DC Metro: Beware of Online (and Offline) COVID Scams

The COVID-19 pandemic, though a terrible thing, has brought out the best in many people in the DC Metro area. Washington, DC volunteers are providing hot meals for hungry children in Southeast Washington. Mutual aid lists divided by DC neighborhoods each contain the names of dozens of people and how they can help.

Unfortunately, while some people are doing everything they can to help, there are others eager to take advantage of people during these uncertain times. As of March 30, 2020, the FBI’s Internet Crime Complaint Center (IC3) has received and reviewed more than 1,200 complaints related to COVID-19 scams (source).

Criminals are using fake emails or texts. Their goal is to get you to share personal information such as:

  • Account numbers
  • Social security numbers
  • Login IDs and Passwords

Here are a few examples of recent COVID-19 scams.

Mandatory Online COVID-19 Test

A message purporting to come from the US Department of Health and Human Services (HHS) asks recipients to click on a link to take a “mandatory online COVID-19 test.” The link directs recipients to a fake website designed to collect personal, financial and medical information.

US Small Business Association Application

A message purporting to come from the Small Business Association (SBA) provides recipients with an application number which they can use to apply for a “small business disaster assistance grant.” To do so, they need to sign an attached business document authorizing a request for a tax return transcript and upload it on SBA’s website. The application process follows the same sequence that the SBA follows. Once uploaded, it downloads a sample of the Remcos remote access trojan.

Fake Pop-Up Testing Sites

Not all scams are online. Some criminals stoop so low as to create pop-up testing sites for COVID-19. The FBI is investigating fake test sites in Louisville, Kentucky and Birmingham, Alabama. There have been reports of additional fake testing in Arizona, Florida, Georgia, New York, and Washington state.

What You Can Do

Do not click on unknown links from your cell phone or computer. Go to trusted websites by typing in the URL yourself. The following are trusted websites:

You can protect your computer and electronic devices by:

  1. Keeping your software up to date and using security software
  2. Setting your cell phone to update software automatically
  3. Enabling multi-factor authentication on your accounts (i.e., you are granted access only after successfully presenting two or more pieces of evidence to an authentication mechanism)
  4. Backing up your data regularly and taking the backup offline

Last but not least, the following tips are the FBI’s recommendations for good cyber hygiene and security measures:

  • Do not open attachments or click links within emails from senders you don’t recognize.
  • Do not provide your username, password, date of birth, social security number, financial data, or other personal information in response to an email or robocall.
  • Always verify the web address of legitimate websites and manually type them into your browser.
  • Check for misspellings or wrong domains within a link (for example, an address that should end in “.gov” ends in “.com” instead).