Got a fake profile? It’s not just you. Cyber scammers have been busy during the pandemic

Listen 4:21
Hacker

(ShutterStock)

A friend recently asked me if I’d started a food or perhaps a comedy blog — they couldn’t tell.

I hadn’t. Yet, there it was, a link to a website bearing my name that listed the Philly news outlets where my reporting has been published, and, inexplicably, featured blog entries on topics like Philadelphia Art Museum and pickled pork feet. Another search brought me to a fake LinkedIn profile using my name, directing people to this website.

While my gut said it was a troll, friends suggested a bot of sorts or some kind of cyber scheme.

Experts couldn’t rule out my troll hypothesis, but said chances are, I could be a cog in a cybercrime in the making — one of thousands of attacks that happen every day, especially during the COVID-19 pandemic.

“Every year, there are more attacks than the one before across almost every category,” said Pablo Molina, Drexel University’s chief information security officer.

According to Federal Trade Commission data, the Philadelphia metro area was already seeing a steady rise in fraud reports of all types since 2017. Then, last year, the FTC saw fraud reports jump by more than 50% from 2019, the highest increase in three years, with more than 67,000 reports.

Imposter scams were the most reported scheme with roughly 7,000 of them reported in the region in 2020. Someone calls, texts, or emails claiming to be someone you know, saying they need money. “Money for a nonprofit, money because you’d been kidnaped, money for any particular reason,” said Molina.

Sometimes the scammers will skip the emails and create fake profiles of real people on platforms like Facebook or LinkedIn. They add people they know to make the pages look real and then ask them for money.

Fraudsters continue to get more sophisticated, targeting individuals, as well as nonprofits and large companieseven an oil pipeline.

For example, Philabundance fell victim to an elaborate cyberattack last year. According to The Philadelphia Inquirer, cybercriminals gained access to sensitive information to control email filters. Then, they impersonated a contractor Philabundance worked with while blocking the actual company’s email. With a fake invoice, the imposter tricked the nonprofit, which provides food to those in need, into sending close to $1 million.

And cybercriminals left the King of Prussia-based Universal Health Services scrambling last September during a ransomware attack. In some cases, hospitals had to divert patients elsewhere as they were locked out of their own information systems. Returning to normal operations took about three weeks and racked up $67 million in pre-tax losses, according to trade publication HIPAA Journal.

The confusion brought on by the COVID-19 pandemic gave cybercriminals new entry points for scams. They sent out emails advertising personal protective equipment when it was in short supply, as well COVID-19 treatments, with links to websites loaded with malware ready to steal personal information — another possible explanation for my fake website, Molina said.

“The bad guys were also locked and home and more bored than ever with more time in their hands than ever before,” added Molina.

Why do scams keep increasing?

“People just don’t listen,” said Jason Thatcher, who holds the Milton F. Stauffer Professorship in the Department of Management Information Systems at the Fox School of Business of Temple University.

Thatcher says developers have created educational programs that teach people cues to look out for or send test phishing schemes to see who falls for them.

“We just haven’t figured out how to crack the nut of how to train people effectively in a way that they’ll internalize it and they believe in it … For whatever reason, there’s this 1 to 2% of the population that just doesn’t listen,” he explained.

And it’s not as though the scams are going anywhere. According to cybersecurity company Proofpoint, phishing attempts spiked again in late June as “delta variant” became a popular search item on Google.

Ok, so what can we do to prevent them?

  • Be suspicious of emails that sound urgent. Whether it’s the CEO of your company or a relative, be wary of emails asking for sensitive information in a hurry. Experts say it doesn’t hurt to take the extra minute to call that person to verify they sent the message.
  • Look for typos. Scammers will create websites that look legitimate, but the email address might be one letter off (i.e. Microsoft becomes “Micosoft.”)
  • Report your grievances. Molina said it’s likely incidents of phishing and malware attacks are underreported because most everyday people don’t know where to go to report them.

“No one wants to admit they happen,” adds Thatcher of company breaches. “There’s not an FCC requirement to know what sort of phishing attack happened there.”

The result is the public only learns about cyberattacks if they affect a business operation.

Experts suggest reporting an attempted attack because it can help agencies spot emerging trends.

Phishing emails can be reported to the Federal Trade Commission (reportphishing@apwg.org) and phishing text messages can be forwarded to SPAM (7726).

If you have already been a victim of a cybercrime, you can file a complaint with the FBI’s Internet Crime Complaint Center.

State attorneys general offices also collect this information through their consumer protection bureaus and may be able to help you gain some restitution.

If someone is impersonating you on Facebook or another social media platform, you can report it to those companies. Domain registrars like GoDaddy have abuse reporting forms, though if someone is sitting on the domain with hopes of selling it to you at an exorbitant price, Molina says this will likely make the scammer realize the site has value.

Keatron Evans is the principal security researcher for Infosec Institute, a cybersecurity education company, and said it’s not too late to get serious about your safety.

“Treat your identity like you treat your credit. You have credit monitoring services. Do a watered down version of that on your own with your identity,” said Evans. “Google yourself, look to see what’s out there.”

Free, open-source tools like Maltego can also help scrape the internet for any new mentions of you online, said Evans.

Get daily updates from WHYY News!

Want a digest of WHYY’s programs, events & stories? Sign up for our weekly newsletter.

Together we can reach 100% of WHYY’s fiscal year goal