Revised – November 19, 2021

The vast majority of Americans have pulled together during the coronavirus pandemic.

There have been a lot of disruptions and a ton of misery for many businesses. While some of the pain has been a tragic byproduct of the pandemic, some has been intentional by a few dishonest souls.

Since the pandemic began, several scams have popped up. Some are variations on old scams, while others are new. Whether you are a consumer or a small business, you have to protect yourself more than ever.

Here are several scams that have been occurring more and more frequently since the start of the pandemic.

Watch Out for These Coronavirus Scams

Here are some of the coronavirus scams currently making the rounds.

Fake contact tracers. Contact tracers work for state health departments and track people who may have been exposed to Covid-19. They provide a vital function in stemming the spread from one person to another. The scammers pretend to be contact tracers to steal your identity and empty your bank accounts.

A legitimate tracer will contact you to discuss Covid-19 test results, either for you or someone you know. Legitimate tracers will only ask you for limited information (name, address, health information, and names and places you have recently visited). As we’ve progressed further into the pandemic, tracers are not as prevalent, but nonetheless dangerous.

Scammers posing as tracers may ask you for money, your Social Security, bank account, or credit card numbers. Also, do not share your immigration status or download any links sent to you from someone asking for this type of information. If you think you are dealing with a fake contact tracer, contact your state health department to see what steps you can take.

Fake stimulus payments. Many Americans have enjoyed one or more rounds of stimulus payments. But taxpayers have also been flooded by false information, calls, text messages, and emails from scammers trying to steal personal information.

Be alert for people attempting to trade your personal information for the promise of a payment.

The following will help you protect yourself if you have a special situation:

• If the IRS doesn’t have your direct deposit information, you can go to the “Get My Payment” feature at irs.gov/coronavirus and let them know where to send your direct deposit.
• If you don’t usually file a tax return, go to irs.gov/coronavirus to access the “Non-filer” portal and to determine what, if anything, you have to do to claim your money.
• To check on your payment status, you can now use the “Get My Payment” feature at irs.gov/coronavirus.

The IRS will not contact you by phone, email, text message, or social media with information about your stimulus payment, nor will they ask you for your Social Security number, bank account, or government benefits debit card account number.

You don’t have to pay a fee to get your stimulus money, and you will never be asked to send back your stimulus money after it has been sent to you because someone claims you were overpaid.

Fake charities. Now, more than ever, charities are desperate and need help. The pandemic continues to put many people in dire straits, and the demand for services continues to stretch a lot of nonprofits. Scammers know this and will reach out to you by phone or online to take advantage of your generosity. If you haven’t heard of a particular charity before, research the charity and ask lots of questions before committing to a donation.

Fake personal protective equipment. Masks, gloves, face shields, and hand sanitizers are still in relatively high demand for healthcare professionals, others providing essential services, and consumers. Websites may offer to sell you these items, but after paying for the products, you never get what you ordered. The scam is further legitimized by creating a shell company that sounds official or similar to a well-known provider to gain your trust. In other instances, when PPE equipment arrives, it is either the wrong size or defective, in part because companies substitute products without a customer’s permission.

By law, sellers are supposed to ship your order within the time stated in their ads or within 30 days if the ads don’t give a shipping date. If a seller can’t ship within the promised time, it has to give you a revised shipping date, with the chance to either cancel your order for a full refund or accept the new shipping date.

Fake test kits. Ignore offers for home Covid-19 test kits. One thing that has improved during the pandemic is the infrastructure to support rapid and accurate testing. That doesn’t mean scammers won’t continue to try and sell you products to diagnose whether or not you have the virus without proof that they work. Early on, most of the test kits advertised had not been approved by the FDA, meaning that they were not accurate and could put you at even greater risk due to giving you a false sense of security with a false negative result. The best advice here is to steer completely clear of any at-home Covid-19 testing and either find a public testing facility or contact your healthcare provider.

Fake cures. Let’s be clear up front. Right now, there is no cure for Covid-19. Vaccines provide a high measure of protection, but they only lessen symptoms and DO NOT provide a cure. You have probably already seen a lot of different homeopathic “secret,” or newly discovered ways to treat symptoms. Unless medical experts tasked with finding ways to address the cure tell you what is working, don’t believe what you read. Not only is it not smart, putting your faith in a remedy that does not work could be deadly.

In May 2020, the FTC announced that it had sent out more than 120 warning letters to marketers making false claims about cures for Covid-19.

In late July 2020, the Federal Trade Commission filed charges against two companies for making false remedy claims. The companies, Golden Sunrise Nutraceutical, Inc., and Golden Sunrise Pharmaceutical, Inc. advertised dietary supplements that claimed these products were “uniquely qualified to treat and modify the course of the virus epidemic,” which was not the case, claiming the FDA had approved the products for use, which was also not the case.

Do your homework on cures. It could save your life.

Nursing homes and stimulus payments. As stimulus payments have largely stopped, this scam is not currently relevant to any significant degree, but you should still be aware it is part of pandemic-related fraud and could pop up in other situations. In some cases, people living in nursing homes or assisted living facilities were forced to sign over their stimulus payments if they were on Medicaid. Homes were claiming that because the person is on Medicaid, the facility gets to keep the payment. Wrong! Those economic impact payments are a tax credit under the CARES Act. Tax law says that tax credits don’t count as “resources” for federal benefits programs such as Medicaid.

This part IS still relevant. If a loved one is at a facility that took it already, contact your state attorney general and ask them to help you get it back.

Phishing, fake emails, robocalls, and texts. Scams that were popular before the pandemic are still popular among thieves. Scammers will use fraudulent emails and text to induce you into sharing valuable personal information. Be highly suspicious of any requests to share account numbers, Social Security numbers, passwords, and other information that makes you vulnerable to losses.

As economic conditions have worsened for many people, scammers are now pitching all sorts of remedies ranging from work at home schemes to low-priced health insurance.

Phishing emails may induce you to click on a link, often appearing to be from a legitimate organization (state or federal government agencies, The World Health Organization, etc.). A scammer can install ransomware or programs that lock you out of your computer or steal your personal information when you click on a link.

Scammers have also used personal computer access to install and infect computers with malware. Recently, malicious websites used the real Johns Hopkins University interactive dashboard of coronavirus infections and deaths to spread password-stealing malware.

Another recently revealed phishing scam was uncovered, showing scammers impersonating the World Health Organization. The scammers offered a fake e-book to victims, and when they attempted to access the book, malicious code for a downloader called GuLoader was instead installed on their computers.

Student loan forgiveness. There have been a lot of discussions about helping students with relief from burdensome student loans during the crisis. At this point, the only thing that has happened is that student loan payments have been suspended as part of the stimulus package passed by Congress. Payments are slated to resume in early 2022.

Scammers will prey upon your fears about paying your student loans and may reach out with an offer that promises you student loan forgiveness if you pay an upfront fee.

The federal government can forgive or restructure student loans through public service loan forgiveness or income-driven repayment. But private companies cannot cancel student loan debt, so don’t fall for it.

How to Protect Yourself

New scams pop up every day, making it impossible to track every instance. So, you need to heed general precautions to continue to protect yourself from Covid-19 scams. Here are some things you can do:

• Never give out personal information over the phone. If a charity contacts you to donate, check out the name of the charity before you even consider giving. Use a credit card instead of cash or a check to provide yourself with more protection.
• Hang up on robocalls immediately. No exceptions, and don’t press any numbers for more information. That tells the robocaller you might be interested and will likely result in more robocalls.
• Never pay in advance to get money or help from the government. Also, the government will never call and ask you for personal information (i.e., Social Security number, birthday, credit card numbers, etc.).
• No private student loan company can help you with loan forgiveness. If you’re approached about this, you are being scammed.
• If you’re buying in-demand products, know those from whom you are buying. Online sellers may claim they have cleaning, household items, medical and health supplies available when they do not.
• The same rule applies to charities. Do your homework and verify that you are donating to a legitimate charity. Or donate to a well-known and established charity like the Red Cross. You can also keep your donations local and give them to a food bank, shelter, or other community-based nonprofit to keep your assistance close to home.

The Federal Trade Commission is in charge of consumer fraud in the United States. You can subscribe to alerts for consumers and businesses to keep up with the latest scams. You can also like the FTC Facebook page.

What to do If You’ve Been Scammed

If you feel you have been the victim of a coronavirus scam, you can contact your state attorney general.

You should also report any scams or suspicious claims to the FTC at ftc.gov/complaint.

Also, file a criminal complaint with your local police department. It may not have the resources to help you directly, but it can provide valuable tracking information to state and federal law enforcement agencies who can more accurately direct resources to fight coronavirus scams.

Contact your banks and credit card companies to be on the lookout for fraudulent activities in your accounts. Also, change your password information and try to use different combinations for different sites. Closely monitor your credit as soon as you can if a scammer has gained access and used your information before you have had a chance to lock it down.

Consider contacting national credit bureaus (Experian, Equifax, and TransUnion) as part of a strategy to maintain and access your credit reports. You can also freeze your credit, which prohibits anyone from viewing your credit report unless you lift the freeze using a PIN that has been provided to you.

If you don’t want to freeze your credit, consider requesting a fraud alert instead. You only need to request an initial fraud alert with one of the three bureaus, and that agency will pass along your request to the other two. An initial fraud alert stays on your credit reports for 90 days. You can renew it as many times as you want. You can also place an extended alert that will last for seven years.

Corona virus image provided by CDC/ Alissa Eckert, MS; Dan Higgins, MAMS

 

When you’re a small business owner, as if you don’t already have enough to worry about, crooks have become a lot more sophisticated in trying to scam you out of your hard-earned money.

Many scams fall into the same overall types of scams. According to a recent Better Business Bureau survey, the six most common of these that small businesses need to protect against are:

• Imposters posing as a bank or credit card company and pretending to verify account information but with the actual intent of gaining access to a business’s accounts.
• Scammers pretending to represent various government agencies who threaten to impose fines or take similar enforcement actions if a business does not pay fees or taxes.
• Fraudsters who offer businesses increased visibility through advertising, advanced search engine techniques, and business directories.
• Sending a business an invoice for services never rendered or trying to induce a business to pay for products it never ordered or received.
• Paying for goods and services with fraudulent checks from non-existent accounts.
• Scams involving tech support or ransomware demands.

Spotting a scammer

Although every scam and every scammer are unique, most all share the same general characteristics. Here are some red flags to look for:

• They pretend to be someone you trust, either in the guise of a company, person, or government agency.
• They create a sense of urgency by setting a short deadline to respond.
• They use fear and intimidation, pressuring you to send a payment before you can check out their claims.
• They use wire transfers, gift cards, or other untraceable payment methods.

Business Case Studies

It’s impossible to list even a small fraction of all the scams targeting businesses today. However, the following case studies will give you an idea of some of the tactics scammers use.

Business email compromise (BEC)

This is sometimes referred to as CEO fraud. Losses are estimated at more than $5 billion globally, and that figure continues to rise as scammers refine their already sophisticated tactics.

BEC involves a crook gaining access to a business owner’s corporate email account. The scammer then spoofs the owner’s identity to defraud the company. Favorite targets include companies that often conduct business with overseas suppliers of who routinely transfer money through wire transfers.

This form of transferring money is especially vulnerable because legitimate wire transfer requests are often urgent, and in most cases, the resulting wire transfer will be processed immediately. Companies that work using this model often don’t take the time to sign forms or wait for callbacks to confirm the transfers, creating further exposure.

It’s estimated that about 40% of all business victims of BEC are small or medium-sized businesses.

BEC remains an ongoing problem despite the requirements that banks are required to implement enhanced security measures to verify transfers.

An example of how BEC can happen

In 2018, an authorized wire transfer originator for a non-profit business client of First Business Bank made a wire request transfer of $28,626 to a person at Wells Fargo Bank. First Business Bank verified the documentation and initiated an authentication process to verify the legitimacy of the request. Later that day, the non-profit’s Executive Director contacted the bank to report the wire request was fraudulent and that it should not have been approved.

The Executive Director had approved the request, which he thought was from a colleague who was also an authorized account representative. But upon closer inspection of the request, it was determined the request was a fraud.

WannaCry ransomware attack

In 2017, the WannaCry ransomware cryptoworm hacked into computers running the Microsoft Windows operating system. It encrypted data and demanded Bitcoin ransom payments. Although the attack stopped when Microsoft issued an emergency patch in just a few days, it was estimated to have infected more than 200,000 computers in 150 countries.

Losses ranged from hundreds of millions of dollars into the billions of dollars. In late 2017, the United States, U.K., and Australia formally accused North Korea of being behind the attack.

Petya cyber-attack

Also, in 2017, The Petya ransomware attack took place. The software took over computers and demanded $300 in bitcoin. It also exploited Microsoft operating systems, specifically something known as the EternalBlue vulnerability. It appears to have started through a software update mechanism for companies working with the Ukrainian government.

It affected banks, power utilities, and even the radiation monitoring system at Chernobyl had to be taken offline. Ultimately, Petya caused serious disruptions at companies throughout the United States and Europe.

The IRS W-2 phishing scam

In recent years, phishing scammers have sent out fake emails that look like they are being sent from various businesses and corporations. These emails request personal information of employees under the guise of obtaining important tax and compliance information.

This scam requires that bad guys know who has access to W-2s in your business who has the authority to ask for this information.

In one year alone, this scam impacted more than 120,000 employees at 100 different businesses in the United States.

The phony Amazon attack

Under this scam, hackers send out what appears to be legitimate deals to businesses and consumers who are Amazon customers. When a recipient attempts to purchase the deal, the transaction is not completed. Instead, customers are redirected to a page to input data that can be stolen and used by hackers.

A variation of this is a scammer who will send out an email appearing to be from FedEx or USPS with the subject line “Shipping Information.” When a recipient opens a link in the email, they are directed to a page that downloads a virus on to the person’s computer, which can then be held for ransom.

The non-profit filed an incident report with the Internet Crime Complaint Center, worked with law enforcement, and contacted the beneficiary bank, among other actions.

Chipotle data breach

The vast majority of 2,000+ Chipotle employees were hit by a data breach that occurred when Eastern European hackers sent emails to staff that turned out to contain malware.

For three weeks, this malware allowed the hackers to gain access to each store’s POS system and access customers’ “track data,” which includes credit or debit card numbers, expiration dates, and verification codes that are stored on a card’s magnetic strip. The breach affected restaurants in 47 states.

Shell companies are often inside jobs

A shell company exists only on paper. It provides no goods or services. It is also one of the easiest ways for an employee to execute a fake invoicing scam.

The employee will set up a company in a friend’s or relative’s name, and then invoice their own company as a means of collecting payments. Most of the time, the employee will have some level of knowledge on how invoices are processed, or they may even be the employee doing the actual processing. That means they know what dollar amounts to stay under to avoid detection, making it easy to scam an employer for years.

Lawyers are not immune

Believe it or not, attorneys are often victims of business scammers. It happens in a couple of different ways.

A lawyer may be contacted by a “client” claiming a business owes them money and that if the lawyer collects this money, they’ll earn a fee. The lawyer reaches out to the “debtor” who sends a fake check to the law firm to pay the debt. The firm deposits the money, and the client directs the lawyer to deduct their fee and wire the balance to an account, which turns out to be untraceable or in another country.

Similarly, attorneys in divorce settlements may receive a supposed settlement, which is actually a fake check. They deposit the money, distribute the funds, and then find out from the bank that the check is a fake, leaving them on the hook if they’ve already sent out money to a client.

The overpayment scam

In this type of scam, a “vendor” or customer may contact a business, purchase a product or service, and then send a payment in for more than the amount they should have paid. Fraudsters then ask the business to wire them a refund using a wire transfer or other similar means.

This type of fraud is also prevalent on Craigslist for people who are selling big-ticket items like cars or boats.

A few more “inside job” hits…

From CFO Daily, here are some brief real-life examples of how employees scammed businesses:

• An IKEA employee mastered the company’s phone and mail order system and issued himself $400,000 in refunds for purchases made by customers in a single year.
• A Calgary Transit employee swiped almost $375,000 by pocketing about $200 a day in coins while he was a fare counter.
• A U.S. postal worker in Washington, D.C. took the agency for $40,000 by claiming he was stuck in jury duty for a case that lasted 144 days.
• A former embezzler turned theft prevention specialist put his talents to use by scamming Block Communications out of more than $1.1 million for a firm he was supposedly trying to protect.
• The FBI caught a former Quest Diagnostics manager who stole more than $1.2 million through false expenses using fake companies and invoices. His reward was five years in prison.

By better educating yourself as a business owner, you can harden your business against scammers, hackers, and fraudsters. Your business’s very survival may depend on how well you proactively fend off attacks from criminals looking to take advantage of you.

Revised – November 19, 2021

According to a survey conducted by the Better Business Bureau (BBB) at the start of the pandemic, 67% of small business owners who responded said they faced more risk from being scammed than just three years ago.

And it doesn’t appear things have gotten better during the past 18 months.

A recent survey by the Association of Certified Fraud Examiners (ACFE) reveals that 77% of respondents have seen an uptick in fraud since the outbreak began. This trend is expected to continue with increases in every business category. The largest upswings have been in insurance, loans, bank, and financial fraud.

Small businesses are particularly vulnerable if they have an e-commerce presence. It is estimated that about two-thirds of all consumers have increased online shopping due to the pandemic. Pandemic related payment fraud has increased dramatically, as more and more criminals use unauthorized credit cards, gift cards, and digital wallets to make bogus purchases. That means businesses are stuck with the bill.

As scammers have become more sophisticated, and there are more areas of vulnerability than ever before, small business owners must do more to be on the lookout for costly and preventable losses.

Since the threats can come from just about anywhere, the first question becomes where to focus your efforts.

Where you’re most vulnerable

Much like the Covid-19 virus, scammers have also produced variants on old scams.

What are those most common scams? In its survey results, the BBB identified the six most common scams that small businesses face:

• Bank and credit card company imposters. These scammers pretend to verify account information, but in reality, they’re trying to get access to a business’s accounts.
• Government agency imposters. They threaten legal action if a small business does not pay fees or taxes supposedly due to the government.
• Fake invoice or supplier billing cons. Scammers may try to submit invoices for services or goods that the small business never ordered or never received.
• Fake checks for purchases. Scammers attempt to defraud a business with nonexistent funds in exchange for goods or services they received.
• Fake advertising or business listing scams. These are offered to businesses as a way to improve their visibility and online presence.
• Tech support scams. A scammer will offer support, protection, or other services, take your money, and never perform the services.

The BBB and the Federal Trade Commission (FTC) both advocate that one of the best ways a business can protect itself is by staying informed about the different tactics scammers use. It’s an ongoing process since the game keeps changing. As part of trying to keep your business afloat, you’ve got to become a post-pandemic student and master at the same time.

Oversight agencies such as the FTC, the U.S. Postal Service, and others have stepped up their efforts to protect businesses.

Unfortunately, sometimes an ounce of prevention comes at the expense of being a pound of cure. Getting scammed brings focus to your already full plate as a small business owner, and many owners only implement measures after they become a victim.

If this is you, don’t be too hard on yourself. Your adversaries are cunning, and there are a lot of them.

What should you do if you’re a victim?

Chances are, you’re going to be angry if you fall victim to a scammer. That’s a natural response. Punch a wall if you need to, but then take more positive steps to see what you can do to make the best of a bad situation.

Take a deep breath, gather as much documentation and evidence as you can, and then move quickly to report the scam. Believe it or not, many businesses do not, either because they feel the effort is futile, that they’ll never recover their losses, or they simply don’t know how or where to report it.

Reporting the scam gives you a fighting chance to catch the scammer and possibly be made whole and allows law enforcement agencies to track different types of scammer activities. This information can then be shared as part of a public outreach effort. It also shows trends that allow these agencies to shift and devote resources to areas where they can do the most good.

Try to match the law enforcement agency to the type of scam. If you’ve been a victim of a crime that violates federal law, then federal law enforcement agencies can be tapped to try and deal with your case.

Federal Trade Commission

For example, if you’re the victim of any type of fraud, one of your first contacts should be with the Federal Trade Commission. This agency protects consumers and businesses. You can file a complaint, report identity theft, get consumer alerts, and tap into a wealth of free information for all types of scams and white-collar crimes. The FTC won’t be able to resolve your individual case, but if you are one of many who are victimized, they can use this information to go after perpetrators.

If you spot a scam or think your business has been victimized, report it to FTC.gov/Complaint.

You can also subscribe to the FTC’s Business Blog at FTC.gov/Subscribe or sign up for scam alerts at FTC.gov/scams.

The FTC also offers tips on protecting your business from scams with a dedicated Protecting Small Businesses web page. As a small business owner, you’ll find information on cybersecurity, protecting your customers’ personal information, what to do if there’s a data breach in your business and more.

Local Law Enforcement

If you’ve been scammed on a more local level, you should file a report with your police department. They may or not be able to assist you in bringing the scammers to justice, but again, they will also use the information to spot trends and deploy resources so that others aren’t scammed as well. If the scam is widespread enough, sometimes local law enforcement will also reach out to local news media to help spread the word.

The Federal Bureau of Investigation (FBI)

The FBI oversees the Federal Bureau of Investigation Internet Crime Complaint Center (FBI IC3). This entity investigates possible internet-based crimes. They work with appropriate federal, state, and local law enforcement agencies to take action against criminal activities.

State Attorney General’s Office

If a scammer has victimized you, contact your State Attorney General’s Office or the Secretary of State. Also, find out what state a scammer may be in and report the scammer to the Attorney General’s office in that state as well.

You can find State Attorney General contact information at NAAG.org.

The U.S. Postal Service

If you were scammed using the U.S. Postal Service in any way, you can file a complaint with your local postmaster or file a complaint online with the USP Inspection Service.

Your Bank or Credit Card Company

If you were victimized using a credit or debit card, there may be protection against losses. Many banks and credit card companies will refund your money if they determine you were a fraud victim. Every company is different, but it’s worth checking into if your business has been defrauded.

The National Consumers League (NCL)

This nonprofit advocacy group protects consumers in several ways. It operates Fraud.org, where you can file a complaint about fraud. While it will not help you recover losses, it can expedite your complaint to the proper law enforcement agencies.

Better Business Bureau

You can also file a complaint with the Better Business Bureau. If you don’t know details about the scammer, this may be a less effective strategy since you want to try and file the complaint where the scammer is located if they are a known business entity. At the very least, people who search the BBB for information can see the complaint, which may help other businesses avoid being scammed.

Steps to take going forward

Getting lost money from a scam may be difficult. The best you may be able to do is to harden yourself against being a victim again. Many businesses used their down time during the pandemic to do this. If you’re still experiencing a lull, this might be a good place for you to focus your efforts in the short term.

Examine your current levels of security. Can you do more to enhance your protection? Another critical step to take is to educate yourself and your employees about how scammers work, what red flags to watch for, and what to do if you spot suspicious activity.

If your company’s financial information was accessed or stolen as part of a scam, change as much information as you need to for maximum security. You may only need to change passwords, or you may have to close accounts and reopen new ones.

If your phone or computer was hacked, ensure the device is wiped clean to ensure the breach no longer exists.

Develop a cybersecurity plan. Part of this should include a stringent password policy for all employees and their devices. Among other things, use two-factor or multi-factor authentication when possible.

Take a look at your data storage needs and processes. Often, scammers can nail a business through the back door this way. When you update with the latest security patches on your phones and computers, also make sure your data storage protected as well. Uncompromised data storage is critical, especially in cases where businesses are victims of ransomware schemes.

And finally, provide security training for your employees. Teach them to spot scams in advance. Scammers know the weakest link in a business may be the human element. Don’t let that be the case in your business.