- Fraudsters are preying on people left desperate by the coronavirus pandemic, masquerading as government entities offering relief or tenders.
- They are doing it well, using web domains and documentation designed to look legitimate.
- Experts are warning that the scams will not stop, and people should look out for malicious campaigns.
Fraudsters are preying on people left desperate by the Covid-19 pandemic across the globe.
In recent months, scammers have masqueraded as the Public Investment Corporation (PIC), the South African Revenue Service (SARS), Transnet and provincial and national health departments.
One scam led the PIC to warn against responding to SMSs supposedly qualifying recipients for a fake PIC-sponsored Business Personal Relief Fund.
According to the PIC, if a person responds to the email address supplied, firstname.lastname@example.org, they receive an "approval" letter and will have to pay a "handling fee" before the alleged funds are deposited.
"The PIC is not sponsoring the alleged Covid-19 Business Personal Relief Fund and is of the view that this is an attempt by cunning and ruthless fraudsters whose ultimate goal is to take advantage of vulnerable people when the country is grappling with the coronavirus pandemic," it said in a statement.
Deon Botha, the PIC head of corporate affairs, told amaBhungane that the state-owned investment manager was notified of the scam on 5 May.
"So far, we have had two people report the scam, with one having responded to the scam. It was necessary for the PIC to act swiftly to ensure that people do not fall prey to fraudulent activities that perpetuate the PIC’s name and brand," Botha said.
"This is the first scam of this nature we have been made aware of," he said, adding that the PIC has since alerted law enforcement agencies.
Last month, amaBhungane reported how scammers targeted businesses listed on Treasury’s central supplier database, a scam tailor-made for the coronavirus pandemic.
… and SARS
Since the start of the year, SARS has warned South Africans against responding to "spoofed" emails and SMSs regarding tax returns, audit queries and missing income tax documents from domain names similar to the official SARS name, sars.gov.za.
The fraudulent messages, SARS said, "aimed at enticing unsuspecting taxpayers to part with personal information such as bank account details".
"For the period starting from 1 March 2020, there were 23 confirmed phishing attacks reported to SARS. All the fraudulent websites have since been taken down," said SARS head of communication Siphithi Sibeko.
He added that SARS received over 400 emails reporting phishing attacks from taxpayers since 1 March.
"The SARS Anti-phishing team ensures that fraudulent websites are taken down and fake sender email addresses are reported to the relevant ISPs [internet service providers]. Tracking the fraudsters is almost impossible. Fraudsters make use of compromised websites, fake email addresses, compromised email servers as well as anonymity networks to effectively hide their true identity."
The irony is that many of the scams look legitimate. A business owner who fell for the industrial sanitizer machine scam that amaBhungane reported on last month provided us with evidence of how the scammers operate.
The business owner told amaBhungane that everything had seemed legitimate. "They even had the stamp on the documents."
He has since opened a criminal case with the police.
The bank which the scammers had used for this fraud has frozen two connected accounts.
… and Transnet
A Transnet scam is also doing the rounds.
On 2 January 2020 at 14:36, someone bought the domain name Transnetengineerings.net. It is almost an exact match to the legitimate website of Transnet’s engineering division: Transnetengineering.net. The only difference is the additional "s".
In April, "Transnet" requested proposals for the supply of 31 Kerfax e400 Hospital beds via the transnetengineerings.net domain.
The request for proposal document mimicked legitimate tender documents, down to the names of staff in the procurement office.
AmaBhungane reached out to one of the staff members on the official Transnet address and the staff member confirmed the e400 Hospital bed request was a scam.
We contacted the landline number on the fake request for quotation document, and a "Transnet official" answered the call.
When we asked why Transnet needed hospital beds, the operator told us they would be donated to the state-of-the-art Steve Biko Academic Hospital in Tshwane.
AmaBhungane got hold of the hospital’s procurement staff, who rubbished the idea that Transnet would provide the hospital with more beds: the hospital currently has over 800 hospital beds, plus an additional 53 ICU beds, 21 High Care beds, 61 observation beds, and 108 beds in the oncology complex.
And the owner of the website? The only trace we could find was a March 2020 classified ad for sex work.
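The one-character difference between the fake and the real Transnet domain, and the SARS warning about sender domains similar to sars.gov.za, are the kind of near-match a mail filter can test for. The sketch below is an example added here, not code from amaBhungane, Transnet or SARS; the function names, the two-edit threshold and the sample senders are assumptions.

```python
# Added example: flag sender domains that nearly match a trusted domain.
TRUSTED = ("sars.gov.za", "transnetengineering.net")  # legitimate domains named in the article


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition ("ab" typed as "ba") counts as one edit.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(sender: str, trusted=TRUSTED, max_edits: int = 2):
    """Return (verdict, matched_trusted_domain) for an address or bare domain."""
    domain = sender.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    # Exact matches and genuine subdomains of a trusted domain pass.
    for good in trusted:
        if domain == good or domain.endswith("." + good):
            return "trusted", good
    labels = domain.split(".")
    for good in trusted:
        # Also compare only the last labels, so a near-match hidden under
        # an extra subdomain (mail.<lookalike>) is still caught.
        tail = ".".join(labels[-len(good.split(".")):])
        if min(osa_distance(domain, good), osa_distance(tail, good)) <= max_edits:
            return "lookalike", good
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample senders; only the two trusted domains and the
    # transnetengineerings.net lookalike come from the article.
    for s in ("rfq@transnetengineerings.net", "procurement@transnetengineering.net",
              "efiling.sars.gov.za", "refunds@sarz.gov.za", "someone@example.org"):
        print(f"{s:40} {classify(s)}")
```

A threshold of two edits suits names of this length; for very short trusted domains it would need to be lowered to avoid flagging unrelated senders.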
Uptick in scammers and malware – report
International cybersecurity company Mimecast monitored the first 100 days of lockdown and found a global increase in "coronavirus-related spam and impersonation attack campaigns" preying on the vulnerability of people at home and "taking advantage of their desire for information about the coronavirus pandemic to entice them to click on unsafe links".
"Traditional fraudsters are also using spam to offer fake or non-existent goods such as protective masks or Covid-19 cures," the report noted.
Mimecast said it detected a 26% increase in opportunistic scams, a 30% increase in impersonations, a 35% increase in malware and a 55.8% increase in blocked URLs and malicious software from January this year to the end of March.
Towards the end of March, Mimecast had blocked the delivery of over 83 million Covid-19 related emails as spam/opportunistic since January this year.
One case involved an impersonation of the US Centres for Disease Control and Prevention, in which the scammer tried to get the public to click on links that would reveal coronavirus cases in their area.
Other scams tried to persuade users to reveal their personal logins for work platforms such as Microsoft’s OneDrive.
The report’s authors said they believed that the attacks would continue throughout the crisis, targeting people’s fears as they were furloughed from work and their cash flows dried up.
The next round of malicious campaigns would most likely take the form of organisations helping travellers recoup expenses from cancelled trips or, as in the case of the PIC scam, of connecting people to a government grant.
Advocate Jacqueline Fick, a local expert in electronic fraud, asked people to err on the side of caution:
"Phishing emails are set up to deceive the recipient and convince you to divulge information or to get you to act on the request in some other form. In these tough economic times, it becomes even more tempting to respond to such requests. At the best of times it can be difficult to distinguish between a fake and legitimate email.
This story was amended after publication to excise information about earlier scams that appeared to be connected to the PIC scam. The apparent connections did not withstand scrutiny.