COVID test kits scam, hurricane recovery and charity scams, and AI email security gaps

Sam Benson received a text message saying that he could order four new COVID test kits for $20. All he had to do was wire the money to a given account and provide his home address and his bank account transfer number. He followed the instructions. Two weeks later, he hadn’t received the tests, and his bank account was empty.

This is a fictional case, but it’s representative of a real problem. In October 2024, the U.S. Federal Trade Commission (FTC) announced the availability of free COVID test kits from COVIDTests.gov. Citizens only need to provide their names and shipping addresses; they can provide email addresses if they want confirmation and delivery updates. The agency said anyone who asks for additional information or payment is a scammer. (See “How to order free COVID test kits from the federal government and avoid the scammers,” by Eunice Kim, FTC, Oct. 2, 2024.)
Scammers, of course, are impersonating the U.S. government to steal personally identifiable information (PII) and other financial data.

The FTC provides this advice to avoid scammers:

• Don’t click links in unexpected emails or text messages, no matter how real they look.
• When you click to order tests at COVIDTests.gov, the only legitimate portal, you’ll go to special.usps.com/testkits.
• Don’t provide your credit card, bank account or Social Security number to anybody who says they’re representing the government. No one will call, text or email you from the government to ask for your information to “help” you order free test kits.

As always, if you spot a scam, tell the FTC at ReportFraud.ftc.gov.

Hurricane recovery scam

What comes after hurricanes? Storm surges … and fraudsters who have a long history of using their schemes to steal PII and money from devastated victims who might make hasty decisions when trying to recover their losses from disasters.

The FTC provides advice to victims of any disaster:

• Spot imposter scams. Scammers might pretend to be someone “official” like safety inspectors or someone from the government. But anyone asking you for your money or PII right away is a scammer. Don’t give them money. Ask for identification and verify who you’re dealing with.
• Spot Federal Emergency Management Agency (FEMA) impersonators charging application fees. If someone asks you for money to help you qualify for FEMA funds, it’s a scam. That’s not how FEMA works. Instead, download the FEMA Mobile App to get alerts and information.
• Spot home improvement and debris removal scams. Unlicensed contractors and scammers may appear in recovery zones with promises of quick repairs or clean-up services. Walk away if they demand cash payments up front or refuse to give you copies of their licenses, insurance and contracts in writing.

(See “Recovery Scams will follow Hurricane Helene. Here’s how to spot them,” by Jim Kreidler, FTC, Oct. 1, 2024. Check out resources for Hurricane Helene from FEMA in English and Spanish.)

People might be eager to help victims of hurricanes Milton and Helene that devastated parts of the southern U.S. in late September and early October 2024, but they should be wary of charities seeking donations. Fraudsters love an opportunity to profit off disaster by masquerading as legitimate organizations seeking relief funds from the public. Criminals often establish fake charities to steal money and PII from generous donors, which can then be used to further exploit victims through identity theft schemes. According to the IRS, fake charity promoters create fake emails and websites or “spoof” legitimate charity phone numbers to solicit donations from well-meaning citizens. The IRS provides the Tax-Exempt Organization Search (TEOS) tool on IRS.gov to help you find and verify legitimate charities. (See “IRS: Beware of fake charities; check before donating,” IRS, Oct. 23, 2023 and “Search for tax exempt organizations,” IRS.)

Along with verifying whether a charity is the real deal with TEOS, the IRS provides the following tips to avoid charity scams:

• Don’t feel rushed to give money. Charity scammers often use the urgency of a situation to pressure people into donating money. If someone claiming to be from a charity is pressuring you into giving money, it’s best not to make an immediate payment.
• Keep personal information to yourself. Because charity fraudsters are also looking for PII, steer clear of an organization that’s asking for more information than necessary for your donation to a worthy cause.
• Don’t pay with gift cards or by wiring money. Legitimate charities won’t ask for a donation via gift card or have you wire them money. Writing a check or paying with a credit card — after you’ve verified the charity — is generally a safe bet.

Email security gap problem

One sure and unchanging identity theft fact: We’re in a constant battle between threat actors and security defenders in cybersecurity. Organizations use artificial intelligence (AI) to power their defenses, and threat actors use it to improve their threat tactics. Problems arise when organizations can’t keep up with the threat actors, creating gaps in security.

The FBI has warned of an escalating threat of cyber criminals using AI tools to conduct sophisticated phishing/social engineering attacks.

The FBI has warned of an escalating threat of cyber criminals using AI tools to conduct sophisticated phishing/social engineering attacks.

(See “FBI Warns of Increasing Threat of Cyber Criminals Utilizing Artificial Intelligence,” FBI San Francisco, May 8, 2024.) An Oct. 11, 2024, SC Media article reported that threat actors use AI to bypass even the most popular and secure email gateways (SEGs), such as Microsoft and PowerPoint, to reach people’s inboxes. SEGs use learning algorithms to identify patterns and block malicious emails. According to the SC Media article, model-based SEGs provide a more advanced approach to email security than traditional rules-based SEGs, which use predefined rules and signatures.

SC Media research found a staggering 104% increase in malicious emails landing in end-user mailboxes. The AI-powered phishing attacks are getting harder to detect because of these factors, according to SC Media:

• AI analyzes vast amounts of data from numerous sources, such as social media, to mimic people’s communication styles. Because of this, cyber criminals create hyper-personalized emails that can slip past security controls and deceive recipients.
• AI algorithms track people’s behavioral patterns and can figure out when people are more likely to be distracted or tired — and more susceptible to phishing attacks.
• Automation technologies powered by AI generate large volumes of phishing emails in short amounts of time. Cyber criminals are then able to learn from previous attacks so that they can become highly effective at bypassing security controls.
• AI can make phishing emails look like the real thing and eliminate traditional indicators of fraudulent correspondence such as spelling, grammar and language errors.

The SC Media article provides the following methods to involve employees in email security:

• Organizations must adopt a multifaceted approach that combines defensive AI with human intelligence.
• Companies empower their employees via security awareness training (SAT) so they can become active participants in cybersecurity defenses and close gaps left by model-based SEG approaches.

By investing in SAT, companies empower their teams to surpass basic awareness and specifically train employees to identify and report on emerging threats — the kind that even AI-based defensive tools miss. Employees are a vital first line of defense against phishing attacks. By bridging this AI gap with strong human intelligence layers, organizations can significantly strengthen their overall cybersecurity posture against AI-enhanced threats.

(See “How AI created an email security gap,” by Josh Bartolomie, SC Media, Oct. 11, 2024.)

I’m here to help

Please use this information in your outreach programs and among your family members, friends, and co-workers.

As part of my outreach program, please contact me if you have any questions on identity theft or cyber-related issues that you need help with or if you’d like me to research a scam and possibly include details in future columns or as feature articles.

I don’t have all the answers, but I’ll do my best to help. I might not get back to you immediately, but I’ll reply. Stay tuned!

Robert E. Holtfreter, Ph.D., CFE, is a distinguished professor of accounting and research at Central Washington University. He serves on the ACFE Advisory Council, the ACFE Editorial Advisory Committee and the ACFE’s inaugural CFE Exam Content Development Committee. In 2005 he received the ACFE’s Outstanding Achievement in Accounting award and the ACFE’s Educator of the Year award in 2006. Holtfreter was the recipient of the Hubbard Award for the best Fraud Magazine feature article in 2016. Contact him at doctorh007@gmail.com.