April 20, 2020
The coronavirus outbreak and the disruption, vulnerabilities, and uncertainties it causes have created a perfect storm for fraud. With online purchasing on the rise as consumers stay safe at home, fraudsters see an opportunity to exploit consumer payment information. The impacts of consumer scams extend beyond consumers to the businesses that process their credit card information.
Unfortunately, scams and phishing attempts targeted at individual consumers can be traced to deep rings of organized fraud. These fraud rings often rely on multiple tactics to defraud. Consumer vulnerabilities have a direct connection to the financial damage businesses face. Once consumer data is exploited, through email phishing attempts among others, that information can be used to defraud businesses of goods and revenue.
Phishing scams are increasing during the crisis. Fraudsters use these scams to harvest sensitive data including personal identification information as well as credit card numbers and then sell this data for a profit on the dark web. Once that data is out there, innumerable fraud repercussions can occur.
In a recent advisory, the FBI and Department of Homeland Security (DHS) announced that consumers are being targeted by fraudulent attempts to use the COVID-19 crisis to extract money. As a result, it’s critical that consumers and businesses alike remain alert to these exploitation attempts.
2 Fraud Schemes in Play as Alerted by the FBI and DHS:
The FBI advisory cites Business Email Compromise (BEC) schemes – a type of email fraud that targets large money transfers.
Their report indicates that individuals receive an email that appears to be from a familiar company or a person they may know. In this scenario, the scammer requests that funds be sent to a new account “or otherwise alters standard payment practices,” the FBI said.
In a recent example cited by the FBI, a financial institution received an email purportedly from a CEO who had scheduled a transfer of $1 million. The scammer requested that the transfer date be moved up and the account receiving the funds be changed “due to the Coronavirus outbreak and quarantine processes and precautions,” the FBI said, quoting the fraudulent email.
A devious trick in this scam involves an email address that looks the same as the legitimate email. In the case cited by the FBI, the email address “was almost identical to the CEO’s actual email address with only one letter changed.” Unfortunately, those responsible for the funds can make mistakes by not recognizing the fraud earlier.
Criminals use methods such as the “Fraudulent Third-Party,” where hackers impersonate people within an organization or suppliers and vendors associated with the company, and “Secure IT Support,” where bad actors pretend to be a company’s IT support and send malicious links to employees.
The DHS Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) issued a similar warning this week.
Both CISA and NCSC said they are seeing growing use of COVID-19-related themes by malicious cyber actors targeting individuals, small and medium enterprises, and large organizations.
The FBI pointed to an increase in fraud aimed at municipalities purchasing personal protective equipment “or other supplies needed in the fight against COVID-19.”
In addition, the report cited phishing emails with subject lines including “2020 Coronavirus Updates,” “Coronavirus Updates,” “2019-nCov: New confirmed cases in your City,” and “2019-nCov: Coronavirus outbreak in your city (Emergency).”
You can avoid these scams by looking for red flags, including requests to click on a link, spelling and grammatical errors, and unfamiliar email addresses that appear when you hover over the link with your cursor.
The FBI and CISA also say to be wary of urgent or immediate requests for funds, last-minute changes in wire instructions or recipient account information, and messages that appeal to emotions.
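The one-letter-off sender address and the red flags above can be checked mechanically before a payment request is acted on. The following Python sketch is an added example, not code from the FBI or CISA advisories; the known-sender list, the keyword patterns, and the sample message are constructed assumptions, and it flags any single-character edit (substitution, insertion, or deletion), which is slightly broader than the one-letter change in the FBI's example.

```python
import re

# Constructed allow list of known correspondents (assumption, not from the advisory).
KNOWN_SENDERS = {"jane.doe@example-corp.test", "ap@supplier.test"}

# Hypothetical keyword patterns for two red flags named by the FBI and CISA.
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|moved up)\b", re.I)
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated?|changed?)\b.{0,40}\b(account|wire|routing|bank)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def lookalike_of(sender, known=KNOWN_SENDERS):
    """Return the known address that `sender` imitates, or None."""
    sender = sender.strip().lower()
    if sender in known:
        return None  # exact match: a genuine known sender
    for good in sorted(known):
        if edit_distance(sender, good) == 1:
            return good
    return None

def red_flags(sender, subject, body):
    """List the red flags present in one message."""
    flags = []
    target = lookalike_of(sender)
    if target:
        flags.append("lookalike-sender:" + target)
    text = subject + "\n" + body
    if URGENCY.search(text):
        flags.append("urgency")
    if PAYMENT_CHANGE.search(text):
        flags.append("payment-change")
    return flags

# Constructed sample message modelled on the scenario the FBI describes.
SAMPLE = ("jane.d0e@example-corp.test", "Transfer schedule",
          "The transfer must go out today. Please use the new receiving account.")

if __name__ == "__main__":
    print(red_flags(*SAMPLE))
```

A message that raises any of these flags should be confirmed through a separate, already-known channel before funds move.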
Digital Credit Card Skimming
Digital credit card skimming occurs when malware is injected into a shopping payment page with the goal of stealing credit card information. This is different from older methods where criminals use physical card skimmers hidden within ATM credit card readers.
A recent incident affected the Tupperware site. It was compromised when malicious code was hidden in an image file that activated a fraudulent payment form during the checkout process. Unfortunately, consumers typically have no indication that a site asking them to enter credit card details is unsafe. Criminals then have easy access to all of the credit card information they need. Note that Tupperware responded to the threat.
There are things consumers can do to minimize the risk and practice safe online shopping. For example, avoid entering personal payment information into too many different sites. Instead, try to stick to one or two major portals that already have that data stored in your account profile. In addition, use antivirus software that offers web protection. And, always check bank and credit card statements on a regular basis to identify potential irregular activity.
Merchants are expanding their digital sales capabilities and, as a result, they are monitoring fraud across the entire customer journey. If fraud can be prevented at the root – at consumer protection – then there is less fuel to feed fraud. Businesses and consumers alike share responsibility for protecting essential personal identification data. Vigilance that spans everything from email risk awareness to checkout protections can help close the vulnerabilities that fraud seeks to exploit.