COVID-19 scams (or: People Are The Worst).

Proving once again that in every crisis there’s someone who sees an opportunity:

#LASD Warning of spike in online scams & hacking attempts related to the COVID-19 emergency.

Scams like this are nothing new. They’re pure, unadulterated opportunism, and they’re uniformly shoddy (in both purpose and execution) attempts to exploit people who are too stressed, ill-informed, or just plain busy to be able to filter information to the fullest extent.

Fortunately there are a few simple rules that you can adhere to that will protect you against the vast bulk of email/text/phone scams.

Consider the source of the information. Where is it purportedly coming from? What government agency is communicating with you, and does it sound legitimate?

A few years ago a common scam was to scare people into handing over bitcoin under threat of exposure of their browsing habits. Based on the idea that either guilt or the perception of guilt was a powerful motivator, scammers peeled email addresses and paired passwords from info dumps taken from large commercial hacks (e.g., the Target and Zappos customer database hacks) and would send threatening emails to folks with their passwords in plain text as proof that the scammer had legitimate access to the victim’s computer. It was moderately ingenious, but rather hampered by the fact that the fiction that surrounded a lot of the examples that we received panicky communications about revolved around the sender being a CIA or FBI agent.

The CIA or FBI don’t care a hoot about domestic malfeasance, and certainly not about what you look at on the internet provided that something isn’t state secrets that you’re sending to a foreign power. Likewise, the IRS isn’t telling you that there’s been a COVID-19 outbreak in your area and that you should immediately send them a $29 evacuation fee. And Government agencies will always send email from a .gov email address; never a .com/.net/.whatever-else.

Anything that sounds too good to be true is always too good to be true. There are no miracle drugs available to treat Coronavirus/COVID-19. Essential Oils and Lemon Soap do not help. Solicitations to buy equipment or treatments or sanitizing products that are an easy sell, but they’re a scam.

The Government knows who you are already. There’s been a spate of fake “verification request” emails going around – telling folks that they’re eligible for emergency assistance and funds, but that before the federal government can cut a check they just need a little information first. Trivial things, like name, age, address, social security number. Maybe even banking details. Things that the Federal Government has already (or has no reason to ask for). If the only vector that the Federal Government has to communicate with you is your email address then that should send up some red flags.

Don’t give anyone your personal details – not your address, date of birth, banking information, usernames or passwords. Not ever, not under any circumstance. The people or organizations who need to contact you will have that already.

Scammers can’t spell. This applies to almost all scams on the internet, and again, it’s moderately ingenious. People who are too rushed or impaired to notice typos, serious grammatical errors, incorrect punctuation or flat out spelling mistakes are the target audience for scammers. It’s sort of reverse filtering; the people who’d notice those errors aren’t the target audience and are less likely to fall for a scam, whereas people who skate over those errors are more likely to be vulnerable and go along with what they’re being sold.

When in doubt, ask someone else. It doesn’t have to be your IT guy, or your boss – if something comes across your desk and you have concerns about legitimacy then talk to a co-worker or family member and have a second pair of eyes look at it before acting on it. This is something that I wish more folks would do; there’s an ego hit that you might take if you ask someone if the thing you’re looking at is fake and it is, and you might feel like an idiot. But we’ve seen powerful, intelligent, organized people get pulled in by scams and phishing attacks because nobody can be 100% attentive and execute perfect judgment 100% of the time. Running something past someone else is a remarkably efficient way of mitigating the issue.

Stay safe, stay healthy, and stay indoors for a while. These are trying times, and this current unpleasantness is tough on all of us; individuals, families and businesses both large and small. And – speaking as a small business – I’d very much like as many of you as possible to be here once this all blows over…