COVID-19 Scams Total over $13M in Loss

Since the beginning of the COVID-19 pandemic, we’ve seen a lot of scammers using the pandemic to their advantage. From attacks on the health care industry, to phishing campaigns impersonating the CARES Act small business loan program, online scammers are out in full force to exploit our fear and confusion. So it’s not surprising to see the Federal Trade Commission confirm that COVID-19 scams are on the rise.

But what is surprising is that those scams have already resulted in $13.44 million in fraud loss since January. This morning the FTC released updated data relating to COVID-19 scams reported to their agency. Here are a few key points from the new data:

  • Since January, there have been over 18,000 reports made to the FTC about COVID-19 related scams.
  • 46% of scams reported resulted in the victim losing money.
  • The most common form of fraud involves scammers impersonating travel and vacation companies such as airlines and hotels. Online shopping companies are also a large source of fraud. Many report that fake businesses are selling high-demand cleaning and medical products that simply never arrive after you pay for them.
  • A lot of scammers are also pretending to be the government. In many cases, this involves asking the victim to report personal and financial information to receive their stimulus check.
  • Robocalls are back on the rise. Last year, we finally started to see a decline in the number of robocalls. However, those numbers are starting to rise again as scammers use the COVID-19 crisis to commit fraud or illegally gain personal information.

What You Should Do

While we are certainly going through an unprecedented and confusing time, it’s important that you stay alert online for COVID-19 scams. If a person or business calls, texts, or emails you asking for money or personal details, make sure you know exactly who you are talking to. Here are a few tips to stay safe online:

  • If you ever receive a random call claiming to be from the government asking for payment, hang up. The government will never call out of the blue to ask for financial or other personal information.
  • When doing online shopping, google reviews of the company first to see if people are getting their products.
  • If you get an email from a known company or friend asking for money, look carefully at the email address and URL in the email to make sure they are legitimate.
  • If you aren’t sure if something is a scam or not, try googling it or even looking on Twitter. In many cases, scammers will send the same message out to a lot of people, so you may find some helpful stranger warning you not to fall for it.

Above all else, it’s important to practice good digital awareness everywhere online. Be skeptical of what you are seeing and reading. Follow up. Look for others online who can confirm what you’re seeing is real. Scammers rely on us making split decisions, so just taking an extra minute to confirm something is real could end up saving you money.

Zoom is leaning in to privacy and security

Much has been written about the security and privacy issues with the Zoom videoconferencing application.  What may be written more about over the next few months (and in numerous case studies) is how Zoom is responding to those issues.

To begin, the CEO, Eric Yuan, has apologized for Zoom’s prior lack of focus on privacy. Next, his team has stopped all development projects to focus exclusively on security and privacy issues. In addition, he has hired Alex Stamos to be Zoom’s privacy and security advisor and has recruited top Chief Security Officers from around the world to serve on an advisory board.

With a user base which has more than doubled since the beginning of the year, Zoom has benefited greatly from the WFH global environment.  It is incredible that it has been able to sustain its operability during this growth.  But it’s perhaps more impressive that the company, and its CEO in particular, is focusing seriously and aggressively on privacy.  This is particularly notable in an era that is unfortunately also fraught with profiteering, scamming and passing the buck.

It hopefully is a wake-up call for any company to take its privacy issues seriously and to recognize that by doing so, you are not only securing public trust, you are creating brand value.

In 1982, Tylenol responded to its own crisis, when some of its products were tampered with, leading to poisonings, by pulling every bottle off the shelves and owning the issue. Since then, its response has been a PR crisis case study.

I think Zoom is on its way to becoming a case study as well.

CARES Act Phishing Scams Target Small Business

Online scammers continue to use the COVID-19 crisis to their advantage. We have already seen phishing campaigns against the healthcare industry. The newest target? Small businesses. This week, the Small Business Administration Office of the Inspector General (SBA OIG) sent out a letter warning of an increase in phishing scams related to the new CARES Act targeting business owners.

CARES Act Loan Scams

The uptick in phishing scams imitating the SBA is primarily linked to the recent stimulus bill the government passed in response to the ongoing COVID-19 crisis. The bill, called the CARES Act, includes $350 billion in loans for small businesses. Given the current crisis, many businesses are eager to apply for loans, opening the door to new forms of phishing scams.

In addition, the scale and unprecedented nature of the loan program allows phishers to capitalize on the confusion surrounding the loan services. Last year, the SBA gave out a total of $28 billion, but now has to create a system to provide roughly 12 times that amount over the course of a few months. In order to help with the process, Congress allowed the SBA to expand its list of loan vendors. While this may help speed up the process, banks with no prior experience with SBA loan programs will now be distributing funds. Speeding up the loan process will certainly help ease the pain of many small businesses, but it also leaves room for errors, errors that scammers can use for personal gain.

What to Look For

Business owners are already seeing this happen. A small business owner recently applied for a loan under the CARES Act to help keep her business running. Shortly after filing her application, her husband received an email stating they would need to fill out and return a tax statement to complete their application.

The email included the SBA logo and looked legitimate. However, on closer inspection, she realized the account number listed in the email did not match the one she received when applying for the loan, and the email address was not from an SBA email account.

Breathe in, Breathe O-U-T

This business owner was savvy enough to not fall for the scam, but others are likely to be tricked into handing over sensitive information or paying money to online scammers. In order to protect people against phishing campaigns, we recommend what we call the Breathe O-U-T Process:

  1. When you first open an email, take a Breath. That’s enough to get started because it acts as a pattern interrupt in automatic thinking and clicking (which is what leads to people biting the bait).
  2. Next, Observe the sender. Do you know the sender? Does their email address match who they say they are? Have you communicated with this sender before?
  3. Then, check URLs and attachments. Hover over the links to see if the URL looks legitimate. Be wary of zip files or strange attachments. If you aren’t sure if a URL is legitimate or not, just go to Google and search for the page there instead.
  4. Finally, take the Time to review the message. Is it relevant? Does it seem too urgent? Does the information match what you already know? How’s the spelling? Be wary of any email which tries too hard to create a sense of urgency. In addition, phishing emails are notorious for poor spelling and grammar. While we don’t all write as well as our fourth grade teacher, be careful when you see a lot of “missteaks”.
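The Observe, URLs and Time checks above can be partly automated. The following helper is an added example, not code from the original post: it runs those three checks over a raw email and flags a sender domain that does not match the claimed organisation, link text whose visible URL hides a different destination (the mismatch the business owner in the SBA story noticed by hand), and urgency language. The sample message, the `example.org` / `example.net` domains and the `URGENCY_WORDS` list are all constructed assumptions for illustration.

```python
# Added example (not from the original post): applies the Observe / URLs / Time
# checks of the Breathe O-U-T process to one raw email. The sample message and
# every domain in it are constructed (reserved example domains), not real senders.
import email
import re
from email import policy
from html.parser import HTMLParser

# Assumed phrases that manufacture urgency; extend to taste.
URGENCY_WORDS = ("immediately", "within 24 hours", "urgent", "final notice", "suspended")

class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _domain(addr_or_url):
    # Domain of an email address or URL, lower-cased; '' if none is present.
    m = re.search(r"@([\w.-]+)|://([\w.-]+)", addr_or_url)
    return (m.group(1) or m.group(2)).lower() if m else ""

def triage(raw, expected_domain):
    """Return O-U-T findings for a raw message claimed to come from expected_domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # Observe: does the sender's address match who they say they are?
    sender = _domain(str(msg["From"]))
    if sender != expected_domain:
        findings.append(f"sender domain {sender!r} is not {expected_domain!r}")
    # URLs: the hover check, automated. Does visible link text hide another destination?
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    p = _LinkParser()
    p.feed(body)
    for href, text in p.links:
        if _domain(text) and _domain(text) != _domain(href):
            findings.append(f"link text {text!r} hides destination {href!r}")
        elif _domain(href) != expected_domain:
            findings.append(f"link to unexpected domain {_domain(href)!r}")
    # Time: is the message manufacturing urgency?
    hits = [w for w in URGENCY_WORDS if w in body.lower()]
    if hits:
        findings.append(f"urgency language: {hits}")
    return findings

# Constructed sample modelled on the SBA-lookalike email described above.
SAMPLE = """From: SBA Loan Desk <loans@example.net>
Subject: Action required on your application
Content-Type: text/html

<p>Return your tax statement <b>within 24 hours</b> or your application is suspended.</p>
<p><a href="https://example.net/form">https://example.org/form</a></p>
"""
```

Calling `triage(SAMPLE, "example.org")` returns three findings: the sender domain, the hidden link destination, and the urgency phrases.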

We’re living through strange and confusing times, and there are people out there who will use that to their advantage. Just taking a few extra minutes to make sure an email is legitimate could help save you a lot of extra time, worry, and money — none of which we can spare these days.

If you want to learn more about phishing scams and how to protect yourself, we are now offering the first month of our cyber awareness course entirely free. Just click here to sign up and get started.

Zoom’s Boom Raises Confidentiality Concerns

With stay-at-home orders in place across the globe, online video communication services have seen a skyrocket in use. In particular, the video platform Zoom is on a tear. The company’s shares are on the rise, and its mobile app is currently #1 in the Apple app store. Families and friends use it to connect, and entire school systems rely on it to continue classes online. But with the increased use comes increased scrutiny.

According to the New York Times, the New York Attorney General is now looking into Zoom’s security practices. The letter, sent from the state’s Attorney General’s office, expresses concern “that Zoom’s existing security practices might not be sufficient to adapt to the recent and sudden surge in both the volume and sensitivity of data being passed through its network.” Zoom’s privacy issues have also been noted by Consumer Reports, Forbes and Doc Searls.

Zoom for Telehealth and Legal Counsel

Worries about Zoom’s privacy standards are of particular concern for industries that require confidentiality, such as medicine, therapy, and legal counsel.

Telehealth services have quickly become commonplace as more and more people are staying at home. The company does provide a HIPAA-compliant version of their services. However, the recent compliance waiver for telehealth allows health care providers to opt for the far cheaper but less secure version of the software. Now, many insurers are allowing health care providers to bill for telehealth visits. This has opened up the floodgates for patients to meet with doctors and therapists over Zoom.

Given the concerns over Zoom’s privacy practices, it is an open question whether doctor-patient confidentiality and attorney-client privilege can be properly guaranteed. For example, Zoom boasts the use of end-to-end encryption, but recent reports show this is not entirely accurate. While Zoom does use end-to-end encryption in certain settings, video meetings use another form of encryption that does not restrict the company’s ability to access those communications.

And, of course, Zoom alone can’t stop the trolls from invading your Zoom meetings, especially those you’ve shared publicly. Even the FBI is warning about Zoom bombing. There are ways to limit that, though, by being prudent with your Zoom settings.

Zoom Responds, but is it Enough?

In response to mounting concerns, Zoom updated their privacy policy over the weekend, stating that customer content will not be used for advertising and that videos are only retained if users request it. This update is important and it is good to know that the brand of wine we are toasting each other with during our Zoom happy hours won’t be sold to a digital marketer. However, in a blog post about the changes, Zoom’s chief legal officer, Aparna Bawa, said that the new policy only clarifies what information they collect, and does not change the company’s practices. Zoom also removed code from their platform that sent data analytics to Facebook, after reports surfaced last week.

Despite these minor changes, it may not be enough to protect user privacy and guarantee confidentiality for industries that require it. Zoom is, indeed, booming and it’s hard to see it receding dramatically in a post-Covid world. Let’s hope it takes all the reasonable steps it should to respect privacy along its ride.

Hacks Against Healthcare Industry on the Rise

Hackers are continuing to use the coronavirus crisis for personal profit. We recently wrote about the increase in malicious sites and phishing campaigns impersonating the World Health Organization and other healthcare companies. But now hackers appear to be turning their sights to the healthcare sector itself. Here are two notable cases from the past few weeks.

WHO Malware Attempt

Earlier this week, the World Health Organization confirmed hackers attempted to steal credentials from their employees. On March 13th a group of hackers launched a malicious site imitating the WHO’s internal email system. Luckily, the attempted attack was caught early and did not succeed in gaining access to the WHO’s systems. However, this is just one of many attempts being made to hack into the WHO. The chief information security officer for the organization, Flavio Aggio, told Reuters that hacking attempts and impersonations have doubled since the coronavirus outbreak.

Similar attempted hacks against other healthcare organizations are popping up every day. Costin Raiu, head of global research and analysis at Kaspersky, told Reuters that “any information about cures or tests or vaccines relating to coronavirus would be priceless and the priority of any intelligence organization of an affected country.”

Ransomware Attack Against HMR

Unlike the attack on the WHO, a recent ransomware attack was successful in stealing information from a UK-based medical company, Hammersmith Medicines Research (HMR). The company, which performs clinical trials of tests and vaccines, discovered an attack in progress on March 14th. While they were successful in restoring their systems, a ransomware group called Maze took responsibility. On March 21st, Maze dumped the medical information of thousands of previous patients and threatened to release more documents unless HMR paid a ransom. HMR has not disclosed how the attack occurred, but has stated that it will not pay the ransom.

Four days after the initial attack, Maze released a statement saying they would not target medical organizations during the coronavirus pandemic. Yet, this did not stop them from publicizing the stolen medical information a week later. After the attack gained publicity, Maze changed their tune. The group removed all of the stolen files from their website, but blamed the healthcare industry for its lack of security procedures: “We want to show that the system is unreliable. The cyber security is weak. The people who should care about the security of information are unreliable. We want to show that nobody cares about the users,” Maze said.

Times of crisis and confusion are a hacker’s delight. The staggering increase in hacks against the healthcare industry only helps prove that. The key to mitigating these threats is to ensure that security configurations are set to industry best practices, continuously scan your networks, lock down or close open ports, secure or (preferably) remove Remote Desktop Protocol, and require multi-factor authentication for any remote access. And certainly, make sure you are testing your incident response plan.

Coronavirus and the Right to Privacy

The coronavirus has unquestionably changed the way we live. It has also forced us into strange and, until just a few weeks ago, unthinkable ethical dilemmas. Even whether to visit loved ones is now a question worth genuine ethical reflection. Modern nations, especially in the West, are built on an ethics of individual freedoms and the right to privacy. However, the current global health crisis is forcing us to rethink just how fundamental those ethics should be. While we already feel this with regard to the freedom of movement, we are just beginning to contemplate how the coronavirus can and should affect our right to privacy.

Contact Tracing and Enforced Quarantine

In order to limit the spread of the coronavirus, experts emphasize the importance of tracking every contact infected patients have had with others. Countries such as China, Singapore, South Korea, and Taiwan have all taken aggressive measures to trace all potential contacts infected people have had. These measures are widely considered to be a large reason why these countries have been successful in lowering the rate of transmission. However, the aggressive measures taken have come at the cost of individual privacy.

Taiwan and Singapore, for example, regularly post detailed information about everyone who tests positive, including where they live and work, what train stations they have used, and what bars and restaurants they frequent. South Korea now has an app that allows users to track the exact movements of those infected.

Countries are also using location data to enforce quarantine for those infected. Israel, for example, is now using data collection techniques previously used for counterterrorism efforts to identify anyone potentially exposed to the virus. The government uses this information to send text messages to those exposed ordering them to quarantine.

The European and U.S. Response

As the coronavirus spreads to Europe and the U.S., lawmakers are exploring the use of similar techniques. Italy now uses location data to monitor whether people are obeying quarantine orders. In the U.S., the White House is reportedly in conversations with tech companies to use anonymized location data to track the spread of the virus. HIPAA regulations are being waived to allow doctors and mental health providers to more freely use telecommunication to speak with patients. Companies in Italy, Austria, and Germany have also announced that they will provide location data to governments.

However, with privacy regulations such as the GDPR, it is unclear how aggressively European countries will be able to use personal information. The European Data Protection Board (EDPB) released a statement urging governments to continue to abide by privacy regulations in place. At the same time, however, the EDPB conceded that countries may suspend such regulations “when processing is necessary for reasons of substantial public interest in the area of public health.”

Relaxing the right to privacy has garnered mixed responses from government officials and security experts. Many have pointed out that while the measures taken are extreme, personal information such as location data is highly effective in limiting the spread of the coronavirus. “We are stretched very thin in most states,” said the director of the Center for Global Health at Oregon State University, “so this kind of technology can help every state to prioritize, given their limited resources, which communities, which areas, need more aggressive tracking and testing.”

Others are concerned how this could endanger those whose information is made public. In South Korea, some have used information released by the government to identify infected individuals and attack them online. This has led officials to question how the government uses this information, worrying it will discourage others from getting tested for fear of being publicly exposed.

While nearly all countries have explained that suspending the right to privacy is a temporary measure for the benefit of public health, many worry it will have a permanent effect on how governments and countries view privacy concerns. After 9/11, for example, the U.S. used highly invasive surveillance measures that have since become commonplace among law enforcement agencies. According to the New York Times, privacy experts worry something similar could happen after the current crisis.

What restrictions we, as a society, can tolerate, and what effect this will have after the current crisis, remains an open question. However, it may also involve a false choice. There are technologies that both assist contact tracing and preserve anonymity. Privacy by Design does not have to be put on pause as we develop these tools. In fact, if we want to encourage wide adoption, it might be required.