Don’t Click! Coronavirus Text and Phone Scams Are Designed to Trick You
A text comes in on your phone. It’s from the IRS, and your economic relief check is ready, pending your acceptance. There’s a form to fill out. All you have to do is click the link.
If you don’t have time to read this whole column, please—for the love of sweatpants—just read this: Don’t. Click. The. Link.
Scams are on the rise. The Federal Trade Commission has already received more than 14,000 coronavirus-related complaints, reporting $10 million in total losses, since Jan. 1. On March 20, the Federal Bureau of Investigation issued a warning about a rise in fraud schemes and urged “vigilance” during the pandemic.
Circulating schemes involve stimulus checks, airline refunds, charities, fines for breaking social-distancing rules, “mandatory” Covid-19 preparedness tests, unproven treatments and sales of in-demand supplies like masks or thermometers. Experts say the scams are designed to get you to take immediate action, more and more through texts and calls.
“The stress people are under during the pandemic opens up whole new emotional avenues for attackers to prey on,” says Chris Rothe, co-founder of security-threat-response firm Red Canary.
Typically, older adults are targeted by scammers because they often have more wealth. But recent research by AARP shows that all age groups are vulnerable to phishing attempts. That’s because shelter-in-place rules are keeping more people at home, where they are more likely to pay attention to urgent messages.
“We’re a captive audience at home. I find myself picking up my phone more often. We’re all in this high-emotion state.…I think maybe it’s a family member or a neighbor that needs help,” says Amy Nofziger, director of AARP’s Fraud Watch Network.
The most susceptible group? Those without a support network. “Social distancing could make lonely people feel like responding to phishing emails, suspicious links, robo or telemarketing calls,” says Marian Liu, assistant professor at Purdue University’s Center on Aging.
You’re probably familiar with email phishing attempts that try to trick recipients into thinking the message came from a legitimate source. Email providers are effective at filtering out most of those attempts before they get to your inbox. While those types of messages are still something to be wary of, scammers are directing more efforts toward text-message (aka SMS) phishing, or “smishing.” The fraudulent texts often include a link to a legitimate-seeming website with fields to enter login credentials or other sensitive information. The links can also prompt malware to download.
Phone numbers have a fixed format that can be easily guessed, unlike email addresses, Mr. Rothe explained. Robo-dialers can throw out number combinations, and if you pick up the phone or respond to instructions to text “STOP” or “NO,” scammers can confirm the number is active.
“They could also be obtained from any of the hundreds of data breaches that contain phone numbers,” says Paul Bischoff, a privacy advocate with security website Comparitech.
So, how can you protect yourself? Here are some tips to avoid getting scammed.
• Scammers elicit fear and urgency, so take a breath before you take action. “They are trying to speed you up so you are more likely to make a mistake,” Mr. Rothe says. If you feel rushed, that’s a red flag.
Verify or contact the source through other means. AARP has a toll-free fraud network helpline (877-908-3360) open on weekdays that anyone, even nonmembers, can call to verify whether a text or call is legitimate.
And instead of clicking that link, be it purportedly from a company or government agency, go directly to the source. Airlines can be reached through their apps, websites or customer-service call centers, and most government agencies, such as the IRS, currently link to coronavirus-related resources on their home pages.
• Don’t click links or download attachments. If you’re suspicious, you can use a scam checker to verify links or files. It’s a good idea to cross-reference the web address across multiple link checkers. Kaspersky and Norton have tools that use reputation and antivirus databases to check the safety of a domain. Kaspersky’s site can also scan files.
• Divert texts from unknown senders. In iOS, go to Settings, then Messages to turn on Filter Unknown Senders, which sends texts from people who aren’t in your contacts to a separate tab. You can also block people by tapping on their phone number and scrolling down to Block This Caller. In Android, open the Messages app and expand Settings. Select your SIM card and scroll to tap Spam Protection to enable the feature.
“If you don’t have a reason to accept texts from people you don’t know, turning this feature on is a great way to stop phishing texts from showing up on your phone,” Mr. Rothe advises.
• Be aware of number spoofing by robocallers. Spoofing is when a criminal manipulates what shows up on your caller ID to make it appear as a number from a government agency, a local caller or even your own number. So, even if the number calling you looks real, you should still be skeptical of whether it’s from an authentic source. Let it go to voice mail. You don’t want to prove you’re a live target, and if it’s someone you need to talk to, you can check the message.
Nomorobo is an app for iOS and Android that blocks annoying calls of all kinds, including robocalls and telemarketers. After a two-week trial, the service costs $2 a month. Nomorobo has published on its website helpful examples of what common coronavirus phone scams sound like.• Don’t send money or share personal information over the phone. If you’re giving to a charity, go directly to the charity’s website to donate. The government won’t send out text messages that ask for personal information or processing fees.
“Never pay a fee in return for a greater reward down the road. This is called an advanced-fee scam and it’s common in work-from-home scams,” says Mr. Bischoff.
Also: If anyone asks for payment in gift cards, they are probably scamming you.
• Use a password manager. Password managers only auto-fill credentials for the correct website (for example, irs.gov, and not irs.gov.fake), ensuring that you’re not duped by a well-crafted fake, says Laurence Pitt, global security strategy director at Juniper Networks. Plus, the manager will prevent a key logger from capturing your password.
• Finally, keep your tech’s software up-to-date. Those pesky pop-ups reminding you to update to the latest version of your phone or computer’s operating system are annoying—but they are critical in protecting you from security flaws, since those updates come with patches to those flaws.
Photo: Coronavirus scams are designed to lure you into immediate action when you’re stressed and vulnerable. MIKEL JASO; ISTOCK
