Scammers Target Remote Workers with Email Phishing Campaigns

By Lindsay Scott and Kathie McDonald-McClure

According to a recent USA Today article, the Federal Trade Commission (FTC) reported that it had received 83,858 fraud reports this year through August 9th relating to COVID-19 and the economic stimulus packages. Many of these fraud reports are connected to email phishing campaigns that target remote, telework or furloughed employees.

In one type of phishing campaign, scammers send emails to workers telling them that their employment is being terminated as a result of COVID-19 and purports to offer termination package options. These termination email scams provide clickable links inviting the employee to attend a teleconference meeting or to obtain additional information concerning the termination packages. Instead, these links download malicious software or require the employee to enter personal information, such as a Social Security number, in an attempt to steal their identity and ultimately commit financial fraud that harms the employee. Employees who receive a suspicious email telling them they are being terminated should notify their human resources department or other designated person in the organization.

In another phishing campaign, scammers send emails that purport to perform COVID-19 contact tracing and ask for money, credit card information, or Social Security numbers. Legitimate contact tracers need information about health and contacts, not money or personal financial information. On its Consumer Information blog, the FTC offers these tips to avoid falling prey to a contact tracing scam:

  • Don’t pay a contact tracer.
  • Don’t give your Social Security number or financial information.
  • Don’t share your immigration status.
  • Don’t click on links or download anything sent from a purported contact tracer.

Employers should consider alerting their workforce about the heightened risk of phishing scams during the COVID-19 pandemic, and provide training on how to identify such emails and how to safely report them. If you are an employer and think your workforce has been targeted with one of these phishing campaigns, you can report the suspected activity to the FTC here. For additional information on COVID-19 phishing scams and FTC guidance and tips on how to spot malicious emails, go to the FTC’s Coronavirus Advice for Consumers webpage.

To read more on protecting your remote workers, see our article, Data Security in the “New Normal” of Teleworking. For guidance on responding to a cybersecurity incident within the first 24-48 hours, see our Six Tips, which can also be found on the blog’s Data Incident Response Team tab. For information about Wyatt’s Data Privacy & Security Incident Response Team, see the tab on this blog to the Data Incident Response Team and our Data Privacy & Incident Response Team brochure.