Fake COVID-test emails are scams to steal your credit card info

Demand for at-home COVID tests has surged along with the highly contagious omicron variant. Now cybercriminals are trying to take advantage of people searching for those kits by using scam emails to lure them to fake websites that steal credit card and other personal information.

Cybersecurity experts warn that scammers are sending out millions of test-related emails and tempting consumers searching for COVID test-related information with bogus websites. A new wave of demand — and scams — was spurred by the rise of the highly contagious omicron variant. The recent launch of a government website offering free test kits also has the potential to spawn knockoff sites, according to the Better Business Bureau.

"The bad guys are really good at staying on top of what's topical," said Michael Flouton, vice president of product management at Barracuda Networks, which specializes in email security. "As the pandemic has evolved, so have they."

Scams exploiting consumer interest in at-home tests are just the latest in COVID-related grifts. Emails started popping up at the beginning of the pandemic and spiked in March 2020, when stay at home orders started going into effect. The rollout of vaccinations also brought a rise in vaccine-related scam emails.

Earlier this month, the US Department of Health and Human Services Office of Inspector General warned that scammers are using telemarketing calls, text messages, social media platforms and even door-to-door visits to spread COVID-related scams.

Now test-related scams are on the rise. Between October and January, the number of scam emails mentioning COVID testing jumped by more than 500%, according to a Barracuda Networks analysis of nearly 3 million spear-phishing emails sent during those months. 

The scam emails often offer to sell COVID tests or other medical supplies, such as masks or gloves, with some of those turning out to be counterfeit products, according to Barracuda. Other emails masquerade as notifications for unpaid orders for tests, and include links to PayPal accounts through which victims would be asked to complete their purchases. Sometimes, the emails are designed to impersonate labs, test providers or test results.

While some cybercriminals appear to be after corporate networks and other big targets, the vast majority are designed to steal banking and login credentials from everyday people, according to Barracuda.

Impersonation or brand-abuse attacks, in which criminals try to pass themselves off as legitimate companies, government agencies or people, have become a favorite of scammers. According to the cybersecurity company Outseer, which specializes in payment fraud protection, brand abuse attacks nearly tripled in the third quarter of last year on a year-over-year basis.

Armen Najarian, Outseer's chief marketing officer, says the objective is always the same, regardless of the entity being impersonated. 

"What they want is information," Najarian said of the scammers. "It's financial gain by way of information capture."

Seemingly harmless bits of personal information, such as names, home addresses and email addresses, can be used to bolster consumer profiles that could be used for bigger scams down the road, he said. If a victim hands over a set of login credentials, criminals can try those combinations against other online accounts, in hopes the victim used the same email and password for a banking or credit card account that can be pilfered.    

Given the pattern of scammer behavior, Flouton and Najarian both said they wouldn't be surprised to see scammers start impersonating the US Postal Service's legitimate free-test website with both phishing emails and lookalike websites.

Najarian notes that the USPS site, where consumers can order their four free tests, is very basic, makes clear that it's an official government site and only asks for the most necessary personal information including a name, email and mailing address.

As a result, any site that asks for anything else — like credit card information, email or social media login credentials — should be avoided. 

Flouton says consumers need to think before they click.

"Just always be skeptical, always be vigilant," he said. "Just know that no topic will be off limits to criminals."