Cyber actors may send emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to fraudulent charities or causes. Exercise caution in handling any email with a COVID-19-related subject line, attachment, or hyperlink, and be wary of social media pleas, texts, or calls related to COVID-19.
CISA Recommended Precautions
CISA encourages individuals to remain vigilant and take the following precautions:
- Avoid clicking on links in unsolicited emails and be wary of email attachments. See Using Caution with Email Attachments and Avoiding Social Engineering and Phishing Scams for more information.
- Use trusted sources, such as legitimate government websites, for up-to-date, fact-based information about COVID-19.
- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information.
- Verify a charity’s authenticity before making donations. Review the Federal Trade Commission’s page on Charity Scams for more information.
- Review CISA Insights on Risk Management for COVID-19 for more information.
Scam COVID-19 contact text messages
Police are warning of a new texting scam designed to scare you into thinking you’ve come in contact with someone diagnosed with COVID-19. The message reads, “Someone who came in contact with you tested positive or has shown symptoms for COVID-19 & recommends you self-isolate/get tested.” There is a link attached for users to click on for more information – DO NOT click the link! This is not a message from any official agency, but it is a gateway for bad actors to use for their phishing scam to get personal information from you.
COVID-19 Stimulus Scams
The US Congress recently passed a large COVID-19 relief and stimulus package. As with other aspects of the COVID-19 pandemic, fraudsters are exploiting the relief and stimulus to victimize the public. The US Secret Service has observed a rise in stimulus relief fraud over the past several days and expects the fraud attempts to continue throughout the pandemic. Criminal actors are using a variety of means to contact potential victims. In one instance, the criminal actors are using spoofed email addresses posing as US Treasury officials, requesting that the victim provide personal identifying information (PII) so that they can receive their share of the stimulus. (US Treasury)
Scams Related to Economic Stimulus Packages Offered through CARES Act
The Small Business Association has provided information on recent fraud schemes involving the different economic stimulus packages offered through the CARES Act. The SBA has recently posted on SBA.GOV descriptions of the types of schemes used. Please pay particular attention to potential phishing emails claiming that an application was approved, and similar notices.
Grant Related Scams
SBA does not initiate contact on either 7a or Disaster loans or grants. If you are proactively contacted by someone claiming to be from the SBA, suspect fraud.
Loan Related Scams
If you are contacted by someone promising to get approval of an SBA loan but requires any payment up front or offers a high interest bridge loan in the interim, suspect fraud.
SBA limits the fees a broker can charge a borrower to 3% for loans $50,000 or less and 2% for loans $50,000 to $1,000,000 with an additional ¼% on amounts over $1,000,000. Any attempt to charge more than these fees is inappropriate.
If you have a question about getting a SBA disaster loan, call 800-659-2955 or send an email to firstname.lastname@example.org.
If you have questions about other SBA lending products, call SBA’s Answer Desk at 800-827-5722 or send an email to email@example.com.
Phishing Related Schemes
If you are in the process of applying for an SBA loan and receive email correspondence asking for PII, ensure that the referenced application number is consistent with the actual application number.
Look out for phishing attacks/scams utilizing the SBA logo. These may be attempts to obtain your personally identifiable information (PII), to obtain personal banking access, or to install ransomware/malware on your computer.
Any email communication from SBA will come from accounts ending with sba.gov.
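The rule above (legitimate SBA mail comes only from addresses ending in sba.gov) is easy to state but easy to check badly. The following added example, written for this page and not part of the SBA's or the bank's own material, shows how a mail filter or help-desk script can apply that rule to the real address in a From header rather than to the display name, and why a naive "ends with sba.gov" string test is not enough (it would accept notsba.gov). All sample headers are constructed for the demonstration; the expected domain is the one the page states.

```python
"""Screen a From header against an expected agency domain (sba.gov, per the page).

Added illustration; the sample headers below are constructed, not real messages.
"""
from email.utils import parseaddr

EXPECTED_DOMAIN = "sba.gov"


def address_domain(header_value: str) -> str:
    """Return the lowercase domain of the actual address in a From header.

    parseaddr() separates the display name from the address, so
    'Small Business Administration <x@example.com>' yields example.com,
    not the agency name the attacker typed into the display name.
    """
    _display_name, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def is_from_domain(header_value: str, expected: str = EXPECTED_DOMAIN) -> bool:
    """True only if the address domain is `expected` or a subdomain of it.

    Comparing whole labels avoids two classic tricks:
      - 'help@notsba.gov'  passes a bare endswith('sba.gov') test
      - 'sba.gov@gmail.com' puts the agency name in the local part
    """
    domain = address_domain(header_value)
    return domain == expected or domain.endswith("." + expected)


def triage(headers: list[str]) -> dict[str, bool]:
    """Map each From header to whether it satisfies the sender-domain rule."""
    return {h: is_from_domain(h) for h in headers}


# Constructed sample headers covering the legitimate and the lookalike cases.
SAMPLE_HEADERS = [
    "disaster@sba.gov",
    "Disaster Assistance <noreply@mail.sba.gov>",
    "SBA Loans <sba.gov@gmail.com>",
    "help@notsba.gov",
    "help@sba.gov.example.net",
    "Small Business Administration <loans@sba-gov.com>",
    "",
]

if __name__ == "__main__":
    for header, ok in triage(SAMPLE_HEADERS).items():
        print(f"{'OK     ' if ok else 'SUSPECT'}  {header!r}")
```

This is a first screen only: the From header itself can be forged, so a receiving mail server should rely on its SPF, DKIM and DMARC results for sba.gov to decide whether the address is authentic, and treat this check as a way to catch the lookalike-domain and display-name tricks that the page warns about.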
The presence of an SBA logo on a webpage does not guarantee the information is accurate or endorsed by SBA. Please cross-reference any information you receive with information available at www.sba.gov.
If you or a customer are in doubt, please report the activity to the Office of the Inspector General (OIG) hotline at 800-767-0385 or this URL: https://www.sba.gov/about-sba/oversight-advocacy/office-inspector-general/office-inspector-general-hotline
Scammers Pretending to be the FDIC
The Federal Deposit Insurance Corporation (FDIC) has received reports of fraudulent communications that have the appearance of being from this agency. Fraudsters know that people trust the FDIC name, so scammers use the FDIC’s name and logo, and even the names of actual employees, in perpetrating fraudulent schemes. Be aware of this scam facing the FDIC – The FDIC does NOT send unsolicited email or postal mail asking for money or sensitive personal information, and will never threaten you. Read the full FDIC Consumer News article here: https://www.fdic.gov/consumers/consumer/news/march2020.html
FDIC COVID-19 Resource Website
The US Federal Deposit Insurance Corporation (FDIC) has created a resource website for institutions “to consider all reasonable and prudent steps to assist customers in communities affected by the Coronavirus (COVID-19).” The website provides information for banks and customers alike, including “Frequently Asked Questions for those Impacted by COVID-19,” information for use by financial institutions and customers, and more. https://www.fdic.gov/coronavirus/index.html
IRS Scams Surrounding Economic Impact Payment
We urge people to take extra care during this period. The IRS isn’t going to call you asking to verify or provide your financial information so you can get an economic impact payment or your refund faster.
That also applies to surprise emails that appear to be coming from the IRS. Remember, don’t open them or click on attachments or links. Go to IRS.gov for the most up-to-date information.
Taxpayers should watch not only for emails but text messages, websites and social media attempts that request money or personal information.
The IRS reminds retirees – including recipients of Forms SSA-1099 and RRB-1099 – that no one from the agency will be reaching out to them by phone, email, mail or in person asking for any kind of information to complete their economic impact payment, also sometimes referred to as rebates or stimulus payments. The IRS is sending these $1,200 payments automatically to retirees – no additional action or information is needed on their part to receive this.
– IRS Commissioner Chuck Rettig
BayCoast reminds you that the IRS does not contact individuals via phone, email or text. They use the old fashioned United States Post Office.
New Funding for Coronavirus SBA Loans Attracts Scammers
If you are a customer, you may have applied for an SBA Paycheck Protection Program (PPP) or Economic Injury Disaster Loan (EIDL) loan. With hundreds of billions of dollars in new funding recently made available, scammers are attempting to trick you into giving up sensitive business information, such as bank account numbers, employees’ Social Security numbers, and the like.
Here are some reminders regarding this program of what not to do:
- DO NOT pay in advance for information. All the information from the SBA is free at
- DO NOT pay in advance for a government loan. Customers do not have to pay upfront to get an SBA loan.
- DO NOT provide personally identifiable information to someone who calls, emails, or texts you out of the blue. The SBA will not call you unsolicited to ask for information about you or your business, or to ask you to apply for a loan. The SBA is not going to send emails or text messages asking for sensitive information. Please delete such messages; they are a scam.
- DO NOT apply for a loan without verifying the lender – such as BayCoast Bank. Only SBA-authorized lenders can provide PPP loans, and other loans may be available through SBA directly.
- DO NOT click on links or reply to emails or text messages from someone you do not know. Clicking a link could allow malware to be downloaded to your computer or device, leaving it exposed to the scammer or hacker.
Massive Fraud Against State Unemployment Insurance Programs
The United States Secret Service has received reporting of a well-organized Nigerian fraud ring exploiting the COVID-19 crisis to commit large-scale fraud against state unemployment insurance programs. The primary state targeted so far is Washington, while there is also evidence of attacks in North Carolina, Massachusetts, Rhode Island, Oklahoma, Wyoming, and Florida. It is extremely likely every state is vulnerable to this scheme and will be targeted if they have not been already.
In the state of Washington, individuals residing out-of-state are receiving multiple ACH deposits from the State of Washington Unemployment Benefit Program, all in different individuals’ names with no connection to the account holder. A substantial amount of the fraudulent benefits submitted have used personal identifying information (PII) from first responders, government personnel, and school employees. It is assumed the fraud ring behind this possesses a substantial PII database to submit the volume of applications observed thus far.
This fraud network is believed to consist of hundreds, if not thousands, of mules with potential losses in the hundreds of millions of dollars. The banks targeted have been at all levels including local banks, credit unions, and large national banks.
Please communicate the information regarding this fraud to the appropriate office at your local state level and liaise with local financial institutions to identify mules and potential seizures. If you have reports of similar activity now or in the future, please send them to the following email for coordination: firstname.lastname@example.org.
Fraudsters Filing for Unemployment with Stolen Identities
There are recent instances where fraudsters have filed unemployment benefits using stolen identities. If you are a victim of such activity we would like to share some steps to take to protect yourself and also raise awareness:
- Get organized. As you go through this process, keep a file folder or journal with information from the incident and your reports, including any case numbers. Hang onto any notes, copies of emails and other documentation. If you face any identity issues or find inaccuracies on your credit history sometime in the future, you’ll need to reference this paper trail.
- Contact your employer’s human resources department to document the incident.
- Contact the State Employment Security Department (ESD), such as Massachusetts:
or Rhode Island: http://www.dlt.ri.gov
You will likely need the following information handy so they can verify your identity:
- The last four digits of your social security number.
- Your date of birth.
- Your current phone number.
- Information on how you learned a claim was filed on your behalf.
- File an online or non-emergency police report with the law enforcement agency for the jurisdiction you live in: “Some government services and accommodations are available to victims of identity theft that are not available to the general public, such as getting certain public records sealed.”
- Contact the three major credit bureaus: Experian (1-888-397-3742), TransUnion (1-800-680-7289) and Equifax (1-888-766-0008).
- Get free credit reports by visiting annualcreditreport.com or calling 1-877-322-8228. Check your credit activity at least once a year. As a victim of identity theft, you have the right to check it monthly if you choose.
- Tell the credit bureaus a fraudulent unemployment claim was made using your identity. Give them the case number from your police report.
COVID-19 Phishing Campaigns
Threat actors continue to leverage the current COVID-19 threat by using phishing emails (and websites) that promise vital information about protecting your health from the coronavirus. These emails deliver malware such as Agent Tesla, Emotet, GuLoader and the CovidLock ransomware, as well as disinformation, in order to steal passwords and personal information and to conduct espionage operations on behalf of nation-state hackers. CovidLock targets Android devices and charges around $100 in bitcoin to unlock infected devices.
While your employees can be targeted, your customers – especially the elderly—are most susceptible to responding to these attacks.
Institutions should provide security awareness warnings to protect employees and customers from attack. Best practices for preventing them from becoming victims include:
- The best source for information about COVID-19 is the Centers for Disease Control and Prevention (CDC): www.cdc.gov
- Treat emails and websites that purport to provide information or goods related to the ongoing pandemic as dangerous.
- Confirm information with trusted sources like the CDC, World Health Organization and government websites.
- If an employee or customer clicks on a link, report it immediately to the appropriate department or institution.
COVID-19 Scams Abound
Recently the Department of Justice (DOJ) acted against an online fraud website relating to the coronavirus pandemic. The website, “coronavirusmedicalkit.com,” was purporting to give away free vaccine kits manufactured by the World Health Organization (WHO), according to DOJ court documents. Website operators were engaging in a wire fraud scheme. They first asked buyers to input their payment card information on the website to pay a shipping charge of $4.95. Then, they would steal that credit card and personal information to carry out fraudulent purchases and identity theft. The DOJ is continuing to investigate the website.
The State of Security website reported six scams during the week of 16 March alone. The scams included collecting credit card numbers, delivering the Hawkeye infostealer, and extortion emails threatening to release “dirty secrets.” On 20 March, the FBI reported seeing an increase in fraud schemes also attributed to COVID-19. The scams include fake CDC and phishing emails, and counterfeit treatments or equipment.
Exploiting the Coronavirus
Netflix is More Popular than Ever – Especially with Cybercriminals
Long before the COVID-19 pandemic, bad guys were spoofing Netflix emails in an attempt to collect your sensitive information. With more and more people looking for at-home entertainment, Netflix has gained over 15 million new subscribers. Cybercriminals are happily taking advantage of this larger audience!
Netflix themed phishing attacks can vary from phony email alerts accusing you of non-payment to offering you free streaming access during the pandemic. Both of these strategies include a link that takes you to a fake Netflix page designed to gather your information and deliver it to the bad guys.
Use the following tips to stay safe:
- These types of scams aren’t limited to Netflix. Other streaming services like Disney+ and Spotify are also being spoofed. Remember that if something seems too good to be true, it probably is.
- Never click on a link that you weren’t expecting, even if it appears to be from a company or service you recognize.
- When an email asks you to log in to an account or online service, log in to your account through your browser – not by clicking the link in the email. This way, you can ensure you’re logging into the real website and not a phony look-alike.
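The reason for typing the address yourself rather than clicking is that the visible text of an email link and its real destination are independent, and a phishing page can sit behind text that reads netflix.com. The added example below, written for this page and not code from Netflix or the bank, shows what a mail gateway or awareness tool can check automatically: it pulls every link out of an HTML email body, compares the destination host with the brand the email claims to be from, and flags links whose visible text names a different host than the one they actually go to. The email body is constructed for the demonstration; the brand domain is passed in by the caller.

```python
"""Flag email links whose destination does not match the brand they claim.

Added illustration; SAMPLE_EMAIL is a constructed phishing-style body.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lowercase hostname of a URL, or '' if it has none."""
    return (urlparse(url.strip()).hostname or "").lower()


# Visible link text that itself looks like a hostname or URL path.
_LOOKS_LIKE_HOST = re.compile(r"^[A-Za-z0-9.-]+\.[A-Za-z]{2,}(/\S*)?$")


def host_in_text(text: str) -> str:
    """Host named by the visible link text, if the text looks like a URL."""
    if "://" in text:
        return host_of(text)
    if _LOOKS_LIKE_HOST.match(text):
        return host_of("http://" + text)
    return ""


def under_domain(host: str, domain: str) -> bool:
    """Whole-label match: 'help.netflix.com' yes, 'notnetflix.com' no."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html: str, brand_domain: str) -> list:
    """Return (href, text, reasons) for each link that fails a check."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        dest = host_of(href)
        reasons = []
        if not under_domain(dest, brand_domain):
            reasons.append(f"destination {dest or href!r} is not under {brand_domain}")
        shown = host_in_text(text)
        if shown and shown != dest:
            reasons.append(f"text shows {shown} but link goes to {dest}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample: two lookalike links and one legitimate help link.
SAMPLE_EMAIL = """
<p>Your Netflix payment failed.
<a href="http://netflix-billing-update.example.net/login">Update your payment method</a></p>
<p>Or visit <a href="https://account-verify.example.org/nf">https://www.netflix.com/account</a></p>
<p>Help: <a href="https://help.netflix.com/">help.netflix.com</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL, "netflix.com"):
        print(f"SUSPECT {href}  (text: {text!r})")
        for reason in reasons:
            print("   -", reason)
```

The second link is the case the page describes: the text reads as a netflix.com URL while the href points elsewhere, so a user who trusts what they see lands on the look-alike page. The check is deliberately strict about whole labels, so a domain such as notnetflix.com does not pass as a subdomain of the brand.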