COVID-19 Scams Total over $13M in Loss

Since the beginning of the COVID-19 pandemic, we’ve seen a lot of scammers using the pandemic to their advantage. From attacks on the health care industry to phishing campaigns impersonating the CARES Act small business loan program, online scammers are out in full force to exploit our fear and confusion. So it’s not surprising to see the Federal Trade Commission confirm that COVID-19 scams are on the rise.

But what is surprising is that those scams have already resulted in $13.44 million in fraud loss since January. This morning the FTC released updated data relating to COVID-19 scams reported to their agency. Here are a few key points from the new data:

  • Since January, there have been over 18,000 reports made to the FTC about COVID-19 related scams.
  • 46% of scams reported resulted in the victim losing money.
  • The most common form of fraud involves scammers impersonating travel and vacation companies such as airlines and hotels. Online shopping companies are also a large source of fraud. Many report that fake businesses are selling high-demand cleaning and medical products that simply never arrive after you pay for them.
  • A lot of scammers are also pretending to be the government. In many cases, this involves asking the victim to report personal and financial information to receive their stimulus check.
  • Robocalls are back on the rise. Last year, we finally started to see a decline in the number of robocalls. However, those numbers are starting to rise again as scammers use the COVID-19 crisis to commit fraud or illegally gain personal information.

What You Should Do

While we are certainly going through an unprecedented and confusing time, it’s important that you stay alert online for COVID-19 scams. If a person or business calls, texts, or emails you asking for money or personal details, make sure you know exactly who you are talking to. Here are a few tips to stay safe online:

  • If you ever receive a random call claiming to be from the government asking for payment, hang up. The government will never call out of the blue to ask for financial or other personal information.
  • When shopping online, search for reviews of the company first to see if people are actually getting their products.
  • If you get an email from a known company or friend asking for money, look carefully at the email address and the URLs in the email to make sure they are legitimate.
  • If you aren’t sure if something is a scam or not, try googling it or even looking on Twitter. In many cases, scammers will send the same message out to a lot of people, so you may find some helpful stranger warning you not to fall for it.

Above all else, it’s important to practice good digital awareness everywhere online. Be skeptical of what you are seeing and reading. Follow up. Look for others online who can confirm that what you’re seeing is real. Scammers rely on us making snap decisions, so just taking an extra minute to confirm something is real could end up saving you money.

How asking for little can mean a lot — integrating privacy into strategy

There’s been a lot of talk about privacy lately, whether it’s about how social media is tracking and selling your every move online, or video-conferencing privacy breaches, or regulations such as GDPR or CCPA. And now, with COVID-19, there are numerous conversations about the balance between effective mitigation through contact tracing and privacy rights (e.g., is it OK for the government to know my health status and track me if I’m positive?).

For Companies — Privacy Builds Trust and Trust Builds Value.

Conversations about privacy are healthy and important. And as a business, those conversations should start early in your strategic planning. If you do it right, you can build brand value. If you do it wrong, or only do it when pressed by your clients or the press, you have an uphill battle. Just ask Zoom.

Privacy by Design creates the framework for building a brand based on respect

The best thing, therefore, is to get ahead of the curve and institute a concept called Privacy by Design in your systems and operations planning. Privacy by Design is a set of foundational principles originally developed by the former Privacy Commissioner of Ontario, Ann Cavoukian, and has subsequently been incorporated into the E.U.’s privacy regulation, GDPR.

Privacy as the Default is key

A full review of the Privacy by Design principles is beyond the scope of this blog; they can be reviewed here. One of the principles I would like to review is the concept of Privacy as the Default. As the name implies, this principle states that all aspects of the system and operational workflows assume privacy first. For every piece of personal or sensitive information, we first ask why we need it at all. Is it actually crucial to the client’s use of our product or to our ability to serve the client?

If we decide we need the data, we should then seek to limit how much and for how long we need to keep the data.  And we should be transparent with our clients as to why and how their data will be used and disposed of and to whom and under what conditions it may be shared.

Differentiation in a digital age is harder than ever.  Fortunately, you can demonstrate that you respect your clients and improve your brand value by being proactive with regards to privacy.

Zoom is leaning in to privacy and security

Much has been written about the security and privacy issues with the Zoom videoconferencing application.  What may be written more about over the next few months (and in numerous case studies) is how Zoom is responding to those issues.

To begin, the CEO, Eric Yuan, has apologized for Zoom’s prior lack of focus on privacy. Next, his team has stopped all development projects to focus exclusively on security and privacy issues. In addition, he has hired Alex Stamos to be Zoom’s privacy and security advisor and has recruited top Chief Security Officers from around the world to serve on an advisory board.

With a user base which has more than doubled since the beginning of the year, Zoom has benefited greatly from the WFH global environment.  It is incredible that it has been able to sustain its operability during this growth.  But it’s perhaps more impressive that the company, and its CEO in particular, is focusing seriously and aggressively on privacy.  This is particularly notable in an era that is unfortunately also fraught with profiteering, scamming and passing the buck.

Hopefully it is a wake-up call for any company to take its privacy issues seriously and to recognize that by doing so, you are not only securing public trust, you are creating brand value.

In 1982, Tylenol responded to its own crisis, when some of its products were tampered with, leading to poisonings, by pulling every bottle off the shelves and owning the issue. Since then, their response has been a PR crisis case study.

I think Zoom is on its way to becoming a case study as well.

Don’t Keep the Light On

A while back a motel chain used the catch-phrase “We’ll keep the lights on for you.” Unfortunately, many businesses do the same thing when it comes to their systems, leaving access available through what are called open ports. Too many “lights” expand the number of ways a hacker can get into your system. Even a light which should be on can be exposing a vulnerability.

Ports are the channels through which internet communications travel. Each IP address has up to 65,535 ports, and each open port is attached to a service (a program such as a web server, file sharing, or remote access). Obviously, we use the internet to communicate, so you need to have some open ports. The problem is when ports are open to everyone that should be restricted only to those who need them, or when the services behind them are not kept up to date or are improperly configured.

During this time of crisis, bad guys are ramping up to find vulnerabilities because they feel everyone is distracted.  Take the time to double check (or have your team double check) your ports, patch your systems and services as needed.  Run a vulnerability scan and address any findings it discovers.
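One way to do the “double check your ports” step on a Linux host, as an added example that is not part of the original post: the script below parses the output of `ss -tulnp` (a constructed sample is embedded so it runs offline), separates listeners bound only to loopback from those reachable from the network, and reports anything network-facing that is not on an allow-list. The allow-list and the sample services are assumptions for a hypothetical host.

```python
import re

# Constructed sample of `ss -tulnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=901,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1203,fd=6))
tcp   LISTEN 0      80     0.0.0.0:3306        0.0.0.0:*         users:(("mysqld",pid=1350,fd=21))
tcp   LISTEN 0      128    127.0.0.1:6379      0.0.0.0:*         users:(("redis-server",pid=1402,fd=6))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=901,fd=4))
"""

# Assumed policy for this hypothetical host: only these ports are meant to be
# reachable from the network; everything else belongs on loopback or behind a firewall.
ALLOWED_PUBLIC_PORTS = {22, 80, 443}


def parse_ss(output):
    """Turn `ss -tulnp` output into (proto, address, port, process) tuples."""
    listeners = []
    for line in output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")     # "[::]:22" -> "[::]", "22"
        addr = addr.split("%")[0]                 # drop interface suffix like %lo
        match = re.search(r'\("([^"]+)"', line)   # process name from users:(("name",...))
        listeners.append((proto, addr, int(port), match.group(1) if match else "?"))
    return listeners


def is_loopback(addr):
    """True when the socket is only reachable from the host itself."""
    return addr.startswith("127.") or addr == "[::1]"


def exposed_listeners(output, allowed=ALLOWED_PUBLIC_PORTS):
    """Network-facing listeners whose port is not on the allow-list."""
    return [(port, proto, proc) for proto, addr, port, proc in parse_ss(output)
            if not is_loopback(addr) and port not in allowed]


if __name__ == "__main__":
    for port, proto, proc in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"{proto}/{port} ({proc}) listens on all interfaces but is not on the allow-list")
```

On a real host, feed it the output of `ss -tulnp` and treat every line it prints as a “light” to justify, bind to loopback, firewall, or switch off.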

Sometimes, improving your cybersecurity can be as easy as flicking a switch.

CARES Act Phishing Scams Target Small Business

Online scammers continue to use the COVID-19 crisis to their advantage. We have already seen phishing campaigns against the healthcare industry. The newest target? Small businesses. This week, the Small Business Administration Office of the Inspector General (SBA OIG) sent out a letter warning of an increase in phishing scams related to the new CARES Act targeting business owners.

CARES Act Loan Scams

The uptick in phishing scams imitating the SBA is primarily linked to the recent stimulus bill the government passed in response to the ongoing COVID-19 crisis. The bill, called the CARES Act, includes $350 billion in loans for small businesses. Given the current crisis, many businesses are eager to apply for loans, opening the door to new forms of phishing scams.

In addition, the scale and unprecedented nature of the loan program allows phishers to capitalize on the confusion surrounding the loan services. Last year, the SBA gave out a total of $28 billion, but now has to create a system to provide roughly 12 times that amount over the course of a few months. In order to help with the process, Congress allowed the SBA to expand its list of loan vendors. While this may help speed up the process, banks with no prior experience with SBA loan programs will now be distributing funds. Speeding up the loan process will certainly help ease the pain of many small businesses, but it also opens the door to errors, errors that scammers can use for personal gain.

What to Look For

Business owners are already seeing this happen. A small business owner recently applied for a loan under the CARES Act to help keep her business running. Shortly after filing her application, her husband received an email stating they would need to fill out and return a tax statement to complete their application.

The email included the SBA logo and looked legitimate. However, on closer inspection, she realized the account number listed in the email did not match the one she received when applying for the loan, and the email address was not from an SBA email account.

Breathe in, Breathe O-U-T

This business owner was savvy enough to not fall for the scam, but others are likely to be tricked into handing over sensitive information or paying money to online scammers. In order to protect people against phishing campaigns, we recommend what we call the Breathe O-U-T Process:

  1. When you first open an email, take a Breath. That’s enough to get started because it acts as a pattern interrupt in the automatic thinking and clicking that leads to people biting the bait.
  2. Next, Observe the sender. Do you know the sender? Does their email address match who they say they are? Have you communicated with this sender before?
  3. Then, check URLs and attachments. Hover over the links to see if the URL looks legitimate. Be wary of zip files or strange attachments. If you aren’t sure whether a URL is legitimate, go to Google and search for the page there instead.
  4. Finally, take the Time to review the message. Is it relevant? Does it seem too urgent? Does the information match what you already know? How’s the spelling? Be wary of any email which tries too hard to create a sense of urgency. In addition, phishing emails are notorious for poor spelling and grammar. While we don’t all write as well as our fourth grade teacher, be careful when you see a lot of “missteaks”.
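The Observe, URLs and Time checks above, applied by a script to one message, as an added example that is not part of the original post. It parses a constructed sample email modelled on the story above (a lure that claims to be the SBA but is sent from an unrelated domain and links to a lookalike site); the sample addresses, the trusted-domain set and the urgency word list are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed cue lists for the Time check.
URGENT_WORDS = ("immediately", "within 24 hours", "urgent", "suspended", "final notice")

# Constructed sample message (not a real email): the display name claims to be the SBA,
# the sending domain is unrelated, and the visible link text hides a different destination.
SAMPLE_EMAIL = """\
From: "SBA Loan Processing" <loans@sba-relief-example.com>
To: owner@example.com
Subject: Action required: complete your CARES Act application
Content-Type: text/html

<html><body>
<p>Your application is incomplete. Submit the tax statement within 24 hours or it will be suspended.</p>
<p><a href="http://sba-relief-example.com/login">https://www.sba.gov/funding</a></p>
</body></html>
"""


def breathe_out(raw_email, trusted_domains):
    """Run the O-U-T checks on one message; returns (step, finding) pairs."""
    msg = message_from_string(raw_email)
    findings = []
    # Observe: does the sending domain match who the sender claims to be?
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    if sender_domain not in trusted_domains:
        findings.append(("O", f"'{display_name}' sent from untrusted domain {sender_domain}"))
    # URLs: does the link text shown to the reader point where the href really goes?
    body = msg.get_payload()
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        shown = urlparse(text.strip()).hostname if "://" in text else None
        real = urlparse(href).hostname
        if shown and shown != real:
            findings.append(("U", f"link text shows {shown} but goes to {real}"))
    # Time: is the message manufacturing urgency?
    hits = [w for w in URGENT_WORDS if w in body.lower()]
    if hits:
        findings.append(("T", "urgency cues: " + ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for step, finding in breathe_out(SAMPLE_EMAIL, trusted_domains={"sba.gov"}):
        print(f"[{step}] {finding}")
```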

We’re living through strange and confusing times, and there are people out there who will use that to their advantage. Just taking a few extra minutes to make sure an email is legitimate could help save you a lot of extra time, worry, and money — none of which we can spare these days.

If you want to learn more about phishing scams and how to protect yourself, we are now offering the first month of our cyber awareness course entirely free. Just click here to sign up and get started.