In response to the COVID-19 outbreak, several U.S. government entities have released warnings about a rise in scams and fraudulent activity connected to the outbreak.  In a recent bulletin, the FBI warned of a rise in phishing emails, counterfeit treatments or equipment for COVID-19 preparedness, and fake emails from the Centers for Disease Control and Prevention (CDC) purporting to provide information about the outbreak.  The FTC, meanwhile, has released not only a general overview of the steps that it is taking to combat scams related to COVID-19, but has also provided a specific list of seven types of COVID-19 scams that it has observed targeting businesses.  More information about these scams, and guidance from the FBI and FTC on how to protect against and respond to some of the most common risks, is below.

Recent Trends in Cybersecurity Scams and Threats

The FTC’s list of seven COVID-19 scams targeting businesses includes the following scams:

  • “Public health” scams, where attackers send messages purporting to come from the CDC, World Health Organization (“WHO”), or other public health organizations seeking information such as Social Security numbers or tax identification numbers, or asking recipients to click on a link or download a document.
  • Government check scams, where attackers claim that the recipient can receive money from a government agency by making an up-front payment or providing personal information. (Note that the FTC previously provided separate guidance on identifying and combating such scams.)
  • Business email compromise (“BEC”) attacks, where the attacker spoofs an employee’s or organization’s email address and directs recipients to wire money, transfer funds, or provide personal information.  The FTC cautions that in the midst of COVID-19 adjustments to working patterns, including shifts to teleworking, emergency requests may not seem unusual, and employees may no longer have access to the same options to verify the authenticity of a message (such as walking down the hall to verify with the purported sender by discussing the message face-to-face).
  • IT scams, where the attacker pretends to be a member of the organization’s IT staff and requests a user’s password information or asks them to download software.  As with BEC attacks, the FTC warns that the recent shifts in work patterns could make employees particularly vulnerable to these scams.
  • Supply scams, where scammers set up websites that mimic the appearance of well-known retailers and take payments without providing any supplies in return.
  • Robocall scams, where fraudsters call to pitch fake COVID-19 test kits, sanitation supplies, or other related products for businesses and individuals.
  • Data scams, a category that the FTC uses to describe a broad variety of potential vulnerabilities associated with the shift to teleworking that may increase the risk of data compromise.

This rise in cyber threats comes in the wake of another record year for internet crimes generally.  A recently released report by the FBI’s Internet Crime Complaint Center (“IC3”) reported that IC3 received 467,361 complaints during 2019, associated with over $3.5 billion in losses.  Notably, the most prevalent scams reported via IC3 during 2019 included not only BEC attacks and “tech support fraud” (similar to the “IT scams” referenced in the FTC’s guidance), but also a continued high number of reported ransomware attacks.  Despite only 23,775 reported BEC attacks, these attacks accounted for over $1.7 billion, almost half of the total losses reported in 2019.  However, the IC3 report noted that the FBI’s Recovery Asset Team (“RAT”), established in 2018 to streamline communication with financial institutions and assist FBI field offices in recovering funds transferred by victims to domestic accounts under fraudulent pretenses (such as BEC attacks), recovered 79% of the over $384 million in losses reported to the RAT across more than 1,300 incidents.

The FBI also noted that it had observed a particular increase in the number of BEC complaints related to the diversion of payroll funds, where an HR or payroll employee receives a fraudulent email purportedly from an employee requesting to update the employee’s direct deposit information.  However, the updated information routes to an account controlled by the attacker, often linked to a pre-paid payment card account.

Guidance on Protection from COVID-19 Scams

Both the FBI and FTC alerts also provide guidance on how companies can protect themselves against the risks posed by these scams and respond appropriately should one of them occur.  The guidance includes the following recommendations:

  • Sharing information on common COVID-19 scams with employees.
  • Educating employees to avoid clicking on links or downloading attachments from email messages, especially from a sender that the employee does not recognize.
  • Verifying the accuracy of email addresses (especially when checking email on a cell phone), and verifying requested payment changes with the intended recipient.
  • Instructing employees to refrain from providing sensitive personal information, such as username/password combinations, Social Security numbers, or financial information, in response to an email or phone call.
  • Providing a central point of contact where employees can verify the authenticity of messages that they receive, including BEC and IT scam messages that purport to be authentic communications from other employees.
  • Typing URLs instead of relying on hyperlinks, and checking for misspellings or incorrect domains in links (e.g., using “.com” instead of “.gov”).
  • Vetting unfamiliar suppliers or third parties with colleagues or other trusted sources.
  • Following recent guidance on secure teleworking issued by the FTC and NIST, which Covington has covered in a separate blog post.
  • Continuing to monitor government websites, including the FTC and IC3 websites, for updates on trends in cyber threats that may target specific populations.
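As an added illustration (not from the original post or from the FBI/FTC guidance it summarizes), the following Python check applies the link-inspection advice above to an email body: it flags anchors whose visible text names a different domain than the real target, and targets that reuse a trusted public-health name under a different top-level domain (for example “.com” instead of “.gov”). The trusted-domain list and the sample HTML are constructed for illustration, and the registrable-domain helper is a deliberate approximation that ignores the public-suffix list.

```python
import re
from urllib.parse import urlparse

# Constructed list of public-health/government domains the scams above impersonate
# (assumption: an organization would maintain its own list).
TRUSTED_DOMAINS = {"cdc.gov", "who.int", "ftc.gov", "ic3.gov"}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# A bare domain name appearing in visible link text (requires an alphabetic TLD).
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels (no public-suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_link(href, text):
    """Return the reasons a link looks deceptive; an empty list means no finding."""
    reasons = []
    target = registrable_domain(urlparse(href).hostname or "")
    # 1. Visible text claims one domain while the href goes somewhere else.
    for shown in DOMAIN_RE.findall(text):
        if registrable_domain(shown) != target:
            reasons.append(f"display text says {shown} but link goes to {target}")
    # 2. Target reuses a trusted name under a different TLD (cdc.com for cdc.gov).
    name, _, tld = target.rpartition(".")
    for trusted in TRUSTED_DOMAINS:
        tname, _, ttld = trusted.rpartition(".")
        if name == tname and tld != ttld:
            reasons.append(f"{target} imitates {trusted} with a different TLD")
    return reasons


def scan_html(html):
    """Map each suspicious href in an HTML email body to its list of reasons."""
    findings = {}
    for href, text in ANCHOR_RE.findall(html):
        reasons = check_link(href, re.sub(r"<[^>]+>", "", text))
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample: the visible text shows a .gov address, the real target is a .com lookalike.
SAMPLE = ('<p>Updated guidance: <a href="https://www.cdc.com/covid19">'
          'https://www.cdc.gov/coronavirus</a></p>')

if __name__ == "__main__":
    for href, reasons in scan_html(SAMPLE).items():
        print(href, "->", "; ".join(reasons))
```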

Both the FTC and FBI guidance recommend reporting attacks and scams using the designated reporting mechanisms provided by the FTC and IC3.  If an organization has fallen victim to a BEC attack, the IC3 report also recommends that the organization contact the originating financial institution as soon as fraud is recognized to request a recall or reversal as well as a hold harmless letter or letter of indemnity.

Micaela McMurrough

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group, as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters, and she regularly represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Micaela has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of international law.

In 2016, Micaela was selected as one of thirteen Madison Policy Forum Military-Business Cybersecurity Fellows. She regularly engages with government, military, and business leaders in the cybersecurity industry in an effort to develop national strategies for complex cyber issues and policy challenges. Micaela previously served as a United States Presidential Leadership Scholar, principally responsible for launching a program to familiarize federal judges with various aspects of the U.S. national security structure and national intelligence community.

Prior to her legal career, Micaela served in the Military Intelligence Branch of the United States Army. She served as Intelligence Officer of a 1,200-member maneuver unit conducting combat operations in Afghanistan and was awarded the Bronze Star.

Ashden Fein

Ashden Fein is co-chair of Covington’s Data Privacy and Cybersecurity Practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance. Ashden also serves as lead counsel in criminal, civil, and internal investigations involving cybersecurity, insider risk, and U.S. national security issues.

Ashden regularly counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Ashden also assists clients from across industries with leading internal investigations and responding to government inquiries related to U.S. national security and insider risks. He frequently represents government contractors in False Claims Act matters involving cybersecurity and national security. Additionally, he advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks. Ashden is a retired U.S. Army officer.

Caleb Skeath

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of cybersecurity and privacy risk—from governance and preparedness through incident response, regulatory engagement, and follow‑on litigation. A Certified Information Systems Security Professional (CISSP), he is trusted by clients across highly regulated and technology‑driven sectors to provide clear, practical guidance at moments when legal judgment, technical understanding, and business realities must be aligned.

Caleb has deep experience leading and overseeing responses to complex cybersecurity incidents, including ransomware, data theft and extortion, business email compromise, advanced persistent threats and state-sponsored threat actors, insider threats, and inadvertent data loss. He regularly helps in‑house counsel structure and manage investigations under attorney‑client privilege; coordinate with internal IT, information security, and executive stakeholders; and engage with forensic firms, crisis communications providers, insurers, and law enforcement. A central focus of his practice is advising on notification obligations and strategy, including the application of U.S. federal and state data breach notification laws and requirements along with contractual notification obligations, and helping companies make defensible, risk‑informed decisions about timing, scope, and messaging.

In addition to his work responding to cybersecurity incidents, Caleb works closely with clients’ legal, technical, and compliance teams on cybersecurity governance, regulatory compliance, and pre‑incident planning. He has extensive experience drafting and reviewing cybersecurity policies, incident response plans, and vendor contract provisions; supervising cybersecurity assessments under privilege; and advising on training and tabletop exercises designed to prepare organizations for real‑world incidents. His work frequently involves translating evolving regulatory expectations into actionable guidance for in‑house counsel, including in highly-regulated sectors such as the financial sector (including compliance with NYDFS cybersecurity regulations, the Computer Security Incident Notification Rule, and GLBA guidelines and guidance) and the pharmaceutical and healthcare sector (including compliance with GxP standards, FDA medical device guidance, and HIPAA).

Caleb’s practice also addresses evolving and emerging areas of cybersecurity and data security law, including advising clients on compliance with the Department of Justice’s Data Security Program, CISA‑related security requirements for restricted transactions, and preparation for new regulatory regimes such as the CCPA cybersecurity audit requirements and federal incident reporting obligations. He regularly counsels clients on how artificial intelligence and connected devices intersect with cybersecurity, privacy, and consumer protection risk, and how to support innovation while managing regulatory exposure.

Caleb also has extensive experience helping clients navigate high-stakes cybersecurity-related inquiries from the Federal Trade Commission, state Attorneys General, and other sector-specific regulators, including incident-specific inquiries as well as broader inquiries related to an entity’s cybersecurity practices and the security of product or service offerings. For companies that have entered into cybersecurity-related settlement agreements with regulators, Caleb has helped guide them through compliance with settlement agreement obligations, including navigating required third-party assessments and strategically responding to cybersecurity incidents that can arise while a company is subject to a settlement agreement. Caleb also routinely works hand-in-hand with colleagues in Covington’s class action litigation, commercial litigation, and insurance recovery practices to prepare for and successfully navigate incident-related disputes that can devolve into litigation.