COVID-19 Email Exploitation
As with any crisis, the COVID-19 pandemic has seen its fair share of exploitation. These scams run the gamut, from fake testing kits and face mask scams to stimulus payment spoofs. Loan reduction and refinance scams are also seeing an uptick because of the historically low federal interest rates. Scammers are using all types of tactics, including robo-calls, email blasts, and even entire scam websites.
Fortunately, the Federal Trade Commission (FTC) has been fairly proactive in providing up-to-date information on these scams (see https://www.ftc.gov/coronavirus). They have also issued a large number of Coronavirus warning letters to companies using misleading wording or outright lies in their advertisements and website content.
But still, there is no shortage of active scams popping up daily. Below are some of the most common email-based scams to look out for right now, and how to protect yourself from them:
#1 Emails supposedly from the CDC, IRS, or Social Security Administration
If you receive any unsolicited email where the sender claims to be from a government agency, think before you act. These emails should immediately raise a red flag; government agencies will never send emails to solicit private information from you, or threaten withholding benefits or money for non-action. They will send you a letter in the mail for any official notices.
Be on the lookout for the following:
- Emails from the IRS claiming they need more information to send your stimulus check
- SSA emails or calls claiming your Social Security Number is going to be suspended
- Emails claiming to provide testing kits, or a vaccine/cure from the CDC or other government agency
- Messages from the World Health Organization (WHO) with links to official safety measures or guidance
If you receive any suspicious emails (or calls) relating to these scams, NEVER give out personal information like your Social Security Number or banking details over email or phone. Do not download any documents from email links. Instead, go directly to the organization’s website and search for the information there (such as https://cdc.gov).
#2 Fake Charities
If you receive an email supposedly from a charitable organization asking for donations, please be cautious. Usually, a charity will not send unsolicited emails to people who have never donated to their organization. If you do receive an email to a charity you recognize, make sure the sender’s email address is from a domain that actually matches the public website of the charity. Do the same for any links in the email to make sure they are not leading you to a fake website. Better yet, do not click on those links directly. Instead, type their domain directly into your browser and navigate to the donation section yourself.
Here are some tips to help avoid these types of scams:
- Check the charity’s reputation by searching for it online, looking for reviews or scam notices. You can also use tools like the BBB Wise Giving Alliance or Charity Navigator.
- If in doubt, you can ask for an ‘Entity Status Letter’ from the IRS, which will show their organization name and EIN and indicate that they are tax exempt. You can also do an online search for them on the IRS website.
- Use a credit card to make your donation instead of cash or bank wire. This will provide you some protection. Also check your statement to make sure you were not charged more than your donation amount, and they are not charging your card monthly without permission, etc.
#3 eCommerce Scams
As with any emergency, there will always be items in high demand and short supply. I’m not sure who would have predicted it would be toilet paper this time! Taking advantage of people’s fears and anxiety, scammers will offer items like face masks, face shields, sanitation products, etc. through fake eCommerce websites. Here’s how you can protect yourself:
- If you receive an unsolicited email selling one of these high-demand products, be VERY cautious. Most of these will take you to a website that may appear to be legitimate. They may even have a trusted SSL certificate (with the ‘lock’ icon in the browser’s URL bar), but you may never receive your order after payment.
- Check for the reputation of the seller by doing an independent search for their name looking for reviews or notices that they are scamming buyers.
- Never use a service like Zelle or Venmo to pay for these types of online purchases. They do NOT offer any buyer protection and should only be used to pay friends or family. Always use a credit card with fraud protection or a service like PayPal that offers protections.
- Be wary of eCommerce emails coming from personal email addresses (like gmail.com or yahoo.com). Scammers will use these free email addresses while most reputable businesses will send from their public website’s domain.
How to spot email spoofing
When you receive a suspicious email and you’re not quite sure if it’s legitimate, you can perform the following checks:
- Look at the actual sender address. This is NOT the displayed name of the sender, but rather the email address, usually shown in angle brackets. For example, a message sender could show as “John Doe (IRS)” <john.doe@irs.somedomain.ru>. The part in quotes should be disregarded when trying to determine the authenticity of the email. Look at the section in <brackets> for the domain (‘irs.somedomain.ru’). Even though you see ‘IRS’ in the domain, you need to look at the very last part (somedomain.ru) to see where it’s coming from. If the last part (the ‘top-level domain’) is NOT ‘.gov’ but the email is supposedly from a government agency, it’s most likely fraudulent.
- SPF validation: Most larger organizations will define an ‘SPF record’ that lists which servers are allowed to send emails from their domain. You can view the results of SPF checks on many email clients such as Gmail by clicking on the sender’s name at the top of the email. It will then provide the PASS/FAIL result of the SPF check.
- DKIM signature: Some organizations are now also providing a ‘DKIM signature’ on their outgoing emails. This is an electronic signature in the email header (not visible to the reader). It’s used by your email provider to verify that the message actually originated from a computer authorized to send from the sender’s domain. If the signature is valid, then your email provider will be more likely to deliver the email, and may also indicate this result to you, similar to the SPF check.
- Be aware of ‘look-alike’ domains in the email as well. For example, instead of ‘bankofamerica.com’ you may receive an email from ‘bank0famerica.com’ (with a zero instead of the ‘o’). These emails may pass SPF and DKIM validation, and therefore may arrive in your inbox, so you have to read the domain part very carefully.
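The first and last checks above (real sender domain versus display name, and look-alike domains) can be automated. The script below is an added example, not code from the original post or from GlobalCerts; the sample headers, the trusted-domain list, the agency keywords and the homoglyph table are all assumptions constructed for the demonstration.

```python
# Added example, not from the original post: parse a visible From header, recover the
# real sender domain, and flag a non-.gov "agency" sender or a look-alike domain.
from email.utils import parseaddr

# Constructed sample headers for demonstration; the addresses are fictitious.
SAMPLE_HEADERS = [
    '"John Doe (IRS)" <john.doe@irs.somedomain.ru>',
    '"Bank of America" <alerts@bank0famerica.com>',
    'IRS <noreply@irs.gov>',
]
TRUSTED_DOMAINS = {"irs.gov", "cdc.gov", "bankofamerica.com"}  # assumed allow-list

# Digits commonly swapped for look-alike letters (assumed, minimal table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def sender_domain(header):
    """Return the domain of the real address, ignoring the display name."""
    _display, address = parseaddr(header)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def claims_agency(header):
    """True if the display name invokes a government agency (assumed keywords)."""
    display, _address = parseaddr(header)
    return any(k in display.upper() for k in ("IRS", "CDC", "SOCIAL SECURITY"))

def look_alike_of(domain, trusted):
    """Return the trusted domain this one imitates via homoglyphs, or None."""
    folded = domain.translate(HOMOGLYPHS)
    for real in trusted:
        if domain != real and folded == real.translate(HOMOGLYPHS):
            return real
    return None

def assess(header, trusted=TRUSTED_DOMAINS):
    """Return the red flags for one From header (empty list means none found)."""
    domain = sender_domain(header)
    if not domain:
        return ["no parsable sender address"]
    flags = []
    if claims_agency(header) and not domain.endswith(".gov"):
        flags.append(f"claims government agency but TLD is not .gov: {domain}")
    target = look_alike_of(domain, trusted)
    if target:
        flags.append(f"look-alike domain: {domain} resembles {target}")
    return flags

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h, "->", assess(h) or ["no red flags"])
```

A real filter would also run the SPF and DKIM checks described above; this only covers what a reader can verify by eye.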
Another even better marker of the authenticity of an email is an S/MIME digital signature. This is a cryptographic ‘stamp’ applied to the email using an individual’s digital certificate. It confirms that the message is from the identity listed in the certificate. An S/MIME signature is similar to when you connect to an HTTPS website and your browser shows that the connection is ‘trusted’ based on the certificate presented by the website. An S/MIME signature also guarantees that the email body and attachments have not been modified since the time they were signed.
GlobalCerts specializes in S/MIME digital signatures and encryption, which are fast becoming a “MUST-HAVE” for many financial institutions, law firms, and real estate companies. Being able to digitally sign your emails to customers and other business partners is vital to giving them strong confidence in the authenticity and trustworthiness of your email communications.
Scams are everywhere, and it’s unfortunate that people are preying on the public’s fears during these tough times. Thankfully, there are a lot of tools out there to filter out most phishing and scam emails. Using a dedicated spam and virus filter like those provided by GlobalCerts’ technology partner Zerospam goes a long way toward stopping these scams before they even hit your inbox. A good filtering solution will automatically perform the SPF and DKIM checks above. It will also perform a myriad of other content and reputation tests to ensure that you never see the vast majority of these scams. Nevertheless, it’s vital to understand the tactics used so you can spot them when they do show up. Stay safe, and when in doubt, delete the email!