The Covid-19 pandemic has created prime conditions for scams. From phishing attacks to unemployment fraud, attackers have put new, more exploitative twists on their classic hustles. And now the Federal Trade Commission is warning that those fraudsters have designed scams around state contact-tracing initiatives.
You’ve probably heard a lot about contact-tracing mobile apps, but state health departments have also been ramping up manual programs staffed by trained volunteers. The idea is to “trace” people who have been in contact with someone who has tested positive for Covid-19, and advise all those who may have been exposed to quarantine strictly at home and monitor for possible symptoms. For all of this to work, contact tracers need to get in touch with lots of potentially impacted people, and many states are sending text alerts to call contact-tracing hotlines. But given that scammers are already adept at blasting out misleading SMS text messages, contact-tracing communications have become a compelling communication to co-opt for fraud.
“There’s no question, contact tracing plays a vital role in helping to stop the spread of Covid-19,” Colleen Tressler, an FTC consumer education specialist wrote in an alert on Tuesday. “But scammers, pretending to be contact tracers and taking advantage of how the process works, are also sending text messages. Theirs are spam text messages that ask you to click a link. Don’t take the bait.”
The malicious text messages can include links that either download malware onto your device with one click or take you to a phishing page that tricks you into inputting personal data or a password. One sample SMS scam provided by the FTC reads, “Someone who came in contact with you tested positive or has shown symptoms for Covid-19 & recommends you self-isolate/get tested.” It then prompts the target to learn more by tapping a URL. Such malicious texts could also direct you to call a fake hotline to continue the ruse and grab your information there.
“Because there hasn’t been a lot of communication yet about what an ‘official’ contact-tracing notice would look like, users have few ways to ascertain whether what they received is a scam,” says Jake Williams, a security consultant and founder of the firm Rendition Infosec. “This is only complicated by the fact that messages might differ across regions, health departments, etc.”
The flurry of new programs and services set up in response to the pandemic can certainly be hard to keep up with. The FTC points out, though, that there are still some basic touchstones you can use to spot a scam. For example, real health department contact tracers will never ask you for your Social Security number, credit card details, or other financial information. And they won’t ask you to send money anywhere or participate in any type of transaction.
“In our experience, the most successful scam pretexts do two things. First, they put a user into a state of confusion by introducing a new challenge. Second, they compel the user to act,” Williams says. “Covid-19 contact tracing is a great example of something that does both. The actions the victim must take, including clicking a link, downloading a document, or submitting information are plausible.”
No one would fault you for a trap during a pandemic, but there are precautions you can take to minimize your risk. Make sure you have two-factor authentication set up on as many of your online accounts as possible. That way even if a hacker gets one of your passwords they’ll still have a tough time actually getting in. Make sure you’re keeping up with software and operating system updates to plug as many holes as possible against malware. And look into filters and blocking services if you’re really being inundated with junk calls and texts.
The pandemic and corresponding world economic crisis are stressful enough, but as official contact-tracing programs ramp up, it’s unfortunately necessary to discern the real alerts from the scams.
More Great WIRED Stories