Unmasking Covid-19 Fraud Schemes: How Do You Protect Yourself or Your Business?

Amid the Covid-19 outbreak and the lockdown imposed in many countries around the world, many companies and individuals are seeing significant changes to their workplaces and the way their businesses are conducted, with working from home or WFH becoming the new norm.
 
As more people stay indoors and work from laptops at home, we see a rise of predatory fraudsters who are taking advantage of the uncertainty of the situation coupled with social isolation to mount a range of fraud schemes. They aim to trick individuals or companies into divulging sensitive information or purchasing counterfeit or non-existent Covid-19 related products.
 
With just one careless step, any individual or business can become a victim of fraud, and will suffer further financial and/or reputational losses in what is already an economically challenging situation.    
 
Known and Potential Covid-19 Fraud Schemes in Malaysia
 
Over the past months, Malaysia has seen an escalation in fraud schemes associated with the Covid-19 pandemic.
 
According to CyberSecurity Malaysia’s statistics[1], an estimated 2,370 incidents involving fraud, cyber harassment and intrusion were reported in March and April 2020, showing an increase of nearly 559 cases compared to the previous months.  
 
Some known and potential Covid-19 related scams in Malaysia include:

  1. Fraudulent sales of Covid-19 Personal Protective Equipment (PPE)[2]. Since the implementation of the Movement Control Order, the number of cases of fraudulent face mask sales has spiked. Most victims connected with the fraudulent dealers via social media platforms as well as chat apps like WhatsApp and WeChat. The syndicate would further provide tracking numbers to make their “business” appear more legitimate. However, after the victims make payment, the suspects cannot be contacted, and no delivery is made.
  1. Phishing. Phishing is a fraud method of sending emails or texts claiming to be from reputable or official sources for the purpose of getting the recipient to reveal sensitive personal or company information. The National Cyber Security Agency (‘NACSA’) has identified several malicious email subjects, attachments and URLs that have used the words "COVID-19" and "coronavirus" in their phishing lures. The full list of malicious domains and email subjects can be accessed here.
  1. Unsolicited emails with link or attachment. These malicious emails could be sent by scammers, pretending to be from reputable sources, inviting the recipient to click on a link or open an attachment. Unbeknown to the recipient, the contents will infect their computer and compromise the computer network of the company.
  1. Cyber intrusion and harassment. Intrusion includes hacking or data breach attempts, while cyber harassment includes cyber stalking or Zoom-bombing. A Malaysian Instagram influencer with over 200,000 followers recently became a victim of cyber hacking, where she received an email from hackers demanding payment and threatening to delete her Instagram account if she refused to pay[3].
  1. Ransomware attacks[4]. NACSA received reports concerning a malicious Android mobile app and a fraudulent website claiming to be from the Prime Minister’s Office (PMO) that tricked victims into submitting their online banking details. The mobile app was also able to read mobile phone SMS, which could be used to steal victims’ online banking details and TAC codes.
  1. Scam calls[5]. A phone-based attack in which scammers call a mobile phone pretending to be from a legitimate source, such as the police or any other enforcement agency including the Inland Revenue Board (IRB) or a utilities provider like Telekom Malaysia, as a means to try to trick the target into divulging sensitive information or making payments for outstanding tax arrears or utility bills.
  1. Fraudulent withdrawals of Employee Provident Funds (EPF)[6]. When the Government announced that the EPF contributors could withdraw their EPF savings, scammers started making “offers” on social media platforms. They tricked the victims into surrendering their identification cards and bank account details on the pretext of assisting them to withdraw their EPF savings.
  1. Investment scams[7]. The Securities Commission Malaysia (‘SC’) has advised the public to be on alert for Covid-19 investment scams, especially those involving unauthorised digital asset exchanges (DAX) in Malaysia. The SC has warned investors against dealing with unlicensed or unauthorised entities or individuals. The SC has added 12 companies operating without SC’s licence or authorisation to its watch-list, which is available here.
  1. Covid-19 testing or immunisation scams[8]. Outside of the cyber world, scammers have also been physically going to the ground, pretending to be from the Government, and tricking members of the public into allowing them to enter their homes to carry out immunisation of the premises. The National Security Council (NSC) has clarified that the Government has never appointed any agency to carry out house-to-house immunisation against Covid-19.

How Do You Protect Yourself or Your Business?
 
There are many ways to help protect yourself and/or your business from falling prey to Covid-19 related fraud schemes. Some practical and logical preventive measures include:

  1. When buying from an online sales platform, make sure it is a legitimate seller and check the comments in the 'Reviews' section for any negative or positive comments.
  1. Be careful of fake online shops or businesses which use unconventional payment methods such as funds transfer or cryptocurrency.
Before making any payment, interested buyers may check the bank account of the seller through Malaysia’s Commercial Crime Investigation Department’s (‘CCID’) ‘Semak Mule’ portal which can be accessed here.
 
The CCID has also recently launched an Infoline at 013-2111222 to receive complaints and enquiries from the public on commercial crimes[9].
 
  1. Only make online payments on secure websites. The signs of a secure payment website are[10]:
  • Padlock symbol – There should be a padlock symbol on the left of the address bar next to the website address. 
  • Website address – This should start with https://. The ‘S’ stands for secure.
  • Green address bar – On certain browsers and websites, the address bar will turn green.
  • Valid certificate – If you click the padlock symbol (on the left of the address bar), you should see information about the site certificate. This will tell you who has registered the site. If you get a warning about a certificate, avoid the website.
  1. Be wary of fraudulent emails and texts claiming to be from reputable sources that have vital information regarding the virus. Do not click on links or open attachments from unverified senders.
Some red flags to help you spot a phishing/scam attempt:
  
  • Check the email address – Does it look real? Is it sent from a public domain email account such as yahoo.com or gmail.com? Fraudsters often use addresses that only have minor differences from those belonging to the entities they are impersonating. 
  • Are there any spelling errors or grammatical mistakes in the email?
  • Would you expect this sender to ask for personal information? It is unlikely that the government or other reputable sources would ask you to send personal and sensitive information via email.
  1. Beware of freeware video conferencing apps. Some of these apps were developed for ease of use, rather than with security and privacy features enabled by default. Require passwords for all meetings, never share your meeting IDs and enable waiting rooms to prevent any unwanted ‘cyber-bombers’.
  1. For businesses, the UK’s National Crime Agency recommends a simple 3-step process to help protect your business:
  • Stop. If you receive a request to make an urgent payment, change supplier bank details or provide financial information, take a moment to stop and think. Fraudsters may try to pressure you into doing something quickly so this can be a warning sign.
  • Challenge. If you are suspicious, verify all payments and supplier details directly with the company on a known phone number or in person first.
  • Protect. If you think you have been scammed, contact your bank and lodge a police report immediately.
  1. In tandem with the above, business leaders need to work with their IT teams to identify the likely attack vectors, and be particularly diligent when it comes to reminding employees of information security issues and best practices.
  1. Stay informed of investment scams and trends in relation to Covid-19. If you come across any suspicious websites or receive any unsolicited phone calls or e-mails offering investment advice and opportunities, especially those that offer high returns with little or no risks, you should direct any queries or complaints to SC at: 603-62048999 or e-mail: aduan@seccom.com.my.
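
The email-address red flags listed above (a public webmail sender, or an address that differs only slightly from the genuine one) can be checked automatically by a mail filter or helpdesk script. The sketch below is an added example, not part of the original alert; the trusted domains, the webmail list and the sample headers are constructed assumptions.

```python
import re

# Assumed inputs (not from the alert): domains your organisation trusts
# and a short list of public webmail providers.
TRUSTED_DOMAINS = ("examplebank.com.my", "agency.example.gov.my")
FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
# Digits commonly substituted for look-alike letters.
LOOKALIKE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_red_flags(from_header: str) -> list[str]:
    """Return the red flags raised by the address in a From: header."""
    match = re.search(r"<?([^<>\s@]+)@([^<>\s@]+)>?\s*$", from_header.strip())
    if not match:
        return ["no parseable address"]
    domain = match.group(2).lower().rstrip(".")
    if domain in TRUSTED_DOMAINS:
        return []  # exact match with a known-good domain
    flags = []
    if domain in FREE_MAIL:
        flags.append("public webmail domain")
    folded = domain.translate(LOOKALIKE)
    for trusted in TRUSTED_DOMAINS:
        if folded == trusted.translate(LOOKALIKE):
            flags.append(f"character swap imitating {trusted}")
        elif edit_distance(domain, trusted) <= 2:
            flags.append(f"near-miss of {trusted}")
    return flags


if __name__ == "__main__":
    # Constructed sample headers, for illustration only.
    for header in ('"Ministry of Health" <covid-info@gmail.com>',
                   "alerts@examp1ebank.com.my",
                   "info@exarnplebank.com.my",
                   "support@examplebank.com.my"):
        print(header, "->", sender_red_flags(header) or "no flags")
```

An empty result only means these two checks passed; spelling errors and unexpected requests for personal information still need a human reader.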
This Alert is written by Lim Koon Huan (Partner) (lkh@skrine.com) and Elizabeth Goh (Associate) (elizabeth.goh@skrine.com) of Skrine.