Illustration: Eniola Odetunde/Axios
Criminals are getting busy — and creative — with an onslaught of new frauds preying on people's fears and anxieties about the coronavirus pandemic.
The big picture: Desperate people are finding their unemployment checks and stimulus payments stolen. They're also being bombarded with offers for fake cures, fake work-at-home offers and messages asking for personal financial information.
In perhaps the most widespread scam, criminals are filing fake unemployment claims on behalf of real people who haven't lost their jobs, hitting one state after another.
- The rush to get relief money in people's hands has introduced new vulnerabilities to unemployment systems — state agencies and corporate human-resources departments alike are quick to approve claims without requiring much proof.
- A Nigerian crime ring called "Scattered Canary" may be responsible for a lot of this fraud, which is made more attractive by the extra $600 a week in unemployment benefits Congress enacted.
- Washington state — an early locus of coronavirus in the U.S. — seems to have been hit hardest, with hundreds of millions of dollars in benefits siphoned off, per the Seattle Times.
Where it stands: The Federal Trade Commission says consumers have reported about $50 million in losses to the agency.
- TransUnion, the credit bureau, runs a weekly survey that shows that 29% of consumers say they've been targets of digital fraud related to COVID-19.
"Some of the really pernicious stuff that we were seeing were about people ordering P.P.E.-type materials — face masks, hand sanitizer — and then it never arrives," Monica Vaca of the FTC tells Axios.
"Fraud is big business, and it runs just like every other corporation out there," Will LaSala of OneSpan, which sells antifraud software, tells Axios.
- Misinformation about COVID-19 — plus runs on items like soap and toilet paper — prompted a lot of people to try to buy things on merchant websites that turned out to be fake, or to click on phishing offers.
- Fraudsters dangled lures like "check your $1,200 stimulus pay status" to get people to divulge information via email, phone and text.
- Other scams include fake charity websites, false offers of Small Business Administration loans; sham work-at-home schemes that get people to pay money up front, and calls from a local area code that purport to be from a person's doctor.
Official-looking notices claiming to be from the government might say you've been overpaid in stimulus or unemployment benefits and need to return the money immediately.
- "A lot of times, they’ll say you have to do it right now or you’ll be arrested — and, oh, by the way, put it on an Apple gift card," Paul Stephens of the Privacy Rights Clearinghouse tells Axios.
Then there are W-2 scams, in which a hacker spoofs the email address of a CEO and asks the H.R. department for a list of employees' tax information.
- "When we were working from offices, there were firewalls in place that really blocked a lot of this, but now that we’re working from home, we don’t have those safeguards in place," LaSala says. "That really led to a lot of these attacks."
Who's scammin' whom: While the elderly are frequent victims, more unexpected are millennials (who are at the prime age to be home, online, idle and jittery) and college students, who are nervous about their academic future and tuition status.
- "They pretend that they’re from the school's financial department and they’re giving you choices," Paige Hanson, chief of cyber safety education at NortonLifeLock, tells Axios. "They'll say, 'click on this link to verify your personal information.' It will go to a fake landing page" where criminals collect the information they need to take advantage of the student.
Even if only a tiny percentage of these fraud attempts works, "the payoff is significant," Crane Hassold, senior director of cyber intelligence at the email security firm Agari, tells Axios.
- "Some of these attackers are working 40 hours a week. These attacks are becoming more sophisticated, more realistic."
Experts offered some advice to try to protect yourself:
- "Be suspicious of any unsolicited phone call email or text message you might receive from anyone, unless you initiated the contact with that person," Stephens said. If in doubt, call back to a number you know is legit.
- Talk to someone before taking action. "Tell a friend, tell your sibling or somebody," Hanson said. "Even though you're in that moment and you want to react, they might know about this scam."