ALPS blog

Mutated Scams: How to Protect Yourself from Pandemic-Fueled Cyberfraud

Users are more likely to trust technology today than a year ago. Since the pandemic started, devices and apps have been integral tools for school, work, shopping, and even staying connected with friends and family. All aspects of life have become a little bit more digital.

Unfortunately, crime adapted as well. Many real-world scams were no longer possible because criminals were in lockdown along with their potential victims. In response, they digitized and scams became cyber-enabled. This evolution was similar to the digital transformation that normal businesses had to go through in 2020. According to a recent Trend Micro survey, 88% of businesses accelerated their cloud migrations last year. Digital transformation plans were pushed forward in response to the pandemic.

Scammers took advantage of the surge in online commerce and payments, and also heavily targeted businesses and buyers that were settling into new ways of transacting. As illustrated in this report, victims across the world have lost millions to these reinvented scams.

Four Types of Pandemic-related Cyberfraud

The evolution of these crimes shows how regular criminals took advantage of circumstances surrounding the health crisis, and how they were forced to digitize due to global lockdowns. We found that these scams targeted the technologies and activities that have become popular during the Covid-19 pandemic.

We classified them into four categories: online shoppingfood delivery apps, messaging apps, and government assistance.

Scams related to these categories were found across several countries and continents. The range of examples gives an idea of how criminals might be targeting people in different areas. Alongside information on how these new scams work, we provide recommendations to help users avoid becoming victims. We also predict whether these new forms of crime will stay active after the world opens back up.

Online Shopping Fraud

You may be familiar with scammers mimicking real online retailers to phish for your credit card information and other personal information. But rather than spoofing well-known brands, criminals took advantage of the surge in online shopping to build their own online shops to facilitate fraud. These shops are unrelated to any existing stores. Their products are advertised on social networks with prices that are lower (but not unbelievably lower) than real shops, usually offering discounts of 10-20% on popular products.

One good example is a Brazilian online store, which has several red flags:

  • The store has more than 100 user complaints posted in a Brazilian public portal, usually regarding undelivered packages. 
  • The products are not displayed on the site. There are only direct links to the products, and the links are from social media advertisements. 
  • There is a basic grammatical error in the text shown under the “Contact” form. The Portuguese word “apostos” should be written as “a postos.” A Google search of this text reveals other fake online shops with the same text in their Contact pages. 
The shop’s profile on "Reclame Aqui" website
Figure 1. The shop’s profile on “Reclame Aqui” website
The shop’s "Contact us" page
Figure 2. The shop’s “Contact us” page
Google search results for the text used in the shop’s "Contact us" page
Figure 3. Google search results for the text used in the shop’s “Contact us” page

The gangs involved with these scams are clearly well organized. They have people who respond to victims’ complaints, usually with the line “We’re working on it and you should receive your package soon.” Sometimes, these groups actually deliver some orders. This way, the shop is reviewed as one that has low-quality service but avoids being classified as fake, making  it very hard to track the scammers.

According to the Federal Trade Commission (FTC), victims lost USD 420 million in 2020 from online store sales that did not deliver the products.

How to avoid online shopping scams

  • Before buying from an ad on social media, do a basic online search for the store name. See if there are user complaints or obvious red flags, such as obvious grammar mistakes.
  • Be suspicious if a small shop can offer bigger discounts than well-established stores. If it sounds too good to be true, it probably is.
  • Select a significant portion of the text from the shop website section and search for it on the internet. If other online stores share the same content, it may be a sign of fraud.

New Food Delivery Fraud

During the pandemic, hundreds of thousands of people lost their jobs and sought new lines of work. Delivery services of all kinds became hugely popular and were great resources to help restaurants and businesses remain open while individuals were not able to visit stores. According to Statista, the number of smartphone food delivery app users increased from 36.4 million users in 2019 to 45.6 million users in 2020, showing an increase of over 25%. As a result, we observed a whole new category of food delivery fraud cropping up.

Expensive Meals

There has been a significant increase in the number of people registering to become delivery drivers for food apps, and delivery companies have the difficult task of vetting these new employees. We observed a new fraud that became extremely common during the pandemic in South American countries, especially in Brazil.

The scam works as follows: a newly registered driver waits for their first order, accepts it, and goes to the restaurant to pick it up. The driver then calls the user posing as an employee of the restaurant and pretends that there was a problem with the delivery app, but the restaurant can send their own delivery person instead. The impersonator asks the customer to cancel the order in the food delivery app, so the user can get a refund. If the user agrees to this, the driver proceeds to the user’s address.

An example of a PoS tool used by the scammers
Figure 4. An example of a PoS tool used by the scammers

On arrival, the driver has the food order and a Point-of-Sale (PoS) terminal that (conveniently) has a broken display. This allows the driver to input a much higher payment price in the PoS terminal – something like a hundred times the value of the order — and the victim can’t read the display. The driver doesn’t give a receipt and gets away as quickly as possible, leaving the customer, restaurant, and delivery app company clueless.

In August 2020, one town in Brazil registered approximately US$100,000 in losses from this scheme.

How to avoid food delivery fraud

  • If you receive any calls after you ordered some food via a delivery app, pay attention. The apps usually have a chat feature that both the restaurant and the driver can see and everything there is stored. Why would a restaurant or driver call instead of using it? Stay alert.
  • Payment should always happen via the app. No exceptions. If the driver or anyone else asks you to pay differently, it is better to cancel the order and open a new one.
  • If you’re going to pay with a credit card on arrival:
    • Never input your PIN in a PoS-terminal machine if you can’t see the amount on the screen.
    • Always ask for a receipt printed by the machine.

Other Fraud Affecting the Food Industry 

One particular type of fraud affecting the food industry during the pandemic makes use of stolen payment information. An attacker takes online orders (for food or goods) and accepts payment from the customer; but for the order itself, he uses stolen account information. The business model works as follows:


Scammer uses stolen credit information to pay for goods that he delivers to customer
Figure 5. Scammer uses stolen credit information to pay for goods that he delivers to customer

This type of scam has been reported in the US and Canada. The victim, in this case, isn’t the restaurant or the customer, but the owner of the credit card. Sift produced a great report on this happening specifically through Telegram.

According to credit analytics company Fair Isaac Corporation (FICO), fraud dollars spent on delivery increased by 49% from January 2020 to July 2020.

Threats Targeting Messaging Apps

Many people were already keeping in touch with friends and family virtually before the pandemic, but online communication during the crisis and its aftermath has become a necessity. One type of fraud that took advantage of this type of connectivity emerged in 2016, and then significantly increased in activity last year.

The first requirement for this type of scam is a compromised WhatsApp account. Criminals can get this by using stolen contact information to impersonate the victim and then convincing the carrier to activate the victim’s number in a new SIM (sometimes called SIM swapping). Or, they can convince a phone carrier employee to activate the victim’s number on a different phone.

After this first step, criminals activate WhatsApp on the new phone and start asking the victims’ contacts for favors. This usually involves a fake emergency and a request for a wire transfer to a friend’s bank account. The victim’s phone stays without signal during the fraud.

A conversation in Portuguese between a criminal (white) and the victim’s friend (green). The criminal asks for 2,500 Brazil Reals (approximately US$450). The victim's friend pays.
Figure 6. A conversation in Portuguese between a criminal (white) and the victim’s friend (green). The criminal asks for 2,500 Brazil Reals (approximately US$450). The victim’s friend pays.

Criminals adapted during the pandemic, taking advantage of the increase of offers on online selling sites where regular people put up goods for sale (similar to eBay), and started to run the following scheme:

Scammers find advertisements with telephone numbers and ask victim to "confirm" a code sent by SMS. When the victim sends them the code, they say "ad is confirmed."
Figure 7. Scammers find advertisements with telephone numbers and ask victim to “confirm” a code sent by SMS. When the victim sends them the code, they say “ad is confirmed.”

The code sent via SMS is actually from the WhatsApp backend — the criminals trigger this to try and activate the victim’s WhatsApp account on a different phone (using a SIM card with a different number). If the user sends them the code, criminals can access the victim’s WhatsApp account and start scamming their contacts.

This updated version of the 2016 scam is uniquely suited to pandemic circumstances since many buying and selling transactions have moved online. According to local reports, this scheme already victimized more than 5 million people in Brazil in 2020.

How to avoid scams that target messaging apps

  • Do not post your phone number publicly on the internet (ads, social profiles, etc).
  • Enable two-factor authentication for all your messaging apps.
  • If you are contacted by a friend that asks you for money, try to call him/her using the phone number (voice call) to confirm the story.

I Did Pay You!

The pandemic also heavily affected individuals buying and selling goods. Those at home with items to sell had to turn to online channels because of global lockdowns and quarantines. The pandemic’s economic impact also meant fewer buyers with disposable income.

This became a window of opportunity for criminals in Russia, where a Telegram bot was discovered in October 2020 with a unique feature. Based on legitimate sales information, it would generate a screenshot of a money transfer to Sberbank Online, a leading banking and financial services company in Russia.

Scammers create fake deposit slip screenshots to steal goods
Figure 8. Scammers create fake deposit slip screenshots to steal goods

The fake payment slip has the seller’s personal information (gathered through the normal pre-sale conversation) so it can look completely legitimate. The “buyer” (criminal) shares the screenshot as proof of payment and picks up the goods being sold.

For the seller, it would appear to be perfectly normal until they realize they didn’t receive payment for that transaction. A savvy seller might contact Sberbank about the missing payment, with the screenshot as reference, but the bank would have no record of the money transfer. And by that time, the “buyer” would have already erased his Telegram account.

While this exact scenario has only been seen in Russia using Telegram, to our knowledge, a similar scheme could work in other places. If the Telegram bot were replicated, or if something similar was created for Facebook Marketplace, this could be repeated to impact unsuspecting victims around the world.

Our recommendation for avoiding this particular type of scam is to request physical payment, or to fully verify payment is received before the goods are picked up or delivered to the buyer.

Threats Targeting Government Assistance

In Germany, loans of unlimited size were offered to businesses to help fill revenue gaps when the pandemic first peaked. This piqued the interest of local fraudsters, resulting in more than 25,000 cases of fraud. One man, in particular, stood trial for fraudulent claims amounting to more than US$3 million. The claims were submitted via digital forms, using false company information. In an attempt to stop the fraud, tax advisers were required to file the claims. This curbed the original issue, but criminals began filing claims for existing companies.

Germany wasn’t alone in this type of abuse. Unemployment fraud also rose significantly in 2020. More than US$36 billion was stolen by scammers filing false unemployment claims. A recent report explains how criminals used stolen personally identifiable information (PII) to impersonate Americans and receive unemployment aid. In these cases, the stolen PII is found in cybercriminal forums and used to submit forms digitally. While this could be done by any scammer, the criminals in this instance were located in Nigeria.

While scams against government funding are not new, these two particular examples were largely enabled by the pandemic. Criminals took advantage of the situation to steal available funds from the intended recipients.

Will This Type of Cyberfraud Continue After Covid-19?

From the frauds outlined above, we see how criminal groups can improve and adapt their modus operandi very quickly. It shows how citizens and businesses alike should be prepared for the uncertain and learn to protect themselves from digital threats.

This digital transformation of crime also raises a question: Will criminals continue with these scams after the world recovers from Covid-19? We predict they will. Digital versions of fraud allow criminals to work from home just like the rest of us. There is a high likelihood that these attacks will continue to work until more people are aware of the risks — this means there’s no need for criminals to abandon these new methods even when more physical crimes are accessible again.

In today’s world, almost all types of crime can have a cyber component, which means consumers need to stay alert. Consider the circumstances and contextualize the situation. Could this message be false? Could this website be fake? Could this person I’m talking with be lying? How can I verify all of that? These are questions that should be asked before giving out any type of personal data or payment information.

With additional insights from Vladimir Kropotov and Martin Roesler


Featured News