20 March 2020
3 COVID-19 (Coronavirus) SMS Scams To Look Out For
This is a time when we should be working to support each other in unity. It is unfortunate to see many scammers and hackers trying to capitalise on people’s panic in the face of this serious public health situation. The UN’s World Health Organisation has already issued warnings alerting people to an increase in cyber-criminals disguising themselves as the WHO. They use emails, websites, phone calls, text messages and even faxes.
Attackers are not only exploiting the general public’s rising anxiety about COVID-19 (Coronavirus). They are also leveraging conspiracy theory-based fears around cures, Sinophobia and ‘disinformation’ coming from reputable health and data sources.
For example, researchers at cyber-defence provider COFENSE have identified a serious phishing email campaign that appears to come from well-known The Centre For Disease Control (CDC). The fake email warns recipients that the disease has “officially become airborne and there have been confirmed cases of the disease in your location.” The email goes on to link to a page that purports to list alleged ‘safe havens’, but instead sends victims to a forged Microsoft-branded site in order to steal personal credentials.
What is Phishing? Phishing is the fraudulent attempt of sending communications (mainly email) pretending to be a reputable organisation or company in order to induce individuals to reveal personal information.
Even for the trained eye, Cofense has admitted this is a “good forgery” with spoofed display names and addresses making it appear as if it truly is from the CDC. Given the sophistication of these scams, we can only expect this to rise. For example, the now famous Coronavirus COVID-19 Global Cases by John Hopkins map has been spoofed in order to steal personal information. According to ESET cybersecurity researcher Jiri Kropac, there was a wave of 2,500 malware infections delivered via COVID-19-themed emails just this past Monday.
While many Coronavirus scams have been carried out via email, websites and social media; a fair few emerging scams have been SMS-related or are utilising Smishing (text message phishing) techniques. SMS communications have an important role to play allowing trustworthy businesses and organisations to relay important information to you during times of emergency. They can, however, also be used to take advantage of those who are vulnerable or susceptible to the sophistication of these attacks.
As a legitimate SMS solution provider of over 20 years, we believe it is important that you remain safe against these kinds of threats. It is believed they are only likely to increase in the months that follow.
What is Smishing? The same as phishing except cybercriminals will use SMS or text-message based communications in order to get individuals to reveal personal information.
Types of smishing messages or text scams to be wary of
1. Text messages claiming to come from known charities seeking donations or advertising giveaways.
Recently the Canadian Red Cross tweeted that they had received multiple complaints from the general public about an SMS campaign to give away free masks from their organisation. This scam was circulated not only by text but also spread via email and on social media.
Face masks are currently depleted in many countries around the world. With many still believing they can protect themselves from the virus by wearing a mask, scammers are heartlessly taking advantage of this need. In reality, face masks do not protect you from the virus. Hospitals and governments, meanwhile, are in desperate need of them to help protect doctors and nurses on the frontline.
Often SMS scam offers will come from unknown phone numbers spoofing real organisations. To the untrained eye, this scam SMS above may seem like a valid text message offer from the Red Cross despite its unrecognisable phone number. On closer examination, however, some things really are too good to be true.
What is Spoofing (or a Spoofing attack)? This is when a malicious party disguises themselves as another person, organisation or device (say your Dad’s phone) on a network. They then launch attacks to steal data, spread their malware or bypass access controls such as 2-factor-authentication.
Malicious actors may use tricks such as combosquatting or typosquatting. False domains or websites emulating real organisations are used in conjunction with similar, but mistyped URLs intending to spoof a real organisation as closely as possible. You can see this when you compare the false URL: RedCross-mask.ca against the real Canadian Red Cross’ URL: redcross.ca.
We suggest that if you come across an SMS scam like this, check the link first. You can find what the actual one should look like with a quick search in your internet browser. If you are still not sure, contact the charity to confirm that the offer or request is real and from them.
Especially in the case of unsolicited text messages, we recommend you do not click on the link and do not respond.
2. Text scams that claim to come from a government authority about COVID-19.
Recently the Australian Cyber Security Centre issued a public social media warning regarding a recent SMS scam claiming to come from ‘GOV’. This could easily be mistaken as a legitimate government authority in Australia. This may be due to the fact that most Australians sign into myGov, the authorised online portal for citizens to access government services (such as public healthcare, child support and public housing).
This particular COVID-19 smishing scam (phishing SMS) encouraged Australians to open a link to find out about new symptoms, as well as where to get tested. Instead, the link leads victims to download malware (malicious software) that will allegedly steal your financial and banking details, such as credit card information.
Unlike scam emails, it’s sometimes harder to tell if an SMS sender is legitimate or not. We recommend that you delete the message and report the scam to the relevant government authority it claimed to originate from.
We also encourage everyone to sign up to alerts from your local government authorities in your state or country, such as Scamwatch, in order to stay abreast of potential COVID-19 scams.
3. Any SMS messages capitalising on public fears and misinformation.
In the middle of March, numerous Kansas residents in the US reported receiving spam SMS messages stating that there had been new confirmed cases at different hospitals in their local area. As you can imagine, it stirred up even more panic and unrest among the locals.
The Kansas Department of Health and Environment immediately issued a public statement, “These are scams and are not true.” In fact, there were no new cases, with current cases at the time remaining at four.
It can be very easy for anyone to fall prey to scams that intend to fan the flames of rising panic and anxiety. We recommend that concerned citizens subscribe to real text alert systems in their local state or city so that they do not become potentially misled by scams like this in future.
Further reading on COVID-19
As a global SMS provider, MessageMedia Group wants to reassure businesses that we are being conscientious and proactive during this public health situation. We will do what we can on our end to stamp out Smishing scams and other kinds of bad behaviour that attempt to exploit or take advantage of you during this time. It is important to us that you know we are here to help.
- Read our article on How you can protect yourself against SMS scams right now
- With the rising number of COVID-19 SMS scams, we’re sure you don’t want recipients mistaking them for one. Check out our Best practices for making sure your SMS broadcasts don’t sound like spam.
- Make sure to visit our COVID-19 (Coronavirus) Resources Hub, which is filled with more useful support material.
- Check out our COVID-19 urgent communication messaging templates and preparation checklists for organisations wanting to reach out in times of emergency.
If you want to know how we’re dealing with the rapid spread of this outbreak internally, have a read of MessageMedia Group’s public statement from our CEO, Paul Perrett.
You may also like ...
16 June 2020
Businesses are adopting all kinds of automations to save time and drive efficiencies from sales right across to customer support and operations. See what kinds of SMS automation will work for you.Read more
15 June 2020
Father's Day is another ripe opportunity on the retail calendar to boost sales in 2020. Find the best way to leverage this $17B public holiday using SMS with our handy Father's Day tips and templates guide.Read more