UK scammers' tricks to watch out for during the pandemic
How to outsmart the scammers
From video calls and social media to online shopping and banking, the coronavirus pandemic has made the online world even more vital to everyday life. But that also means we have to be more vigilant online, as scammers looking to steal our personal information and money adapt their techniques to the COVID-19 crisis. In fact, as much as £2 million has already been lost to coronavirus-related scams in the UK since the start of the pandemic, according to Action Fraud. We've talked to experts on scams and cybersecurity, so read on to find out more about the tell-tale signs to look out for and how to keep yourself safe.
The scam: phishing
Phishing is one of the oldest online scams in the book, where a fraudster impersonates a legitimate company, or more recently organisations such as the WHO or a country's government, via email. The message might ask the recipient to correct a mistake in their login details, or to open an attachment or link for advice on the pandemic or the latest statistics on the COVID-19 outbreak. However, they will instead be directed to a bogus page that allows attackers to steal their personal information. And Britons are most at risk, with 20.8% of all coronavirus-related spam being sent to UK email addresses, meaning that the UK is the most targeted nation for fake pandemic emails, according to research by Trend Micro.
How to spot it
According to Robert Pritchard, founder of consultancy firm The Cyber Security Expert, these scams can be difficult to spot. “Some are super obvious because they’re really poorly spelt and don’t make any sense. Yet others are perfect. There’s no consistent thing to look for.” But there is one thing they all have in common: a sense of urgency. “These emails always use hooks, wanting you to make a decision quickly or get you worried about something,” Robert adds. The pictured "all staff" email with advice on the pandemic looks like it could be from a genuine address – ending careyn.nl – but the poor use of grammar and spelling (highlighted in red) reveals that it's in fact bogus. The link "SURVEY/SEMINAR" will take you to a page that asks you to enter personal information, details the scammers plan to steal.
What to do about it
So you’ve received an email that you think may be a scam – what now? Deborah Vickers of financial website MoneyGuru says: “Don’t provide any sensitive data to anybody.” If you’re not sure if an email or a phone call is legitimate, verify it. And it's not just through emails that they can catch you with dodgy links: UK resident Doug Varey was tricked out of £4,000 after he clicked on a pop-up advert for computer security protection. It offered 12 years' worth of protection at £556, after which the so-called security firm called him up saying someone was trying to take his data, advising him to pay the £4,000 to end the issue. The fraud case was investigated by the British and Indian Police along with Microsoft, who managed to shut down the criminal operation in Kolkata following a four-year investigation.
The scam: pharming
It sounds a little like phishing, and that’s because it is. But pharming is a little more sophisticated, meaning it can be harder to spot. Essentially, it’s where a legitimate website, often an online banking or e-commerce site, is manipulated to direct you to a fake site. The bogus site either installs malware on your computer or harvests (‘pharms’) your personal data. And it is important to be more vigilant than ever: more than 3,600 new domain names containing the word "coronavirus" have been created since the outbreak according to FraudWatch International, many of which are used for phishing and pharming.
How to spot it
Unfortunately, with pharming there aren’t many clear-cut signs. Check the URL of the site you want to visit, to make sure it’s spelt correctly, and ensure it’s prefixed by ‘https’ – the ‘s’ stands for ‘secure’. Pictured is a scam text sent in by one of our loveMONEY readers supposedly from the Royal Bank of Scotland, but if you look carefully the 's' is missing from 'https' in the link.
What to do about it
So if the email has come from an unknown sender, don’t click on any links. A good example is the pictured email which is supposedly from supermarket Tesco. However, the sender's email reads rtfritz@ptd.net and it is addressed to a generic 'Customer'. Robert Pritchard says: “If you’re unsure if an email is legitimate, and it’s nothing at all to do with you, then just delete it. Go with your web browser the way you log in normally, which you trust, so you know you’re not being lured to a fake site."
The scam: UK government coronavirus scams
Scammers have seized the opportunity to take advantage of people during the coronavirus pandemic, with a number of scams doing the rounds. One email scam, pictured, claims to be the UK government and tells people they can claim a tax refund to protect themselves during the pandemic. Another is a text scam which tricks people into thinking they have broken lockdown rules and asks for a "goodwill payment". Both of these scams lead to fake websites controlled by scammers.
How to spot it
Text scams are a little harder to spot than those done via email as SMS are short in nature, minimising the chance of spelling or grammar errors, and it is common to see URL-shorteners for the same reason. That said, bad grammar and spelling are still things to look out for in suspect text messages, as are links that don't match the company or institution's name. HMRC will never ask for any personal or financial information over text, so that's one big clue.
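The link checks described here and in the pharming section (missing 'https', URL shorteners, a link that doesn't match the organisation's name) can be automated. The following is an added example, not part of the original article; the shortener list is an assumed short sample and refund-claims.example is a constructed placeholder host.

```python
from urllib.parse import urlsplit

# Assumed, non-exhaustive list of URL-shortener hosts.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def check_link(url: str, expected_domain: str) -> list:
    """Return the warning signs found in a link that claims to belong
    to expected_domain (e.g. 'gov.uk'). An empty list means none fired."""
    url = url.strip()
    # Links in texts often omit the scheme; "//" lets urlsplit find the host.
    parts = urlsplit(url if "://" in url else "//" + url)
    # .hostname drops any "user@" prefix and port, so a link such as
    # https://gov.uk@other.example/ is judged by its real host.
    host = (parts.hostname or "").lower()
    expected = expected_domain.lower()

    signs = []
    if parts.scheme != "https":
        signs.append("not-https")
    if host in SHORTENERS:
        signs.append("shortened")        # real destination is hidden
    elif host != expected and not host.endswith("." + expected):
        signs.append("domain-mismatch")  # name may appear, but not as the site
    return signs


# Constructed sample links, as they might appear in a text or email.
SAMPLES = [
    "https://www.gov.uk/coronavirus",
    "http://www.gov.uk/coronavirus",
    "https://gov.uk.refund-claims.example/tax",
    "https://gov.uk@refund-claims.example/",
    "bit.ly/abc123",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{link:45} {check_link(link, 'gov.uk') or 'no signs'}")
```

An empty result only means none of these three signs fired: 'https' shows that the connection is encrypted, not who runs the site.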
What to do about it
If you receive an unsolicited text, the government advises people not to reply, click on any links or call the telephone number provided. If you have had contact from the company or HMRC before, reach out to them independently through the means that you have previously had contact, so that you can be sure you're not interacting with a fraudster. HMRC advises that people send any phishing text messages to 60599 and any emails to phishing@hmrc.gov.uk. You can also report scams to Action Fraud.
The scam: Trojans in apps
As lockdown has made us more reliant on technology for communication and entertainment, it is important to be aware of the threat of fake apps. In the same way that not all websites are what they say they are, sometimes fraudsters create fake versions of legitimate apps to take your money and data. They do this through ‘trojans’, malicious software hidden in apps, which infect your phone and stay active in its memory, performing background tasks like opening fraudulent webpages without your knowledge.
How to spot it
According to Robert, your susceptibility to trojans probably depends on what type of phone you have. “If you’re using an iPhone, you’ll probably be safe, but on the Android store there’s a bit more malicious software.” Certain apps might be more likely to hide trojans too: “Be cautious about downloading free games, especially if you’ve seen something online saying 'Play this game!' The apps which activate your torch on an Android phone can have malicious software too”.
What to do about it
There are two key things you need to do. Firstly, Robert says, “only download the apps you really need”. So free games, photo-editing software or horoscope apps might be worth binning unless they really seem legit. Secondly, Robert stresses the importance of downloading from a reputable provider. Checking the number of downloads or ratings an app has had can be one way of doing this.
The scam: bank transfer scams
Bank transfer scams are on the rise, with the amount of money stolen from UK bank accounts by criminals having increased by 40% in the past year, according to banking body UK Finance data released in September 2019. That translates to as much as £1 million lost every day. Most of this money was lost through authorising payments to accounts controlled by criminals, known as authorised push payment fraud, which often involves scammers hacking into a victim's email account and then accessing bank details through means such as the telephone. HSBC identified 17,000 fake calls of this nature in 2019 – double that of 2018 – and has started to collect a library of scammers' voice prints. The bank blames a "significant number of high profile third-party data breaches, phishing emails and scam text messages that have taken place over the last couple of years".
How to spot it
But bank transfer scams are getting more sophisticated, says Brian Higgins, security specialist at Comparitech.com. “It’s very easy these days because there’s so much intellectual property available online. Scammers can just take logos, letterheads, letter footers off the internet and create a letter or email that looks legitimate. The places you need to look aren’t in the content, it’s everywhere else – it’s in the email header, it’s in the email addresses that people use,” says Brian. Often, scammers will monitor your emails before creating an email address that’s almost exactly the same as one you’ve corresponded to in the past – perhaps they’ll change an “o” to a zero, for example. The changes will often be very subtle.
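The near-identical sender address described above (an "o" swapped for a zero) can be caught by comparing each incoming address with the ones you have really corresponded with. The following is an added example, not part of the original article; the contact addresses are constructed samples and the list of look-alike characters is an assumed, non-exhaustive one.

```python
# Constructed sample contacts on the reserved .example domain.
KNOWN_CONTACTS = {
    "accounts@moore-conveyancing.example",
    "helpdesk@northbank.example",
}

# Look-alike characters folded to one form (assumed, non-exhaustive).
FOLD = str.maketrans({"0": "o", "1": "l", "5": "s"})


def skeleton(address: str) -> str:
    """Lower-case the address and fold look-alike characters together."""
    return address.strip().lower().translate(FOLD).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, known=KNOWN_CONTACTS):
    """Return ('known' | 'lookalike' | 'unknown', matched contact or None)."""
    addr = address.strip().lower()
    if addr in known:
        return ("known", addr)
    for contact in sorted(known):
        same_shape = skeleton(addr) == skeleton(contact)  # e.g. 0 for o
        near_miss = edit_distance(addr, contact) <= 1     # one character off
        if same_shape or near_miss:
            return ("lookalike", contact)
    return ("unknown", None)


if __name__ == "__main__":
    for sender in [
        "accounts@moore-conveyancing.example",   # genuine
        "accounts@m0ore-conveyancing.example",   # zero for "o"
        "accounts@rnoore-conveyancing.example",  # "rn" for "m"
        "helpdesk@north-bank.example",           # one added character
        "newsletter@gardenclub.example",         # simply unfamiliar
    ]:
        print(f"{sender:40} {classify_sender(sender)}")
```

A "lookalike" result is the case to act on: the address is not one you know, yet it sits within a character or two of one you do.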
What to do about it
Let’s say you get an email, which you think is from your bank, saying that your account details have changed. What should you do about it? “If there is any change of details, especially if you’re dealing with large sums of money, phone up your bank and ask them”, says Brian. “Just because the internet is there, doesn’t mean you have to use it for everything. Alternatively, go into a branch of your bank”. Likewise, if your bank calls you, don't provide any personal information, but contact them the way you normally do, even if that means hanging up and ringing your bank again.
The scam: social media scams
Facebook has more than two billion global users and Instagram has more than a billion. With so many of us using social media every day, especially during the coronavirus pandemic, it’s become an easy target for scammers. One common Facebook scam looks like this: a friend sends you a message with a link in it, saying, "Is this you?" If you click the link, it’ll direct you to a fake Facebook login page, which is actually run by fraudsters wanting to steal your data. There are also plenty of bogus Instagram accounts promising money in return for following or clicking on a link to a malicious site.
How to spot it
Deborah Vickers says: “If you’re thinking it’s too good to be true, it probably is. In terms of Facebook or Instagram impersonation scams, the hijacker is pretending to be that person.” In a particularly sinister scam in June 2019, scammers set up fraudulent accounts claiming to send aid to Sudan, such as “Sudan Meal Project” (pictured). They then would try to build up a following in order to cash in on advertising and sponsorship. As many people have been fundraising for the NHS and charities such as The Trussell Trust during the pandemic, be careful about what accounts you follow on social media and whether they are legitimate fundraising initiatives.
What to do about it
“With emails you can check the email address, but with social media, scams can even come from people you are friends with,” says Deborah. If you receive a suspicious message from a friend, let them know that you think their account may have been hacked, and delete the message. If it’s too late and you’ve already clicked on the link, report the scammers to the social media site and change your login details.
The scam: online dating websites
Fraudsters have no qualms about playing with your heart to get hold of your money, and sadly rather than falling in love many people have fallen for scams when using dating websites. In fact, romance scams are on the rise and in the first half of 2019 £7.9 million was lost to online dating scams according to UK Finance. A survey by the body also found that 27% of respondents had been "catfished", i.e. tricked by a fake persona, in the last 12 months, and that 21% had been asked to send money or had sent money to someone they were speaking to online.
How to spot it
It can be hard to spot a dating scammer online, especially as fraudsters often research you and spend time working out the right things to say. However, there are a few things to be aware of. Unlike real daters, scammers typically won't ever want to meet up and will want to hide behind the fake persona they have created. The FBI states that fake profiles often say that they are in the construction industry and working on projects outside of the country to explain why they can't meet in person – and this also gives them a good story as to why they need your financial help. However, due to the pandemic scammers have a legitimate excuse not to meet up in person, making this scam even more difficult to spot, especially as some scammers will engage in phone calls to create a stronger connection and make the relationship seem real. Others may ask for inappropriate photos to blackmail you later down the line.
What to do about it
If you have suspicions about someone you are speaking to, search their name and reverse image search their profile picture on the Internet to check if the results seem legitimate (pictured). To prove that someone is genuine you are looking not just for a Facebook profile that a scammer could have easily set up, but for an established presence that would be hard to fake. Also, ask lots of questions when you talk to them. You should never send money to someone you don't know personally, but if you already have and suspect it's a scam, contact the authorities, such as the UK's Action Fraud reporting centre.
The scam: ransomware attacks
Ransomware is every bit as scary as it sounds. Essentially, in a ransomware attack, hackers will use malicious software to get into your device. Then they’ll encrypt your data, turning it into code, which will block your access to your computer. In order for you to get back in, hackers will ask you to pay a ransom, often in the form of cryptocurrency. A link will show up telling you to pay a certain amount in bitcoin, and showing you where to get that bitcoin.
How to spot it
Like many other types of cybercrime, ransomware attacks are becoming more targeted and harder to spot. “Back in the day criminals just used to fire off an email to as many people as possible,” says Brian Higgins. “It’s a lot more sophisticated now, because there’s so much information about people online, on sites like LinkedIn and Facebook. If a cybercriminal gang decided that a particular business had a lot of money, rather than sending out 100,000 speculative emails, they would pick a person in that organisation and look them up online before launching a ransomware attack.”
What to do about it
Prevention is key in the case of these types of attacks. “The main piece of advice is to make sure your data is backed up, away from your main network, so if you are subject to a ransomware attack and your main network stops working, you can go back to your back-up,” says Brian. You can back up your device either through an external drive, using an internet service which you may have to pay a monthly fee for, or just use cloud storage such as Dropbox, Google Drive or Microsoft OneDrive.
The scam: Cryptojacking
Crypto-what? It’s a bit of a mouthful, but cryptojacking is basically when cybercriminals download software onto your device to secretly mine cryptocurrency. How? By either sending you an email that contains a link which downloads the software when you click on it, or by hiding the code in an advert or on a web page that again activates it when you click on something. It’s a cybercrime that's on the increase, with cybersecurity company McAfee Labs reporting in August that there was a 29% rise during the first quarter of 2019.
How to spot it
“It’s difficult to spot”, says Brian. “Years ago, if your computer had a virus, it was pretty obvious because it was very slow and clunky. But these days, because of the sophistication of computers as well, you wouldn’t necessarily even know that your computer was being used to mine cryptocurrency”. That being said, you should keep an eye out for your computer running slowly or overheating, as these could be signs of a cryptojacking attack.
What to do about it
As is the case for ransomware scams, prevention is key. “Make sure that you scan your networks regularly”, says Brian. “There’s free software available online that you can download. I scan my computer once a month, just to make sure”. It’s also worth improving your web browser’s security by using a good quality VPN (Virtual Private Network), which adds another layer of security to public and private networks, increasing your privacy by replacing your IP address with one from the VPN provider. Some VPNs are even designed especially to prevent ransomware scams and cryptojacking.