Skip to content

First comes the coronavirus, then comes the fraud

Are scammers ruining your customer experience?

E-book: "Don't Forget Your Customer When it Comes to Fraud"


With millions in the U.S. and around the world holed up at home in the midst of the COVID-19 pandemic, the groundwork for future fraud schemes appears to be underway, according to a number of experts.

Cyber attacks — such as phishing, malware distribution and brute force login attempts — aimed at stealing sign-on credentials are particularly on the rise, security experts say. 

“Cybercriminals will often take advantage of trending topics in the news, such as the coronavirus, to try and prey on consumers using fear and urgency tactics,” Gary McAlum, senior vice president and chief security officer for USAA, told American Banker.

What you need to know
  • Since the COVID-19 outbreak, cyberattacks appear to be on the rise. Criminals are turning to phishing scams, malware distribution and brute force log-in attempts, in which bots try to log on until they find the right combination of credentials.
  • Security experts warn that consumers are particularly susceptible to such attacks in times of natural disaster and, yes, in the midst of a pandemic. With many more people working from home, the surface area for attackers has expanded.
  • Retailers, as well as consumers, need to remain vigilant, because stealing identities can be the first step in launching widespread online fraud attacks. Retailers also have an opportunity to help educate customers, so the initial attacks against consumers are not successful in the first place.

Experts say times of anxiety and crisis are prime time for the attacks, which trick people into disclosing log-in credentials by sending an authentic-looking email from a company or organization the recipient is familiar with. The credentials are then used in account takeover fraud (ATO) attacks in which criminals seize consumers’ online accounts and make unauthorized purchases. 

And with the coronavirus forcing many to spend their days at home, fraudsters have the advantage of a captive audience — literally.

“People are at home and they are probably accessing the internet more,” says Ping Li, Signifyd’s head of risk operations. “Everybody is relying on online — online shopping, online communication. You’re online much more.” 

Be skeptical when receiving COVID-19-related emails

In fact, cybersecurity companies Fortinet and Sophos this month identified particularly pernicious scams that appear to be helpful emails at a stressful time, ZDNet reports. One email appears to include information preventing the contraction of COVID-19 and another that claims to be a “Coronavirus Customer Advisory” containing a PDF that explains shipping delays due to the virus. The PDF, in fact, is a piece of malware.

Consumers are more likely to respond to malicious emails during the health crisis, because they are hungry for information about the virus. Especially tempting are a number of bogus emails that appear to come from the World Health Organization or the Centers for Disease Control and Prevention. 

The ecommerce fraud implications of these attacks, of course, are yet to be fully realized. Stealing credentials is only step one. 

“The phishing attack is to harvest the account,” Li says. “So in the future, we should expect waves of ATO attacks, where fraudsters put those accounts to use against merchants.” 

Retailers can help protect consumers from coronavirus scams

This vulnerable period is a chance for retailers to reach out and support consumers by offering guidelines and advice on preventing digital missteps, Li added. Merchants could consider adding a web page or section with reminders not to click on links in suspicious or unexpected emails. Guidance on password hygiene would be helpful for consumers. And it might ultimately spare retailers the inconvenience and potential financial losses related to being a victim along with customers of ATO attacks.

Some nudging is likely needed, as many of us know from our own password practices. Moreover, in a late 2018 survey of consumers, Signifyd found that 43.1% use no more than four passwords across all their online accounts. And 41.7% said they don’t change their passwords on retail accounts once they are established. Experts, of course, recommend using unique passwords on digital sites and changing them frequently. 

Like so much in the time of COVID-19, the prospect of increased fraud and cybercrime calls for vigilance. It’s possible online retailers aren’t seeing heightened fraud pressure yet. But it is likely coming and they should make sure their fraud teams or fraud protection systems are prepared for what could be on its way.

Photo by Getty Images

Mike Cassidy

Mike Cassidy

Mike is the head of storytelling at Signifyd. A former journalist and a retail geek, he covers ecommerce and the way technology is transforming digital commerce. Contact him at [email protected].