On the contrary, the most lucrative COVID scams aren’t necessarily any more sophisticated than a shell game on a street corner. But the criminals behind them are persistent and insidious, and they’ve already cost Americans nearly $600 million.1
Here’s a list of the most dangerous COVID scams circulating today, along with some best practices you can add to your digital hygiene quiver to stop pandemic grifters from taking you for a ride.
You get a text, email, or phone call from a “government official” asking for your personal information and/or a payment so they can issue you a “vaccine certificate” or passport.
Scammers could also contact you offering a reward if you complete a short survey on your vaccine experience. The MO is the same. They’ll ask you for private details, including bank or credit card info (for non-existent shipping fees).
Don’t respond, click, or give any information over the phone to anyone that says they’re from the federal government — or from Pfizer, Moderna, or AstraZeneca. No one from the government (or a pharmaceutical company) will ever call you to chat about COVID vaccines.
If the scam comes in the form of an email, flag it as a phishing attempt inside your email client. If you get an SMS or phone call, block the number. Then head over to reportfraud.ftc.gov to report the fraud.
You get a phone call where there is no live speaker, just a recorded message offering you a free home COVID-19 testing kit, special pandemic health insurance, financial relief, or a fake vaccination appointment. Robo grifters have even targeted high-risk groups like people with diabetes, plying them with promises of free diabetes monitoring equipment.
Try to answer phone calls from your known contacts only. Obviously, this isn’t always possible. If a robocall slips through, hang up. Don’t interact with the bot by pressing a number.
Next, report the call to the FTC at DoNotCall.gov. Have the following info handy: your number, the caller’s number (as it appears on your phone or caller ID), and any number the criminals told you to call (if you have it), along with the date and time of the call.
Digital Safety Tip: Consider downloading a call-blocking app for your mobile phone. Like the best malware-blocking virtual private networks (VPNs), call blockers pull the latest data from victim reports and FTC scam lists, and then flag illegal callers and likely scammers, so you won’t have to talk to another COVID spambot again.
You get an SMS or phone call from a criminal posing as a COVID-19 contact tracer, claiming you’ve been in close contact with an infected person and need to take immediate action. Contact tracing scammers will ask you to visit a (malware-infested) website and give sensitive details like your Social Security number and insurance information. They may also request a fee for their “services” outright, and ask for your bank or credit card info to process the payment.
Medical grifters already have the odds stacked in their favor. We’re all worried about getting sick. Our fear makes their jobs easier. Even worse (for us), there are states that actually do use SMS for contact tracing.
Never click on a link in an SMS if you don’t know who’s sending it. Real government contact tracers won’t ask you to click on a link. They’ll contact you by phone (after an initial message), and they won’t need any information from you. They’ll already have it.
And remember, double-checking the actual phone number of your state’s contact tracing program is a Google search away. If you suspect you’ve gotten a bum SMS, tell the FTC about it immediately.
You get a package delivery notice via SMS or email with a “tracking link” embedded inside. You might also get a voicemail asking you to call a number or a physical notice in your mailbox or at your door. Some fraudsters will ask you to pay a “customs fee” or tax to finalize delivery.
Be careful. These notifications may look exactly like the ones you get from the post office or from shipping companies like UPS, making them very easy to sneak past your defenses.
Don’t click on any links you’re not 100 percent sure about. You’ll either end up on a website asking for personal details or you’ll unwittingly open up your device to a nasty code-borne disease. Instead, if you’re in any doubt, go directly to the delivery service’s website and use their tracking system.
You (or an older loved one) get a text, email, or letter warning that the Social Security Administration is suspending or cutting benefits because of the pandemic.
You might also get a similar fake warning from the “IRS” about a stimulus check, an overdue payment, or a problem with your tax forms. Some older folks have even gotten robocalls touting pandemic investment hoaxes, fake pension fund shelters, and sham stocks in made-up vaccine cures.
And don’t forget the tried-and-true “grandparent scam,” where a criminal weasels their way into the good graces of an older family member — either by posing as a relative by phone or email, or through personal contact — and wipes out their bank accounts.
The list goes on.
These fraudsters may be the worst of a thoroughly rotten lot. They use basically every trick in the book, and there’s no roach motel big enough to fit them all.
The best defense against these lowlifes is to remember the four “Ns”:
You make a payment (for goods or services) or donate to a charity using a P2P mobile payment app like Venmo or Zelle. But you never actually buy or donate anything. Your money just disappears inside a grifter’s wallet.
Use Venmo to split a check with someone you know and trust, not to pay for a used refrigerator on Craigslist. It’s easy enough to type in the wrong name and pay some random Venmo user by accident. You don’t want to risk buying a new Xbox One for a stay-at-home thief.
Here’s a better idea. When you’re paying in-person, use your banking or credit card app. Most of them should have a contactless solution. That way you’re actually protected if the transaction goes sideways.
Digital Safety Tip: If you have an app that has two factor authentication (2FA) built in, always take advantage of it. With 2FA enabled, every time you log in, you’ll need to enter a one time password (OTP) that gets sent by SMS or email, or via an authentication app – the safest of the three options. This will make it almost impossible for a hacker to break into your accounts.
You get an email or phone call from the “IRS.” The thief-cum-government tax man tells you you need to pay to get your relief check, an oxymoron if there ever was one.
Stimulus hounds might also ask you for sensitive details you should never share with anyone, like your SSN, bank account info, or (if you’re entitled to one) your government benefits debit card account number.
If you hand over your details, the EIP scammer will file for a stimulus payment check in your name. They can technically use your info to do anything: open up a bank account, apply for a driver’s license, or take out a loan in your name. When it gets to that point, we’re actually talking about hardcore identity theft.
First, remember that the IRS won’t ever call you, text, or email you. They will definitely never friend you on Facebook, as EIP fraudsters have been known to do. So don’t respond to anyone claiming to be from the IRS. Ever. Any transactions you make with the IRS regarding your EIP payments should be via their official website.
Secondly the IRS will never ask for your details because they already know who you are. And thirdly, you don’t have to pay to get a stimulus check.
If you keep these three caveats in mind, you should be able to spot a stimulus check scammer from a country mile away.
You get an email or SMS from your “state workforce agency” (SWA) urging you to click on a link to verify personal information or claim your benefits. If you click on the link, you end up on a sham SWA website that scoops up any info you leave. A cyber scammer then fills out a Form 1099-G (in your name), kicks back, and waits for their unemployment check in the mail.
Fake messages can look a lot like the real McCoy, but they never are. Here’s why. State agencies don’t have mobile phones, and they never ask for personal info (because they already have it). So if you get an SMS from the SWA, dump it. Then visit the State Directory for Reporting Unemployment Identity Theft and report it.
If you’ve ever tuned into “The Flash” on Netflix, you’d know that in the Flash multiverse, an infinite number of Earths exist at the same time. On one Earth, you may be a bank robber, on another a detective.
On our earth — Google Earth — a new breed of bottom-feeding scammer is tapping into our biggest fears and insecurities to cheat us in the worst ways imaginable.
And, really, nothing is off limits for them.
But that doesn’t make them unstoppable. In fact, the COVID grifter’s bag of low-tech scams is pretty easy to avoid.
The most basic rule of thumb is to remember: The government won’t reach out to you, certainly not via SMS or email. So if you get a text message from your pal John Green at the IRS, don’t respond.
If you do make the mistake of clicking on a link in John Green’s SMS, don’t give John any info. (And also clean out your device, because you’ve probably been infected by John’s malware. Better yet, use a malware blocker so you’ll get a warning before you even have the chance to click on a bad link!)
The Federal Trade Commision takes COVID scams very seriously. After all, they’ve cost us over a half billion dollars and counting. If you suspect a COVID grifter has made contact with you, report it immediately.
For real peace of mind, consider investing in a reputable ID monitoring service. There are little grifts and gigantic scams out there. You can’t keep track of them all. Companies that specialize in identity theft protection are watching 24/7, and they see it all.
So whether it’s your mobile carrier or the local Pizza Hut that’s been compromised, if you ever get entwined in fraud that can potentially cost you your life savings, with first-rate ID theft protection, you’ve got a way out.
Tableau Public. (2021). FTC COVID-19 and Stimulus Reports. COVID-19 and Stimulus Reports by Federal Trade Commission.