Share article:

6 COVID-19 (Coronavirus) SMS scams to look out for

Image for 6 COVID-19 (Coronavirus) SMS scams to look out for
Tips, tricks & hacks 9 min read | Ashley Westwood wrote in blog on July 30, 2020

UPDATED: 30th July 2020

Many scammers and hackers are trying to capitalise on people’s panic in the face of the COVID pandemic. The UN’s World Health Organisation has already issued warnings alerting people to an increase in cyber-criminals disguising themselves as the WHO. They use emails, websites, phone calls, text messages and even faxes.

Attackers are not only exploiting the general public’s rising anxiety about COVID-19 (Coronavirus). They are also leveraging conspiracy theory-based fears around cures, Sinophobia and ‘disinformation’ coming from reputable health and data sources in order to phish vulnerable consumers.

What is Phishing? Phishing is the fraudulent attempt of sending communications (mainly email) pretending to be a reputable organisation or company in order to induce individuals to reveal personal information.

While many Coronavirus scams have been carried out via email, websites and social media; a fair few emerging scams have been SMS-related or are utilising Smishing (text message phishing) techniques. SMS communications have an important role to play allowing trustworthy businesses and organisations to relay important information to you during times of emergency. They can, however, also be used to take advantage of those who are vulnerable or susceptible to the sophistication of these attacks.

As a legitimate SMS solution provider of over 20 years, we believe it is important that you do everything you can to stay updated and knowledgable about these threats.

What is Smishing? The same as phishing except cybercriminals will use SMS or text-message based communications in order to get individuals to reveal personal information.

RELATED: Learn how to spot and protect yourself from COVID-19 scams.

Smishing / text message scam types

1. Alleged ‘charities’ seeking donations or advertising giveaways

Recently the Canadian Red Cross tweeted that they had received multiple complaints from the general public about an SMS campaign to give away free masks from their organisation. This scam was circulated not only by text but also spread via email and on social media.

Face masks are currently depleted in many countries around the world. With many still believing they can protect themselves from the virus by wearing a mask, scammers are heartlessly taking advantage of this need. In reality, face masks do not protect you from the virus. Hospitals and governments, meanwhile, are in desperate need of them to help protect doctors and nurses on the frontline.

Example of smishing scam during COVID-19 pandemic

Often SMS scam offers will come from unknown phone numbers spoofing real organisations. To the untrained eye, this scam SMS above may seem like a valid text message offer from the Red Cross despite its unrecognisable phone number. On closer examination, however, some things really are too good to be true.

What is Spoofing (or a Spoofing attack)? This is when a malicious party disguises themselves as another person, organisation or device (say your Dad’s phone) on a network. They then launch attacks to steal data, spread their malware or bypass access controls such as 2-factor-authentication.

Malicious actors may use tricks such as combosquatting or typosquatting. False domains or websites emulating real organisations are used in conjunction with similar, but mistyped URLs intending to spoof a real organisation as closely as possible. You can see this when you compare the false URL: RedCross-mask.ca against the real Canadian Red Cross’ URL: redcross.ca.

Test message scam warning from @redcrosscanada

We suggest that if you come across an SMS scam like this, check the link first. You can find what the actual one should look like with a quick search in your internet browser. If you are still not sure, contact the charity to confirm that the offer or request is real and from them.

Especially in the case of unsolicited text messages, we recommend you do not click on the link and do not respond.

2. Senders claiming to be government authorities

Recently the Australian Cyber Security Centre issued a public social media warning regarding a recent SMS scam claiming to come from ‘GOV’. This could easily be mistaken as a legitimate government authority in Australia. This may be due to the fact that most Australians sign into myGov, the authorised online portal for citizens to access government services (such as public healthcare, child support and public housing).

Example of a text message scam amid COVID-19 crisis

This particular COVID-19 smishing scam (phishing SMS) encouraged Australians to open a link to find out about new symptoms, as well as where to get tested. Instead, the link leads victims to download malware (malicious software) that will allegedly steal your financial and banking details, such as credit card information.

Unlike scam emails, it’s sometimes harder to tell if an SMS sender is legitimate or not. We recommend that you delete the message and report the scam to the relevant government authority it claimed to originate from.

We also encourage everyone to sign up to alerts from your local government authorities in your state or country, such as Scamwatch, in order to stay abreast of potential COVID-19 scams.

3. Messages inciting fear or capitalising on misinformation

In the middle of March, numerous Kansas residents in the US reported receiving spam SMS messages stating that there had been new confirmed cases at different hospitals in their local area. As you can imagine, it stirred up even more panic and unrest among the locals.

The Kansas Department of Health and Environment immediately issued a public statement, “These are scams and are not true.” In fact, there were no new cases, with current cases at the time remaining at four.

It can be very easy for anyone to fall prey to scams that intend to fan the flames of rising panic and anxiety. We recommend that concerned citizens subscribe to real text alert systems in their local state or city so that they do not become potentially misled by scams like this in future.

Example of subscribing to receive text alerts for Coronavirus updates

RELATED: Learn how to spot and protect yourself from COVID-19 scams.

4. Tax or rebate scams

As the middle of the year has rolled around, scammers are using tax-time as another opportunity to unlawfully relieve consumers of their hard-earned money. One example of this is a scheme purporting to come from the UK’s HMRC (Her Majesty’s Revenue and Customs office) promising a tax rebate to customers if they stay at home.

Others have shown up for UK residents promising rebates based on their income. Another is threatening them to pay tax owed or they will be arrested.

In other cases, scammers are sending fake messages mimicking real messages and Sender IDs from government tax agencies. In Australia, the Australian Tax Office (ATO) will often send text alerts when a new message arrives in your tax account inbox. This particular scam even dupes the myGov or ATO Sender ID, encouraging logins to a fake ATO login website via a link included in the text message.

CREDIT: ATO

To spot the difference, the ATO is telling citizens that official messages will never include a link to log in. Check out their Scam Alerts page for more information on this smishing scam and other related scams.

CREDIT: Scamwatch

5. Contact tracing scams

Scammers are also taking advantage of local residents with contact tracing scams. Contact tracing usually takes place over the phone, most commonly when a public health authority calls a citizen about:

  • positive diagnosis of COVID after a test
  • being in touch recently with someone who has been recently diagnosed
CREDIT: KLEW TV

Because many people have not been contacted, US scammers are preying on their ignorance by using text message communications to scare them into clicking on a false link to learn more about how to self-isolate or what to do. The link instead takes you to a malicious website where it phishes information from your phone, computer or logins.

To spot the difference, make sure:

  • Your best bet is to ignore all text messages to do with contact tracing
  • If you are unsure if it may be real or not, contact your local health authority via their official phone number or website to confirm how communications are sent
  • Do not click on any links, enter any personal information – best to delete right away

6. Financial or support payment scams

Many criminals are also looking to exploit and impersonate banking or financial SMS communications to gain sensitive information, or more critically, access to your bank accounts.

These scams generally offer economic support payments from trusted government agencies, claim to issue fines or request banking details.

CREDIT: Scamwatch

In this example from Australian bank Westpac sent to Aussie citizens, recipients are asked to ‘update’ their details via a link within the text message itself, or call a shortcode link.

CREDIT: Scamwatch

In other cases, scammers are playing on lost income, tough times and economic uncertainty to engage vulnerable people in their schemes. In the above example, recipients in need of cash to support themselves through the pandemic are more likely to mistake this as a real payment and click through to a malicious website.

To protect yourself from these schemes, consider what the text message is asking you to do? Financial fraudsters are usually after card numbers, bank account details, logins and personal information. It’s not likely they will get this from the text message alone so avoid clicking through to a website or suspicious looking links.

RELATED: Learn how to spot and protect yourself from COVID-19 scams.

Further reading on COVID-19

As a global SMS provider, MessageMedia Group wants to reassure businesses that we are being conscientious and proactive during this public health situation. We will do what we can on our end to stamp out Smishing scams and other kinds of bad behaviour that attempt to exploit or take advantage of you during this time. It is important to us that you know we are here to help.

If you want to know how we’re dealing with the rapid spread of this outbreak internally, have a read of MessageMedia Group’s public statement from our CEO, Paul Perrett.

Ready to roll?

Image for Ready to roll?