SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy-to-follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 185: Real Looking Scams and Fake Looking Help

Posted on May 14, 2020

This week on the Checklist, we cover:

Coronavirus scam sites: a taxonomy

For the past couple of months, we’ve covered stories related to Covid-19 scams and security threats. One thing we noted early on was a surge in domain name registration for new websites related to the pandemic. While many of these were completely legitimate, initial research indicated that an unusual number of these new domains were malicious. 

In an effort to better understand the threat landscape, CUJO AI, a cybersecurity firm in the US, performed a detailed analysis of Covid-19 scam domains. They found that these malicious sites fell into three main categories: sites selling fake products, sites engaging in financial fraud, and sites impersonating health organizations. 

The fake products and services related to the Covid-19 pandemic range from the truly unbelievable (a device that uses sound waves to fight the virus) to things that seem somewhat reasonable (UV sterilizer lamps and officially licensed cleaning agencies).

Financial fraud sites have been spotted all over the world, since many countries have instituted relief programs to help their citizens survive the economic chaos caused by Covid-19. From the US and Canada to the UK and Lithuania, scammers have set up fraudulent tax and revenue sites in an attempt to trick people into handing over sensitive personal data. In addition, it seems that charity scams are on the rise as well.

There have also been many scams involving sites that attempt to impersonate a well-known public health organization like the WHO or CDC. Many of these are simple phishing scams, while others take the more direct approach and infect website visitors with malware. To add insult to injury, some of these fake sites don’t even copy legitimate health information, and instead repeat incorrect advice and inaccurate news about Covid-19.

In terms of what you can do to avoid these scam sites, we have a few suggestions:

  1. Get your news and information from trusted organizations only. Large news outlets like the New York Times, The Guardian, the major television networks and cable news channels, National Public Radio, and so forth are all good places to start. Whenever possible, get your news straight from the source — if you have a question about the payment information portal set up by the IRS, your best bet is just to go to the IRS website directly.

  2. Avoid clickbait and sensationalism — especially on social media. If you have a relative or friend who’s always sending you those “what the government doesn’t want you to know” links, think twice before clicking. These types of headlines are disproportionately common in scams and phishing attacks (in addition to the fact that they usually contain wrong or misleading information anyway).

  3. Be skeptical when shopping. The old adage applies: If something sounds too good to be true, it probably is. Sure, it would be great if sound waves, apple cider vinegar, or essential oils could magically cure Covid-19 — but that ain’t the case. In general, try to buy from well-established vendors to avoid fly-by-night operations and outright scams. Look for sellers with good reputations … and websites that were registered years ago, not during the height of the pandemic.

  4. Always read product and service reviews before buying, but also take these with a grain of salt. Remember that large marketplace platforms like Amazon harbor vendors who write fake reviews for their own products (or simply bribe customers with gift cards to write 5-star reviews). If you’re investigating a service provider, the Better Business Bureau and other trusted review sites can be useful resources for doing your due diligence.

  5. Navigate to health organization websites in your browser, not by clicking on links. Hackers are experts at setting up lookalike websites with domains that are very similar to the sites of large organizations such as the WHO. If you get an email with a link to the CDC, WHO, or Red Cross, don’t click on that link — go to Safari and find the official webpage yourself. If it’s a genuine email, the information you’re looking for will be there.

  6. Run a good antivirus on your computer. We’re all online more than ever before, and the bad guys know this. That’s why there has been such a spike in malware-infested websites over the last couple of months. The best thing to do is avoid these websites altogether, but using a good anti-malware tool will give you added protection and peace of mind.
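For readers who filter mail or web traffic for others, the lookalike-domain advice in item 5 can be turned into a simple check. The following is an added example, not part of the original show notes: it compares a link's hostname against the official domains of the organizations named above, and the swap table, thresholds and sample hostnames are constructed assumptions.

```python
import unicodedata

# Official sites of the organisations named in the advice above.
OFFICIAL = {"who.int", "cdc.gov", "redcross.org", "irs.gov"}
BRANDS = {d.split(".")[0] for d in OFFICIAL}

# Constructed table of digit-for-letter swaps; real confusable tables are larger.
SWAPS = str.maketrans("0135", "oles")


def skeleton(token: str) -> str:
    """Strip accents and undo digit swaps so look-alike spellings compare equal."""
    decomposed = unicodedata.normalize("NFKD", token)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return plain.translate(SWAPS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for a hostname taken from a link."""
    host = host.lower().rstrip(".")
    # Official only if the host IS the domain or a true subdomain of it.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return "official"
    tokens = [skeleton(t) for t in host.replace("-", ".").split(".") if t]
    for token in tokens:
        for brand in BRANDS:
            # Short names (who, cdc, irs) must match exactly, since one typo in
            # them hits ordinary words. Longer names tolerate a single edit.
            if token == brand or (len(brand) >= 6 and edit_distance(token, brand) <= 1):
                return "lookalike"
    return "unrelated"


# Constructed hostnames on the reserved .example TLD, plus one real official site.
SAMPLES = ["www.cdc.gov", "cdc-gov.example", "who.int.covid-help.example",
           "redcr0ss.example", "redcros.example", "whois.example"]

if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{h:30} {classify(h)}")
```

The check does not cover non-Latin homoglyphs or punycode labels, so a hostname it calls "unrelated" is not thereby safe.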

False positive (fraud edition)

Millions of Americans are out of work, and state governments are looking to get unemployment benefits to struggling families as quickly as possible. To this end, the governments of 17 states have partnered with banking giant U.S. Bank to disburse payments via prepaid debit cards. 

Everything seemed to be going fine until the bank’s automated identity theft prevention system triggered a series of paper form letters — letters that struck many of the recipients as suspicious. 

It seems that the bank was sending letters to people whose addresses had changed, and also to people whose addresses as entered on their unemployment applications were slightly different from their address of record. Examples of the latter included abbreviating the word “Street” as “St.”, or “Avenue” as “Ave”. 
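The mismatch described here is what an exact string comparison of two addresses produces. As an added example (not U.S. Bank's system, whose logic the story does not describe), the sketch below normalizes both addresses before comparing them, so that only a genuine change triggers a letter; the abbreviation table and the records are constructed.

```python
import re

# Constructed subset of postal abbreviations; a production table is much longer.
ABBREVIATIONS = {
    "street": "st", "avenue": "ave", "boulevard": "blvd", "drive": "dr",
    "road": "rd", "lane": "ln", "court": "ct", "north": "n", "south": "s",
    "east": "e", "west": "w", "apartment": "apt", "unit": "apt", "suite": "ste",
}


def normalize(address: str) -> str:
    """Canonical form: lower case, no punctuation, standard abbreviations, 5-digit ZIP."""
    text = re.sub(r"\b(\d{5})-\d{4}\b", r"\1", address.lower())  # ZIP+4 -> ZIP
    words = re.sub(r"[^a-z0-9\s]", " ", text).split()
    return " ".join(ABBREVIATIONS.get(w, w) for w in words)


def compare(on_record: str, submitted: str) -> str:
    """Classify the difference between the address of record and the submitted one."""
    if on_record == submitted:
        return "identical"
    if normalize(on_record) == normalize(submitted):
        return "formatting_only"
    return "changed"


# Constructed records: (case id, address of record, address on the application).
RECORDS = [
    ("C-1001", "123 Main Street, Springfield, IL 62701",
     "123 Main St. Springfield IL 62701-1234"),
    ("C-1002", "45 Oak Avenue Apartment 2", "45 OAK AVE APT 2"),
    ("C-1003", "45 Oak Avenue", "54 Oak Avenue"),
    ("C-1004", "9 Elm Rd", "9 Elm Rd"),
]


def naive_letters(records):
    """Exact comparison: every spelling difference looks like an address change."""
    return [cid for cid, old, new in records if old != new]


def letters_to_send(records):
    """Normalized comparison: only genuine changes trigger a confirmation letter."""
    return [cid for cid, old, new in records if compare(old, new) == "changed"]


if __name__ == "__main__":
    print("naive:     ", naive_letters(RECORDS))
    print("normalized:", letters_to_send(RECORDS))
```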

U.S. Bank, it turns out, was genuinely trying to confirm the validity of the addresses and prevent identity theft. But alas, the letters were a little bit confusing and vague. They didn’t contain a lot of background explanation, for one thing. They just thanked the recipient for contacting “Cardholder Services” about their recent address change, confirmed their “request”, and asked them to call a number on the back of their “card” if the letter had been sent in error. Unfortunately, many people who got these letters hadn’t changed their addresses, while others hadn’t even received their debit cards yet. Of course it probably didn’t help that the somewhat generic name “U.S. Bank”, especially in combination with “Cardholder Services”, sounds exactly like the type of fake name scammers would come up with. The end result was dozens of complaints submitted to a scam alert website, most of which expressed the same mixture of perplexity and suspicion.

Despite it all, though, we find this to be an oddly uplifting story. While the bank might want to take a closer look at how they handle snail mail communications, at least their hearts were in the right place. And we suppose it’s an encouraging sign that so many people were able to spot the signs of a scam — even if it turned out to be a false alarm!

Apple, GDPR, and thermometers 

The world is starting to reopen after months of lockdown, and Apple is joining the process (albeit cautiously). The company is slowly opening some of its Apple Store locations in the US and around the world.

In the US, the Apple Stores that have started welcoming customers again seem serious about health and safety. The Apple website displays a banner message on the pages of open stores informing people that they may have to wait in line to enter due to social distancing precautions, and requesting that everyone wear some form of face covering while in the store (or ask for one if needed).

In Europe, some Apple Stores seem to be taking additional precautions, including temperature checks for all customers at the door. However, this plan has caught the attention of the local data protection authorities. Regulators in the German state of Hesse have launched a study to determine whether or not temperature checks could be construed as a violation of EU privacy regulations, which are some of the most stringent in the world. A spokesperson from the office of the Data Protection Commissioner in Hesse stressed that they were only trying to determine the legality, under EU law, of temperature checks, and that they had not yet come to any conclusions one way or the other. Apple has not commented on the matter publicly, though it’s safe to say that their legal teams are watching the story closely.

That brings us to the end of another Checklist. If you want to keep learning about security and privacy while waiting for the next episode, take some time to browse the Checklist archives, where you can listen to all of our past podcasts and/or read the full show notes that accompany them.
