. This problem is exacerbated when it comes to goods like coronavirus testing kits which people cannot ‘pay for’ in the usual sense (all testing is done through the NHS). As pressure continues building on governments to increase the rate of daily testing – the UK government has spoken of its desire to hit 25,000 tests a day within four weeks and eventually 250,000 – so will the scope for bogus testing kits sold online. US Customs and Border Protection officers at Los Angeles International Airport have already intercepted a package containing suspected counterfeit coronavirus testing kits arriving from the UK.
But the Americans have their own, home-grown problem of a similar nature. The US Federal Trade Commission (FTC) and Food and Drugs Administration have also issued warning letters to seven companies over scientifically unsupported claims that their products can treat or prevent coronavirus, stating that ‘the sale and promotion of fraudulent coronavirus products [are] a threat to public health’. Interestingly, by 19 March, the FTC said that all seven of those companies had made changes to their advertising to remove unsupported claims, but new scams continue to appear. This encapsulates both the value of having a proactive regulatory infrastructure, and the reality that policing the internet for every type of scam will be impossible.
Preventative measures mostly rely on vigilance at the individual level. This is particularly the case with phishing scams, of which Action Fraud say they have received over 200 coronavirus-themed reports. These consist of emails and text messages which purport to be from reputable organisations like the World Health Organisation or the Centers for Disease Control. Encouraged to access supposedly vital information such as ‘a list of active infections in your area’, the victim needs only to click on a link through which their information can subsequently be stolen, or donate support via a Bitcoin payment to risk the same outcome.
In the UK, one recently publicised example details a scam which directed people to a fake website bearing the HMRC (the UK’s tax agency) logo. This claimed that, as a precaution against coronavirus, the government has established a new tax refund programme for dealing with the outbreak, requiring the sharing of names, addresses, phone numbers and bank card numbers. Other sophisticated examples involve scammers using real information to infect computers with malware – for example, the Johns Hopkins University dashboard of coronavirus infections and deaths was recently displayed on malicious websites which stole sensitive user data once clicked on.
The fraudsters exploit two very explainable societal weaknesses during the current pandemic. The first is people’s desperate need for information and reassurance. In a time of deep uncertainty, emails purporting to offer area-based infection lists strike at the heart of people’s apprehensive thirst for information. The second is the popular anxiety over financial survival. As the government’s economic response to this crisis continues to develop, individuals and businesses will increasingly be flocking to government websites in search of help. The scope for fraud lurks just around the corner.
A Holistic Approach to Digital Vigilance
Stakeholders across society will have their part to play in mitigating these threats. This is necessary to ensure a more holistic approach to digital vigilance which accounts for broader internet-related risks in cyber security and online marketplaces.
The financial services sector and e-commerce companies must be active in identifying and rooting out malpractice. Amazon have said that they have already pulled over 1 million products from their site for inaccurately claiming to defend against coronavirus, and tens of thousands more for ‘price gouging’ (when a seller spikes the prices of goods or services to a level considered unreasonable and exploitative). Price tracking websites are confirming these disparities, with two-pack respirators being advertised at almost 300% higher than average Amazon selling prices.
Businesses who have set up remote working for their employees will need to make sure that they are putting measures in place which ensure good cyber hygiene. There are specific vulnerabilities around working from home compared to the office, particularly concerning avenues for cyber attacks on virtual private networks intended to allow remote file access. CheckPoint, a software company, have reported increased targeting of company executives whose possession of sensitive information is more vulnerable when working on less secure networks.
Finally, as the government prepares its rollouts of grants and loans to alleviate the financial hardship of the current crisis, they will need to make absolutely clear what channels people will have to follow to access help. There will also be plenty of opportunity in Downing Street’s daily public briefings to address the importance of digital vigilance.
As a society, we are just at the beginning of an ordeal which could last several months or more. However, fraudsters are also at the beginning of their own understanding of what makes a successful coronavirus scam, and these methods will be continuously refined and adapted according to political and scientific developments. In what are already extremely testing times, threatening unavoidable hardship on millions around the country, preventing those security risks which are avoidable is a hugely important challenge that must be met.
For more tips and guidance on digital vigilance, see:
- The Scam Directory, ‘Coronavirus Scam’, https://scam.directory/type/misc-delivery-scam/coronavirus-scam/
- FTC, ‘Online Security Tips for Working from Home’, https://www.consumer.ftc.gov/blog/2020/03/online-security-tips-working-home?utm_source=govdelivery
- Lizandra Portal, ‘Fake Coronavirus Tracking Websites Being Used to Steal Data, Scams Popping Up’, 12 News, https://cbs12.com/news/local/fake-coronavirus-tracking-website-being-used-to-steal-data-other-scams-popping-up
- National Cyber Security Centre (NCSC) guidance: https://www.ncsc.gov.uk/guidance/suspicious-email-actions, https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks
The views expressed in this Commentary are the author’s, and do not represent those of RUSI or any other institution.
Organised Crime and Policing