On August 7, Paul Galeski glanced down at his credit report and saw a hit from the Small Business Administration. Hmm…that’s funny. I don’t have any business with the SBA. He tried to inquire but couldn’t get a human being, so he filed a query online. He tried again in September. On October 27, he received a call from someone at his former company, Maverick Technologies, about a PPE loan that had been taken out in his name and the company’s name.
He had sold that company in 2016.
“A payment is due,” the woman in Accounts Payable informed him.
“There is no loan!” Galeski exclaimed. Then he hung up and called the FBI.
If he hadn’t learned about the loan when he did, he would have found out when the full $100,000 was due to be repaid.
Early last March, worry about COVID-19 took hold nationwide. By March 30, the FBI’s Internet Crime Complaint Center, fondly known as IC3, had received more than 1,200 complaints about scammers trying to capitalize on the pandemic. Phishing campaigns to extract money from first responders, cyberattacks on government agencies, ransomware crashing hospital systems, fake COVID-19 websites that sneaked malware onto people’s devices…. Meanwhile, rapists, pornographers, and pedophiles were taking advantage of children stuck at home on their computers.
The local FBI office swiftly set up an Eastern District of Missouri COVID-19 Task Force, pulling together 18 federal law enforcement agencies to track movement of money and compare case files.
By April 21, the complaints had tripled. Soon Google was blocking about 18 million COVID-related phishing emails a day. Hackers from China, Russia, and Iran began trying to penetrate computers in labs that were developing coronavirus vaccines. Health care institutions, desperately working to protect and heal people, became easy targets. Ransomware believed to originate in Russia locked up hospital systems in at least three states and forced system shutdowns at Universal Health Services, which owns 400 facilities across the U.S. and in the United Kingdom. A Chicago businessman was charged with swindling more than $2.6 million from hospitals by pretending to sell them 1 million N95 respirators. Instead of delivering, he bought two Maseratis and a Land Rover.
For individuals, the points of vulnerability were the heightened anxiety, financial need, confusion, and loneliness. You may be feeling relieved right now, glad you weren’t one of the many easily duped victims. But if you enjoy reconnecting with old friends, respect authority, fear contagion and death, worry for others, trust your boss, give to charity, or use a computer, you’re vulnerable. And the scammers are getting better and better.
“Hello? This is a contact tracer from Public Health. I hate to have to tell you this, but you’ve been exposed to someone with COVID-19.” Actually, you haven’t been, but I’m about to steal your identity. Or send you a text with a link that, when clicked, will infect your phone with malware.
The panic of shortages opened the way for fraudsters to sell counterfeit masks, goggles, gowns, and face shields. Others offered fake COVID-19 test kits or fake antibody tests, or they promised free care, then demanded health insurance and financial information. Some impersonated doctors and demanded payment for treatments; others impersonated government officials and, after announcing that the person was required to get a COVID test, extracted information that they then used to bill insurance for tests and procedures the individual never underwent.
Apps promising to track the coronavirus allowed criminals to watch users through their smartphone cameras, listen through their microphones, or sift through text messages. The famous Johns Hopkins world map was copied in an app that installed malware on users’ computers. Scammers posed as the Centers for Disease Control and Prevention or the World Health Organization to go phishing. Robocalls flooded a county, telling people to call a certain number for information about their COVID test results. (When they called that number, their personal data would be taken.)
It got worse: A fake letter warned that children would be removed from the home because the parents had tested positive for COVID. In Louisiana, scammers would tell someone a family member was in the hospital exhibiting signs of the coronavirus—but could not be seen until a deposit was paid. Some thieves pretended to be a U.S. service member stationed overseas or a citizen quarantined overseas, asking people to send or receive money on behalf of themselves or a loved one battling COVID-19.
A woman in Florida answered the phone and was informed that someone would have to come to her home and test her and her husband. Other scammers showed up at people’s doors, announcing that they were there to clean the home. A “coronavirus inspector” talked his way into homes in Michigan. In September, an editor of The Verge received an email informing him that he had been recorded leaving his home, in violation of quarantine, and he now owed a fine of $59.
Fake drive-thru coronavirus testing sites popped up in at least seven states, and you’ve got to love the Louisville, Kentucky, city councilman who ran a group of alleged scammers out of town. A retired police officer, he’d heard about people dressed in protective garb swabbing drivers’ noses, so he showed up at a gas station parking lot where they had set up shop. A sign mimicked the American Red Cross logo, and the workers’ lanyards misspelled HIPAA, the legislation that ensures the privacy of health data. He herded the group all the way to I-65, where they headed north toward Chicago.
According to the U.S. Treasury Department, tens of thousands of new website domains including the words “quarantine,” “vaccine,” “CDC,” “coronavirus,” “covid19,” and the like in the name were registered this year. These sites often advertised fake vaccines and cures (and sometimes delivered malware in the process). A fake website for a leading Brazilian brewery publicized the distribution of free hand sanitizer—even as it infected visitors’ computers.
On the dark web, people could find offers of blood or saliva from a “coronavirus survivor.” In broad daylight, teas, essential oils, cannabinol, colloidal silver, and IV vitamin C therapies were hawked as antiviral. By late February 2020, Amazon had already barred 1 million products for false coronavirus claims. A pharmacist in Kansas, meanwhile, used forged prescriptions to obtain opioids, amoxicillin, and hydroxychloroquine, intending to stockpile them for herself and her family in case anyone was exposed to or infected by the novel coronavirus. (They wouldn’t have done any good anyway.)
Investors eager to capitalize on the virus were promised “guaranteed returns” if they invested in a new company that made, say, PPE—except that the company didn’t exist. Classic “pump and dump” schemes rushed investors to buy stock in companies that did exist and were being touted as able to prevent, detect, or cure COVID-19. The swindlers had already bought the stocks, typically for $1 or less per share. After the hype jacked up the price, they dumped their own stock for a profit and left their victims holding useless overinflated shares.
Even an investment group that is part of the world’s largest insurance company tried to capitalize on the crisis. The chief economist of Allianz Global Investors earnestly warned CNBC that people needed to take the pandemic seriously and resist any inclination to “buy the dip.” Then three Allianz funds did just that, allegedly setting themselves up to cash in the minute the “fear index” dropped. They miscalculated, losing billions of dollars for retiree funds for teachers and public workers across the country.
People who were trying to give to charity, not make a buck, got scammed, too. So did entire towns. One Massachusetts town lost $522,000 when a spearphishing cyberattack misdirected the money to a third party.
Deals and steals worked beautifully as lures. A Trojan text message offered free groceries from Target in this stressful time. Other messages offered free fast food meals and coupons to government employees or free Costco goodies as part of a “stimulus package” for loyal customers. All manner of stuff was hawked online, from cars at incredibly low prices to summer vacation home rentals (pent-up demand made them a hot commodity) to—wait for it—puppies. A citizen of Cameroon who was studying in Romania set up Lovelyhappypuppy.com and falsely claimed to have shipped purebred puppies to their eager purchasers—then told them their new puppies had COVID-19 and demanded more money for the nonexistent dogs.
There were jury duty scams, with fake law enforcement officers collecting fake fines for missing jury duty. Lottery scams—You won! Websites made to look like Netflix. Blackmail attempts that demanded payment in bitcoin. Fake utility companies presenting overdue bills that had to be paid immediately or your power would be shut off. Fake FedEx and UPS shipping companies demanding personal information. Fake messages with “census forms” that had to be filled out to receive a stimulus check. A fake White House message announced that Tax Day had been delayed until August 15 and included a link that the recipient could click to view the president’s updated guidelines on coronavirus. Texts announcing (fake news) a national quarantine.
All the people working from home opened fresh possibilities. Companies rented laptops for their employees, sometimes from other countries and loaded with malware. Hackers invaded remote desktop-sharing applications and used them as entry points into a company’s data. Zoom meetings were hijacked with pornography, hate, or threats.
For those who had lost their jobs, criminals impersonated banks and lenders, offering to help with debt or forgive student loans. Seniors were hit hard by the scams, sometimes with supposed pleas from grandchildren sick with COVID or stuck in quarantine. But college students were easy prey, too. In one scam, they were told to click a link and submit a university login to get an economic stimulus check.
They shouldn’t feel bad: In an apparent bitcoin scam, the Twitter accounts of no less than Elon Musk, Jeff Bezos, and Bill Gates were hacked. One scammer managed to impersonate a Roman Catholic bishop. And even the savviest corporate executives were vulnerable.
Brian Cummings
ST Louis Magazine Paul Galeski Portrait
Editorial portrait of Paul Galeski for ST Louis Magazine
When Galeski learned that his identity had been stolen, he spun into action, locking down his credit in all three bureaus and using CHEX to shut down checking accounts being taken out in his name, too. He closed down any unused credit cards, just to reduce attack vectors. He asked for maximum cybersecurity for all his financial services—not just two-factor authentication but voice recognition or other layers of protection. “It was all over the board—some had two layers and some had five,” he says. “There is no silver bullet, but the more barriers you put between yourself and the bad guys, the better off you are. I’ve thought about corporate security before, and personal security. What I had never considered was what could be done if someone triangulated the two and combined my personal information with my business information.”
It wasn’t over, either. He called his former CFO just to warn her that she might be next. A few weeks later, she called him. Luckily, she’d kept in touch with the person who bought her old house—and they had received correspondence addressed to her, noting an unemployment claim for their former company.
Months later, the CFO has herself become the victim of a false unemployment claim. Galeski is still trying to run down the unemployment debit card. And he spends any spare time urging people to protect themselves in advance. “I’ve probably got well over 100 hours of my time in this,” he says. “Yeah, it’s a pain in the neck. Yeah, it’s gonna ruin your whole night. But sit there, have a couple of drinks, and do it, ’cause it beats 100 hours of work closing the gate after the horse gets out.” He pauses. “I’m a pretty optimistic person, and I try not to be skeptical, but doggone.”
The white-collar crime specialist who helped Galeski through his nightmare is Supervisory Special Agent Josh Morrill. Since March, he has overseen massive caseloads: attempts to steal economic stimulus money, Payroll Protection money, Economic Injury Disaster Loans, and unemployment insurance fattened by the $600 COVID bonus. Unfortunately, all the right impulses—to prevent contagion by letting people file online, to streamline the process, to hurry the money to those who needed it—played into the hands of thieves. “Because of the pandemic,” Morrill says, “a lot of states tried to aggressively pursue the ability to file claims online, and that also opened the door for bad actors to falsely apply.”
Some scams moved in waves across the country, but because the masterminds are tough to locate, it was hard to know whether the same person was behind similar scams or criminals are just copying one another. The FBI believes that many of the attempts originated overseas. “The biggest sign is how they are attempting to move the money,” Morrill says, “through what we refer to as a money mule network.” People are duped—with soft words of love or promises of lucrative work from home gigs—into helping launder the cash. (When the bait is romance, victims often end up forking over their own savings as well as forwarding money to different accounts.)
The mule network is far more sophisticated than you might guess, Morrill says: “Victims often think it’s point A to point B and we just go hunt down their money at point B. The reality is that oftentimes that money is moved numerous times, with maybe three or four mules in the U.S. and one in another country before it reaches the destination country. We need a search warrant for each one”—and once the money leaves the U.S., the FBI can’t even get a warrant. That’s why the coordinated efforts of IC3 are so important, he says, gathering bits of data from scams all over the country to detect patterns and countries of origin. “Then we can have an in-depth conversation with that country: ‘You have a criminal enterprise here that has targeted 200 victims in the U.S., and we need to stop it.’”
The schemes have deepened and matured since the days of the Nigerian prince who needed your help to secure his millions. “They know they’re much more likely to actually get more money if they take more time and invest in the victim they’re targeting, grooming them,” Morrill says. One of those handsome humanitarian widowers on Facebook will just happen to have the same interests they have detected by cyberstalking you, and all those lovely romantic meet-cute coincidences will build an emotional connection—and reveal more and more points of vulnerability.
You can’t assume that the lure will be romance or a cool job, either. “The scams are constantly evolving,” Morrill says, his voice tight. “Secret shopper, threats from law enforcement, threats from the IRS, someone pretending to be a family member or someone you went to college with—it’s endless. They’re smart.” They’re also powerfully motivated to study and master their craft. For the scammers overseas, this is often their full-time job—and a single swindle can equal the average annual salary in their country.
The perps can be wholesome U.S. citizens, too. A guy named one of Florida’s high school basketball coaches of the year was arrested and charged with fraudulently obtaining almost $1 million in a forgivable Paycheck Protection Program loan. An NFL player, also in Florida, was charged with participating in a scheme to steal more than $24 million in PPP loans. A husband and wife were arrested at John F. Kennedy International Airport, attempting to flee to Poland after setting up shell companies and snagging $1.4 million in PPP loans.
How do criminals gather up enough bits of your identity to impersonate you and intercept your unemployment insurance? They buy it online; troll previous data breaches; hack into computers; cold call using impersonation scams; do email phishing; or steal data from third parties, public websites, and social media accounts...for a start. Often their victims don’t know they’ve been targeted until they try to file their own claim—or receive a 1099-6 from the IRS.
Morrill has spent close to a year fighting to repair damage done in a time of panic and crisis. All too often, he has heartbreaking conversations in which he has to tell someone there’s no way to get the money back; it’s long gone and overseas.
You might want to take a break here, read something about the many acts of heroic sacrifice and altruism that have warmed people’s hearts during this pandemic. Without that counterweight, the sheer number and opportunistic meanness of disaster scams can undermine one’s faith in human nature.
Maybe to overseas perpetrators, victims are sufficiently remote. But here at home, a lot of fraud can be traced to what’s called the “dark triad” of personality disorders. The opposite of cooperative and compassionate, people who fall somewhere within this triad are labeled narcissists, Machiavellians, and psychopaths. When their temperament coincides with criminal tendencies, these people flock to disasters, because the pickings are easy. Disasters make people anxious, vulnerable, eager to help. After 9/11, fraud losses totaled at least $2.5 million, and some estimates are as high as $4 million. Scams from Hurricane Katrina are still being uncovered.
Even professional accountants are paying attention to the dark triad these days, noting that for these personalities, “only opportunity may be necessary to commit fraud.” They are “temperamentally predisposed to be calculating, conniving, and deceptive, using other people as stepping stones to reach their goals,” notes an article in The CPA Journal.
Though the three categories are distinct, they often overlap, and each brings certain aptitudes to fraud. Narcissists are grandiose enough to believe they can get away with an elaborate scam, and they are untroubled by empathy for their victims. Machiavellians are adroit when scheming and manipulating others’ emotions. And psychopaths?
A 2012 article in the Law Enforcement Bulletin called psychopathy “the most important forensic concept of the 21st century.” Antisocial and relentlessly selfish, psychopaths “act in a cold-blooded manner, using those around them as pawns,” the authors noted. They understand the difference between right and wrong, but it does not inhibit them. (Nor are they likely to feel even a twinge of remorse when, say, cheating people of their life savings or fooling them into thinking they have a deadly disease.) “The reactions of psychopaths to the damage they inflict most likely will be cool indifference and a sense of power, pleasure, or smug satisfaction.”
If all of the COVID scams were purely financial, they could at least be written off as rapacious, amoral, opportunistic greed. But the FBI’s Crimes Against Children squad has also seen troubling increases during the pandemic, and only a few of those cases have a profit motive. The rest are driven by compulsive or sadistic need, and they do permanent damage to their victims.
A 31-year-old man met a 14-year-old girl on social media and drove from Arkansas to pick her up at her house in St. Louis County. He drove her to a truck stop a few miles away and raped her. The FBI had already been alerted.
“We get involved with missing children very quickly,” explains Special Agent Daniel Root, “because if they are killed, it’s usually within the first three hours. Whenever a child ‘of tender years’ goes missing, we canvass, look for footage and social media, trace phone numbers.”
In this case, though, the guy drove her back to her neighborhood—where her dad and the police were already out in force, canvassing for her. The charges were forcible rape and interstate transportation.
Root explains that the incidences of other crimes have increased, including child exploitation, sextortion (capitalizing on a naïve kid’s shame to extract money or coerce sexual behavior), and some types of human trafficking. Opportunities shot up because kids were stuck home on their computers.
“I have 60 cases on my caseload right now,” Root says grimly. There has been an increase “between twofold and threefold” in child exploitation, which is anything related to child sexual abuse material—what used to be called child pornography. “There are three ways to exploit,” Root says. “By possessing the material, trading it, or producing it.”
Producers will go on Snapchat or Instagram and pretend to be, say, a 13-year-old. Some kids will instantly send back a naked photo of themselves because they crave the validation, or because they’re promised an iPhone or a gift card or JUUL pods or a car. Some kids are groomed over time, told to perform a certain act on video. Some are abused in person and filmed or photographed. “I see the same thing over and over in these chats,” Root says. “‘Oh, I’m ugly.’ ‘No, you are beautiful! Do this. Take a photo.’”
When agents learn of a victim and check the perpetrator’s computer, they usually find about 30 other kids he’s talking to. But the kids don’t always want to part with the illusion. “Teenagers can be some of the most challenging victims to work with,” sighs Root. “They will tell you to go pound sand—and not so politely. They feel like that person is the one protecting them and validating them, not their parents or the FBI.
“We’ve also seen a big uptick in a classic sextortion scam, usually by someone overseas,” explains Root. “We see a lot of it from the Ivory Coast. Someone will have, say, a video of a woman and say to a teenage boy, ‘Hey, let’s video chat.’ Then they’ll play the video and come up with some excuse like ‘My mic doesn’t work,’ and meanwhile be recording the whole thing. The kid might expose himself. As soon as the video finishes, they say, ‘I have this video of you; send me $1,000 in gift cards.’ That scam is just to make money.”
I ask Morrill for his personal feelings about the people exploiting a pandemic.
“Oh man,” he says, pulled back from his official warnings and stats. “Nothing you can put in print.”
PROTECT YOUR IDENTITY
1. Monitor or lock down your credit. Ask all your financial services for the highest level of cybersecurity possible. Set up text alerts for your bank and credit cards. Reduce the amount of information about you that’s available online.
2. The minute you learn you’ve been the victim of an online scam, contact your bank. Then go to IC3.gov and file a complaint with the FBI.
3. If someone offers to apply for a loan for you for a small fee, do due diligence. Make sure the information is truthful and accurate because that application will be under your name.
4. From Paul Galeski: “Don’t adapt the strategy of hoping you are the last to be attacked.”
PROTECT YOUR MONEY
1. If you receive a link to an established organization, don’t click on it; find your own way to the actual public health or CDC or WHO site. And type carefully: Spoof sites have been created with subtle differences.
2. In calls from charities, someone trying to rush or pressure you is a red flag. Also, you can’t always trust your Caller ID—scammers could be spoofing the name of a genuine charity you do trust.
3. Remember: Hackers can break into a network, commandeer an email account, and send messages that look like they came from a trusted friend or colleague.
4. If you are asked to move money for somebody—or equipment, technology, anything of value—beware.
PROTECT YOUR CHILD
1. “Spend more time telling your kids there are no secrets,” urges Special Agent Daniel Root. “They need to feel safe talking to you.’”
2. MissingKids.org has a netsmartz section with a guide for talking to your children about the dangers of sexting.
3. Remind your kids, “Someone may act like they have all the power, but you are the one in control. And you’re not alone. You will not be in trouble if you speak up. You don’t have to handle this all by yourself.”
4. Stay aware of where, in cyberspace, your kids are. Research shows 22 percent of teens logging on to their favorite social media more than 10 times a day and half of younger children logging on more than once a day.
