How businesses and individuals can be ensnared by coronavirus-related spam

Many people said they would respond to emails claiming to be from the IRS or WHO, according to IBM X-Force.

Cybercriminals have been busy exploiting the coronavirus by creating malicious virus-themed websites, apps, and emails. Phishing emails have been an especially popular tactic. The goal is to trick unsuspecting users into downloading malware by promising them information and help on topics related to COVID-19. Despite warnings cautioning people to be suspicious of such emails, many business users and consumers would still take the bait, according to a report from threat intelligence provider IBM X-Force.

Released on Thursday, IBM X-Force's 2020 Consumer & Small Business COVID-19 Awareness Study found that many people don't understand that certain government agencies, such as the IRS, would never contact them by email. Further, some small business owners are unclear about how to take advantage of US government funds and resources made available as a result of the coronavirus outbreak.

Among the respondents to IBM X-Force's survey, 46% said they'd expect to receive official information related to COVID-19 via email, while a third would expect to receive it through conventional mail. Specifically, 35% said they'd expect to receive communication from the IRS by email, while 33% said they'd expect to receive notices from the World Health Organization by email.

These results fly in the face of warnings from the IRS that it never initiates contact with taxpayers by email, text messages or social media channels to request personal or financial information. Similarly, the WHO has warned people to watch out for fraudulent emails that spoof the organization.

As the coronavirus has spread, people who are naturally concerned about catching the virus want to know about testing options. In response, cybercriminals have been deploying phishing emails that purport to offer testing information. Some 39% of respondents said they'd engage with an email about COVID-19 testing, meaning they would click on a link or file attachment. Those who are employed were more likely than those who are unemployed to say they'd respond to an email about testing.

Businesses and workers have been hurt financially by the coronavirus quarantines, and so the US government has been offering loans to help them stay afloat. As some of this funding would come from the Small Business Administration, IBM X-Force said it has analyzed spam campaigns that impersonate the SBA and promise people government relief funds. Such emails trick recipients into opening a file attachment, which then triggers malware that collects sensitive information and can even take control of a victim's device.

[Image: SBA scam. Credit: IBM X-Force]

Some 58% of small business owners surveyed said they were familiar with the loans being offered by the government, but only 14% feel knowledgeable enough about the process to get access to the program. In the face of the SBA relief scams, more than half (52%) of all respondents and 64% of those recently unemployed said they'd engage with an email related to their stimulus relief eligibility.

To better defend against coronavirus-related scams, IBM X-Force offers the following recommendations:

  1. Use trusted sources. When looking for information, go directly to the website of the organization instead of clicking on links that redirect you there.
  2. Don't open unsolicited attachments. Never open attachments or links from unknown sources.
  3. Be on alert for COVID-19-related scams. Do not engage with unsolicited emails or texts pertaining to small business relief funding, the Paycheck Protection Program, or unemployment funding. These emails will typically try to prompt you to share sensitive information, spoof login pages to steal sensitive account credentials, or lure you into opening malicious attachments.
  4. The IRS will never email you. For security reasons, the IRS will never email or call people. Instead, you'll receive communications from them via snail mail. The institution has been directing people to IRS.gov to address questions.
  5. Watch out for fraud speak. This includes a peculiar use of words, odd spelling (e.g., British English), and typos in emails that spread a sense of urgency or fear.
  6. Update and patch. Nearly 90% of vulnerabilities spammers exploited in 2019 were traced back to known vulnerabilities. It's essential to update your software and make sure your antivirus is always up to date.
  7. Use multifactor authentication (MFA). Use multifactor authentication on anything that enables remote access. For example, if you have MFA on your bank account and someone tries to log in, they can't do so without your authentication.
