The authentic-looking email from the World Health Organization isn’t real at all but rather clever spam meant to steal personal information.
Callers claiming to be Medicaid and Medicare representatives are offering so-called free COVID-19 tests — as long as you pay with a credit card for shipping.
And then there’s the Centers for Disease Control and Prevention asking for donations, except it’s not the CDC, but a fake website.
Corporate security and consumer officials say these recent attempts to exploit the pandemic are just the beginning of a tsunami of fraud.
“Two ingredients of a good scam are fear and confusion, and we have both of those right now,” said Adam Gerber, consumer watchdog at U.S. PIRG, a federation of public interest research groups. “So, it’s a playground for people who want to take advantage of others.”
IBM’s corporate security last week discovered a particularly malicious email spam campaign that mimics the World Health Organization. But that’s where it ends. “It is remarkable how threat actors play with the fears and hopes of their potential victims,” IBM’s internal security team said in an alert. “Speaking of prevention drugs and cures in an email that is spoofed to appear directly from the Director of the WHO, in this current situation is expected to be highly successful.”
The company’s alert said victims’ computers are infected and “face the loss of critical personal information. This can have even more damaging consequences once their financial information is stolen and exposed.”
According to an analysis by IBM’s internal security research team, X-Force, the number one country where the coronavirus spam emails are coming from is Vietnam. That’s followed by the United States, China, India and Russia.
The spike from Vietnam followed a fake email campaign over the weekend that asked for contributions to a fake WHO bitcoin wallet.
“Criminals don’t care about geographic borders. When you have an established population that’s good with technology, you are going to have technological criminals as well,” said Charles Henderson, global managing partner for IBM who heads X-Force Red, an autonomous team of veteran hackers in the company’s internal security unit. The group discovers vulnerabilities for IBM clients.
Fake tests and products
Henderson has been monitoring coronavirus-related email spam for IBM’s corporate clients, which include health-care facilities. He said victims have paid scammers for a supposed COVID-19 test and then shown up at real hospitals.
“What they are being told was to pay for your test online and go to this health-care provider,” he said.
He predicted that the next wave of scams and spam would target businesses whose employees are largely working from home and potentially more vulnerable.
The FBI last week warned against phishing emails related to charitable contributions, general financial relief, airline refunds and fake cures, testing kits and vaccines.
“Look out for phishing emails asking you to verify your personal information in order to receive an economic stimulus check from the government,” the FBI said. “While talk of economic stimulus checks has been in the news cycle, government agencies are not sending unsolicited emails seeking your private information in order to send you money.”
In its first enforcement action against COVID-19 fraud, the Justice Department announced Sunday that it filed a civil complaint against the operators of the website “coronavirusmedicalkit.com” for “engaging in a wire fraud scheme seeking to profit from the confusion and widespread fear surrounding COVID19.” The site claimed to offer consumers access to the World Health Organization’s vaccine kits in exchange for a shipping charge of $4.95 paid by credit card. A federal judge issued a temporary restraining order against the registrar of the website to block access to it.
The site, which was still active Sunday, said, “You just need to add water, and the drugs and vaccines are ready to be administered. There are two parts to the kit: One holds pellets containing the chemical machinery that synthesizes the product, and the other holds pellets containing instructions that tell the drug which compound to create. Mix two parts together in a chosen combination, add water, and the treatment is ready.”
Six “recent users” with their photos are listed on the site. CNBC found the same photos with the same names on another site giving away “free” Apple AirPods for just $10 shipping.
The goal in these scams, authorities say, is to get credit card information.
Last month, retail giant Amazon said it had blocked or removed more than 1 million products from its third-party marketplace that made false claims about the coronavirus. And the watchdog for the Department of Health and Human Services on Monday issued a fraud alert for coronavirus scams such as fraudulent testing kits and treatment across the country.
“Scammers are offering COVID-19 tests to Medicare beneficiaries in exchange for personal details, including Medicare information. However, the services are unapproved and illegitimate,” the HHS alert said.
Amanda Carlile, a Dallas family practitioner nurse, said she received two calls last week asking if she had Medicare or Medicaid. The second caller specified that it was for a free COVID-19 test kit.
“I said you are just scamming people and (the caller) just hung up,” Carlile told CNBC. “It’s sad because people are so panicked and frightened. They obviously don’t have free test kits.”
Asked if the mushrooming coronavirus fraud is worse than previous campaigns to steal from the most vulnerable, IBM’s Henderson said, “It’s far more insidious. These are people who have been doing this for years. In most cases, it’s their way of life.”
—CNBC’s Andrea Day contributed to this report.