Content, Content

Covid-19 Relief Aid Confusion Spikes Spam Emails on Small Businesses

Nearly 40 percent of small business owners believe they’ve been targeted with malicious coronavirus (Covid-19) spam emails, a recent IBM Security study found.

Uncertainty about the availability and allocation of financial relief funds has confused small business owners while simultaneously creating new opportunities for cyber attackers to prey on unsuspecting victims, the 2020 Consumer & Small Business COVID-19 Awareness survey, co-authored by IBM and researcher Morning Consult, said. Among the 200 small business owners represented in the study of some 2,300 participants, 42 percent were unfamiliar with small business loans offered by the government to mitigate Covid-19 related losses.

The report, which stresses small business and consumer awareness of Covid-19 spam campaigns (a specialty of managed security service providers), aims to strengthen their understanding of legitimate channels government uses to communicate with constituents. Since mid-March, Covid-19 related phishing lures mimicking the Small Business Administration (SBA), the World Health Organization (WHO), banks offering relief funds, the U.S. Federal Reserve and other government organizations, have spiked by 6,000 percent, according to the report. For example, spam that impersonates the SBA and promises government relief funds trick victims into opening a spoofed application attachment that triggers a malware infection, the report showed.

Here are some of the major findings from small businesses in the report:

  • 58% are familiar with small business loans offered by the government to mitigate Covid-19.
  • 14% are very knowledgeable about accessing the small business loan relief program from the government.
  • 37% have received unsolicited Covid-19 related emails they suspected were malicious spam.
  • 57% expect to receive official information about Covid-19 via email.

And, some key findings from consumer respondents:

  • 46% expect to receive official information on Covid-19 via email.
  • 33% expect to receive official information on Covid-19 by the U.S. postal service.
  • 35% expect to receive communication from the IRS by email.
  • 33% expect to receive communication from the WHO by the U.S. postal service.
  • 52% would open an email related to their stimulus relief eligibility.
  • 39% would open an email about Covid-19 testing near them.
  • 64% of recently unemployed are most likely to engage with an email related to their stimulus relief eligibility.
  • 45% receive 1-5 unsolicited emails related to Covid-19; 12% receive 6-10 emails; 22% receive no unsolicited emails per day.

"The data and intelligence should remind us that there is no honor among thieves,” the report reads. “Cyber criminals will continue to view times of uncertainty as an opportunity, seeking new ways to exploit targets when they have their guard down.”

To reduce the “risk of falling victim” cyber attacks, IBM recommends the following:

  • Use trusted sources. Go directly to the website of the organization instead of clicking on links to redirect you there.
  • Never open attachments or links from unknown sources.
  • Do not engage with unsolicited emails or texts pertaining to Covid-19 small business relief or other federal funding assistance.
  • For security reasons, the IRS will never email or call people. Communications are sent via U.S. mail.
  • Beware fraud speak, including peculiar use of words, odd spelling and typos in emails.
  • Update and patch. Nearly 90 percent of vulnerabilities spammers exploited in 2019 were traced to known vulnerabilities.
  • Use multi-factor authentication (MFA) on anything that enables remote access such as a bank or credit card account.
D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.