Cybercriminals are expanding their efforts to take advantage of business owners and the general public during the COVID-19 pandemic. As of April, 21st the FBI’s Internet Crime Complaint Center (IC3) has received and reviewed more than 3,600 complaints related to COVID-19 scams, and the U.S. Department of Justice is continuing to warn the public to be cautious of digital scams.

Hicham Oudghiri is the co-founder and CEO of Enigma, which is a business-focused data analytics and fraud detection company. He has said, “We’re talking $10 billion to $20 billion of fraud from this SBA program.”

Oudghiri also stated that this number will likely climb as interest in the Paycheck Protection Program (PPP) loans, which are 100% guaranteed by the Small Business Administration (SBA), is expected to soar.

The attackers are using a myriad of tricks to create a wide variety of scams, including look-alike government websites that advertise expedited processing of stimulus package loans, fake vaccines and cures, fraudulent charity drives, and other types of email phishing scams. Some of the illicit websites utilized domain names that contained words such as “COVID-19,” or “coronavirus” to attract visitors. The email phishing campaigns take advantage of the rising concerns over a possible funding shortfall of the Paycheck Protection Program (PPP).

The following is a sampling of the scams reported:

  • A fake website, “SBAloanprogram.com” that used “.com” instead of “.gov” that offered to process PPP loans. The company claimed to represent the SBA and the business owner’s bank and urged the owners to apply for a PPP as soon as possible.
  • An illicit website that offered to expedite the processing of PPP applications for a small fee. PPP loans are approved on a first-come, first-serve basis only
  • A phony website that solicited and collected donations for the American Red Cross for COVID-19 relief efforts.
  • A fraudulent website “coronavirusmedicalkit.com” that claimed to offer World Health Organization (WHO) vaccine kits in exchange for a small shipping charge.
  • Fraudulent websites that spoofed government programs and organizations to trick visitors into providing personally identifiable information (PII) and financial data.
  • Compromised websites of legitimate companies used to facilitate the distribution of malware.
  • Phishing scams using email, text (“SMishing”), social media, and phone calls (“Vishing”) to steal people’s identities to apply for stimulus payments in their names.
  • Email phishing scams targeted at small business owners telling them that they must pay a fee to apply for a PPP loan. There is no application fee to apply for these loans.
  • An email scam that targeted PPP loan recipients. The email appeared to have been sent from the SBA and included the SBA logo. The loan recipient was asked to download, sign, and return SBA documentation. The SBA will not contact borrowers directly to sign or submit any documents. The SBA works directly with the bank.

12 things you can do to prevent becoming a victim of COVID-19 scams:

Do not disclose personal data

  • Never provide personal or financial data (Social Security number, credit card information, banking information, driver’s license number, or personal health information) in response to an unsolicited phone call, email, text message.
  • Exercise caution when handling phone calls, emails, and text messages offering to provide you with information regarding the status of your stimulus payments in exchange for your personal information to verify your identity. Contact your local SBA district office for information on the status of your loan.
  • Be extremely cautious of any request stresses urgency or pressures you to respond immediately to resolve a severe problem about your loan.

Do not pay any fees

  • Ignore anyone offering to expedite or facilitate your loan for a fee. Under the CARES Act, business owners do not have to pay any application fees, package fees, and closing fees.
  • Ignore unsolicited emails offering discounted or expedited processing of Personal Protective Equipment (PPE) orders for an up-front processing fee.

Validate the source

  • Use caution with handling any email that includes COVID-19 in the subject line, attachment, or hyperlink. Remember, a fundamental component of phishing is to make you believe you are being directed one place when instead you are taken somewhere else entirely. One way to determine the validity of a hyperlink or email address is to hover your mouse pointer over the email address or the link.
  • Scammers are adding “CDC” or “government” to their name and are including reputable looking logos on their websites, emails, and printed materials. Some are also impersonating government websites. For example, they are using “cdc.com” or “cdc.org” instead of “cdc.gov.” Legitimate government entities will have websites and emails that end with .gov such as www.sba.gov and home.treasury.gov/.
  • If you receive an email or text message that appears to have come from the SBA, do not click on any links or open any attachments. Instead, contact your bank. The SBA will never proactively contact you regarding a loan.
  • Thoroughly research all business, charity, or individuals requesting fees or donations. Do not send donations in cash, by wire transfer, or gift card.

Software dos and don’ts

  • Install and update anti-malware software on all desktops, laptops, tablets, and mobile phones. According to an article by DataProt, a website focused on providing cybersecurity information, about 20% of laptops and 50% of mobile devices in the US are not protected.
  • Keep your software updated with the latest updates and security patches. Some attackers take advantage of software vulnerabilities when they are announced (zero-day exploits). Update your applications as new versions and security patches become available.
  • Be cautious of unsolicited emails promoting free trials of VPN software, web conferencing, and online collaboration tools. These products may contain malware, unwanted and potentially dangerous viruses, spyware, and other unwanted software.

The COVID-19 pandemic has provided cybercriminals with new opportunities to use phishing and other social engineering techniques to trick you into giving information to someone you believe is a trusted source.

If you think you are a victim of fraud or attempted fraud involving COVID-19, call the National Center for Disaster Fraud Hotline at 1-866-720-5721. Contact the FBI’s Internet Crime Complaint Center to report online fraud activity.

For more some information, please visit cybersecurity.pamten.com or email John Mendes at john.mendes@pamten.com