Fraudsters are preying on people left desperate by the coronavirus pandemic, masquerading as government entities offering relief or tenders. They are doing it well, using web domains and documentation designed to look legitimate. Experts are warning that the scams will not stop, and people should look out for malicious campaigns.
Fraudsters are preying on people left desperate by the Covid-19 pandemic across the globe.
In recent months, scammers have masqueraded as the Public Investment Corporation (PIC), the South African Revenue Service (SARS), Transnet and provincial and national health departments.
One scam led the PIC to warn against responding to SMSs supposedly qualifying recipients for a fake PIC-sponsored Business Personal Relief Fund.
According to the PIC, if a person responds to the email address supplied, email@example.com, they receive an "approval" letter and will have to pay a "handling fee" before the alleged funds are deposited.
"The PIC is not sponsoring the alleged Covid-19 Business Personal Relief Fund and is of the view that this is an attempt by cunning and ruthless fraudsters whose ultimate goal is to take advantage of vulnerable people when the country is grappling with the coronavirus pandemic," it said in a statement.
Deon Botha, the PIC head of corporate affairs, told amaBhungane that the state-owned investment manager was notified of the scam on 5 May.
"So far, we have had two people report the scam, with one having responded to the scam. It was necessary for the PIC to act swiftly to ensure that people do not fall prey to fraudulent activities that perpetuate the PIC's name and brand," Botha said.
"This is the first scam of this nature we have been made aware of," he said, adding that the PIC has since alerted law enforcement agencies.
Last month, amaBhungane reported how scammers targeted businesses listed on Treasury's central supplier database; a scam tailor-made for the coronavirus pandemic.
This PIC scam, however, appears to be a resuscitation of earlier cons.
A domain name search shows that "thepub.co.za" has operated since May 1998 and has since been connected to several fax scams targeting job seekers.
One of the few remaining ads that contain the job scam email address, firstname.lastname@example.org, is a 2014 advert for a telemarketer with two years' experience. This email address was later added to three lists, in 2015, 2016 and 2017, of emails connected to job fax scams.
JobMail warned of the fax scams in 2011 when a recruiter asked a person to fax their CV: "This fax number is set up to incur charges beyond standard rates. So, if you send your CV to this 'fake recruiter', you will be charged on your telephone bill at a very high rate."
These documents, as one person explained, could end up being over 20 pages long. The result? An expensive fax bill and a scammer with access to your detailed personal information.
Most of the time, IP addresses are accurate. But they can be manipulated, and data in domain registries can be outdated.
There are also proxy IP addresses, which are used to hide the hosts' true location.
A reverse IP address lookup connected thepub.co.za with therugby.co.za, suggesting at the very least that they share a proxy server.
Like thepub.co.za, therugby.co.za has popped up in warnings against job fax scams from emails such as email@example.com, firstname.lastname@example.org and email@example.com.
Therugby.co.za also popped up in a widely reported 2012 scam where "Craig Adams" made reservations at Cape Town restaurants for parties of over 30 people and left either the South African Rugby Union or Cricket South Africa to pick up the bill.
The same address, therugby.co.za, was used for a 419 scam in 2006 where a "US sergeant" asked American citizens to hold an undisclosed amount of money from Saddam Hussein.
... and SARS
Since the start of the year, SARS has warned South Africans against responding to "spoofed" emails and SMSs regarding tax returns, audit queries and missing income tax documents from domain names similar to the official SARS name, sars.gov.za.
The fraudulent messages, SARS said, "aimed at enticing unsuspecting taxpayers to part with personal information such as bank account details".
"For the period starting from 1 March 2020, there were 23 confirmed phishing attacks reported to SARS. All the fraudulent websites have since been taken down," said SARS head of communication Siphithi Sibeko.
He added that SARS received over 400 emails reporting phishing attacks from taxpayers since 1 March.
"The SARS Anti-phishing team ensures that fraudulent websites are taken down and fake sender email addresses are reported to the relevant ISPs [internet service providers]. Tracking the fraudsters is almost impossible. Fraudsters make use of compromised websites, fake email addresses, compromised email servers as well as anonymity networks to effectively hide their true identity."
The irony is that many of the scams look legitimate. A business owner who fell for the industrial sanitizer machine scam that amaBhungane reported on last month provided us with evidence of how the scammers operate.
The fraud nearly cost him R405 000.
The business owner told amaBhungane that everything had seemed legitimate. "They even had the stamp on the documents."
He has since opened a criminal case with the police.
The bank which the scammers had used for this fraud has frozen two connected accounts.
... and Transnet
A Transnet scam is also doing the rounds.
On 2 January 2020 at 14:36, someone bought the domain name Transnetengineerings.net. It is almost an exact match to the legitimate website of Transnet's engineering division: Transnetengineering.net. The only difference is the additional "s".
In April, "Transnet" requested proposals for the supply of 31 Kerfax e400 Hospital beds via the transnetengineerings.net domain.
The request for proposal document mimicked legitimate tender documents, down to the names of staff in the procurement office.
AmaBhungane reached out to one of the staff members on the official Transnet address and the staff member confirmed the e400 Hospital bed request was a scam.
We contacted the landline number on the fake request for quotation document, and a "Transnet official" answered the call.
When we asked why Transnet needed hospital beds, the operator told us they would be donated to the state-of-the-art Steve Biko Academic Hospital in Tshwane.
AmaBhungane got hold of the hospital's procurement staff, who rubbished the idea that Transnet would provide the hospital with more beds: the hospital currently has over 800 hospital beds, plus an additional 53 ICU beds, 21 High Care beds, 61 observation beds, and 108 beds in the oncology complex.
And the owner of the website? The only trace we could find was a March 2020 classified ad for sex work.
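The Transnet domain above differs from the real one by a single letter, and SARS describes senders using names similar to sars.gov.za. The following is an added example, not part of the original report: a mail-filter style check that flags sender domains within a small edit distance of a trusted domain. The function names, the two-edit threshold and the samples marked "constructed" are assumptions.

```python
# Added example: flag sender domains that are near-misses of trusted ones.
TRUSTED = {"transnetengineering.net", "sars.gov.za"}  # legitimate domains named in the article


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # transposition of two letters
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Lower-case and drop a trailing root dot so comparisons are stable."""
    return domain.strip().lower().rstrip(".")


def classify(domain: str, max_edits: int = 2):
    """Return ('trusted' | 'lookalike' | 'unrelated', closest trusted domain or None)."""
    d = normalise(domain)
    if d in TRUSTED:
        return "trusted", d
    closest = min(TRUSTED, key=lambda t: osa_distance(d, t))
    if osa_distance(d, closest) <= max_edits:
        return "lookalike", closest
    return "unrelated", None


if __name__ == "__main__":
    samples = [
        "transnetengineerings.net",  # fake tender domain from the article
        "Transnetengineering.net",   # legitimate, different letter case
        "sars-gov.za",               # constructed lookalike
        "sras.gov.za",               # constructed lookalike (swapped letters)
        "example.org",               # constructed unrelated domain
    ]
    for s in samples:
        print(s, "->", classify(s))
```

Short trusted names produce false positives at two edits, so a "lookalike" result is a prompt for manual review rather than proof of fraud.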
Uptick in scammers and malware - report
International cybersecurity company Mimecast monitored the first 100 days of lockdown and found a global increase in "coronavirus-related spam and impersonation attack campaigns" preying on the vulnerability of people at home and "taking advantage of their desire for information about the coronavirus pandemic to entice them to click on unsafe links".
"Traditional fraudsters are also using spam to offer fake or non-existent goods such as protective masks or Covid-19 cures," the report noted.
Mimecast said it detected a 26% increase in opportunistic scams, a 30% increase in impersonations, a 35% increase in malware and a 55.8% increase in blocked URLs and malicious software from January this year to the end of March.
Towards the end of March, Mimecast had blocked the delivery of over 83 million Covid-19 related emails as spam/opportunistic since January this year.
One case involved an impersonation of the US Centres for Disease Control and Prevention where the scammer tried to entice the public into clicking links that would reveal coronavirus cases in their area.
Other scams tried to persuade users to reveal their personal logins for work platforms such as Microsoft's OneDrive.
The report's authors said they believed that the attacks would continue throughout the crisis, targeting people's fears as they were furloughed from work and their cash flows dried up.
The next round of malicious campaigns would most likely take the form of organisations helping travellers recoup expenses from cancelled trips or, as in the case of the PIC scam, of connecting people to a government grant.
Advocate Jacqueline Fick, a local expert in electronic fraud, asked people to err on the side of caution:
"Phishing emails are set up to deceive the recipient and convince you to divulge information or to get you to act on the request in some other form. In these tough economic times, it becomes even more tempting to respond to such requests. At the best of times it can be difficult to distinguish between a fake and legitimate email.