First, hackers were taking advantage of the global pandemic coronavirus news coronavirus with an email scam that targeted consumers. Now, they are targeting businesses with a new coronavirus business scam.

Just like the last scam, criminals are using the concerns over the outbreak to unleash malware. They are continuing to try and find ways to make money by playing off everyone’s concerns and fears.

This coronavirus business scam is targeting professionals by sending phishing emails that look like a company’s purchase order for facemasks or other supplies that could trick employees into making payments to a fraudulent account. Scammers are also sending phishing emails about a company’s remote-work plan in hopes to get a response that provides personal details.

According to Proofpoint’s analysis cited in an article for the Wall Street Journal, attackers have sent emails containing nearly a dozen types of malware. Some of these emails even include company logos, instructions and attachments.

As long as the coronavirus stays in the headlines, so will the scams. In order to avoid these scams, it is critical that everyone adopt and develop good cybersecurity behaviors and habits. Here are a couple of tips to help you reduce your risk of falling victim to a coronavirus business scam.

  • Never click a link, open an attachment or download a file that you are not expecting. Instead, you should contact the sender to verify its authenticity. If the sender is not someone you regularly interact with, ignore the email. If it is someone you know, still verify the email before you click any links or open any attachments.
  • Do not share or forward emails about the coronavirus unless you have verified its authenticity. They are often alarmist to the point of being hoaxes or contain outdated details. In the case of the coronavirus scam, they contain dangerous links.

It is important to stay up-to-date on all major events. In order to stay on top of the news, go directly to trusted sources like the CDC or World Health Organization for updates and information.

If you believe you have fallen victim to a coronavirus scam, contact the Identity Theft Resource Center toll-free at 888.400.5530 to speak with an expert advisor. You can also live chat with us. Our advisors will help guide you through your case and provide you with the proper resources.


You might also like…

On Thursday, March 4, 2020, T-Mobile disclosed a breach that impacted employees and customers. T-Mobile posted two separate data breach notification letters on their website. The first states that there was a malicious attack against their email vendor that led to unauthorized access to certain T-Mobile employee accounts, some of which contained account information for T-Mobile customers and employees. The second breach notification letter also states there was a malicious attack against their email vendor. However, it says personal information like names, addresses, Social Security numbers, financial account information, government identification numbers, phone numbers and billing account information could have been exposed for some customers and employees.

The U.S. telco is sending out SMS notifications to all impacted users about the T-Mobile breach. Users who just had account data exposed are getting different notifications than those who had sensitive data exposed.

It is not yet known how many employees and customers were affected by the T-Mobile breach. However, the company is recommending to customers that they change their PIN numbers on their T-Mobile accounts. T-Mobile is also offering free credit monitoring and identity theft detective services that are being provided by TransUnion, for those that had sensitive information exposed. Those that have the option to have monitoring will receive a separate letter with details.

In the notification letters, T-Mobile has emphasized how seriously they take the security of every customer and employee, and that they are working to further enhance their security to stay ahead of this type of activity.

While there is nothing you can do to prevent yourself from falling victim to a data breach, there are things you can do to reduce your risk.

  • Be alert for phishing emails by a scammer that acts like they know who you are or that they are a company you do business with. Only respond to emails if you know the recipient or are expecting the email.
  • Keep an eye out for suspicious activity. You can do that by regularly reviewing and monitoring your accounts and credit history for any unauthorized transactions.
  • If you believe you have fallen victim to identity theft, file a police report. You can also contact the Federal Trade Commission or the State Attorney General to learn more about the proper steps to take.

If you believe your information was exposed as part of the T-Mobile breach, the Identity Theft Resource Center urges you to call us toll-free at 888.400.5530 to speak with an expert advisor who can help you create an action plan and tell you who to contact and what to say. You can also live chat with an advisor.

The ITRC also encourages you to download our ID Theft Help App that will allow you to track your case and provide proof of what you have completed, which is more important now than ever with recent data breach settlements requiring victims to provide proof for cash payouts.


You might also like…

A Walgreens data exposure from the company’s mobile app exposed the information of 6,681 customers according to HIPAA Journal. This latest hack is an example of another way your data can be leaked.

Mobile apps are currently one of the retailers’ best tools for engaging customers, developing a loyal following and increasing sales. With these handy smartphone downloads, customers are more likely to return to that place of business and take advantage of special offers that can save them money. Retail apps in certain industries like health and fitness can even make a positive impact on users’ well-being.

The Walgreens pharmacy app, which has had tens of millions of downloads, makes it easy for customers to order their refills, check up on their prescriptions and much more. Unfortunately, a “bug” in the app’s code leaked personal messages that could have contained names, prescription information and some customers’ shipping addresses for app-based orders.

The sample data breach notification letter that Walgreens filed with the state of California stated that the company itself discovered the error in the app. Fortunately, that means the Walgreens data exposure might have been discovered before anyone could use the disclosed information or messages for harm. Walgreens has not issued any examples of what kind of harm could come from the Walgreens data exposure, but they have told patients to monitor their Walgreens accounts and keep tabs on their prescriptions.

It is worth noting that no financial information or permanent identifying information (like Social Security numbers) was exposed as part of the Walgreens data exposure. Also, no health insurance information was compromised. Because of that, no one has to worry about someone ordering prescriptions in a customer’s name.

While this might seem like a minor form of a data breach, it should still serve as a reminder that all of the information we choose to share online or in the cloud could be accessed by someone with the right know-how, or by a faulty piece of code in an app or website. It also highlights the fact that using some of this technology means placing trust in others’ ability to protect that information. If you do not feel confident in how your data will be stored or what information about you will be collected, think twice about downloading or using that technology.


You might also like…

A new PayPal phishing scam is making the rounds that are hard to spot, which emphasizes the importance of using an abundance of caution when you receive a message you are not expecting.

Phishing scams work by tricking people into clicking a link, opening an attachment or redirecting to a website. From there, the scammers might install harmful software on your computer, infect your entire network with a virus, steal your login credentials or other similar tactics. Some phishing scams are much simpler, though, like the infamous Nigerian prince emails that trick people into sending money or paying a fee.

There are two different kinds of phishing scams. Some of them, like the ones that claim the sender needs help getting hundreds of millions of dollars out of the country, can be somewhat unrealistic and filled with grammar errors.

The other kind is more sophisticated. They might contain cut-and-paste corporate logos, copied wording from a real company communication, perhaps a copycat address that could fool savvy consumers. Those phishing attempts are trying to convince the recipient that there is something legitimately wrong with their account, their tax return or some other plausible situation.

A new PayPal phishing scam that pretends to be from PayPal is a good example. This message has a very friendly tone, correct spelling and grammar and even has the company’s image in the message. It informs the recipient that PayPal was unable to process their refund of a high-dollar value amount and to please go to Member Support for assistance. As part of the PayPal phishing scam, the handy link is even provided in the message.

Since the recipient does not remember sending or refunding hundreds of dollars, they might click the link to find out what is going on. That is when the scammers have redirected them to a different site where the consumer will type their login credentials—while the scammers steal that information—and see that it was all a big mistake and nothing is wrong. It is also possible that clicking the link will instead install malicious software like a virus on the user’s computer.

In any event, the same advice as always applies: never click a link, open an attachment, download a file or follow through with any instructions in a message that you were not specifically expecting.

Instead, ignore the message. Simply contact the company yourself using a verified contact method that you looked up, not one that may have been provided in the message (it could lead you right back to the scammers). Once you go to your account or contact customer service, you will discover that everything is fine. On the off chance there really is a problem with your account, you will also be able to fix it right then. The Identity Theft Resource Center is here to help if you believe you are a victim of the new PayPal phishing scam. Call one of our advisors’ toll-free at 888.400.5530. You can also live chat with an advisor. They will walk you through the next steps you need to take.


You might also like…

It seems like there is no end to the ways that hackers can attempt to attack victims. From the loss of funds, lost time from work to handle the matter, even a lost sense of safety and security as reported by victims in the ITRC’s Aftermath report, it can feel like one crisis pops up after another. One victim had to seek help over a whole new kind of identity theft attempt, that being income tax documents from a phone fraud attack that, fortunately, was unsuccessful.

A man in Florida received a phone call that someone had used his identifying information to buy two cell phones at a nationally-known cellular store and racked up a $2,399 debt. He spoke with an agent from the company, explained that he was not the customer—nor did he even have any accounts with that company—and they worked together to resolve the issue. Since identity theft is a widespread and well-documented problem, he thought the phone fraud matter was put to rest.

However, the man then began receiving letters about the two phones and their unpaid bills. He called the company again to explain that this was a case of identity theft. Finally, things came to a head when the man received the most unexpected and unwelcomed surprise: a 1099-C form that he was supposed to include in his income tax filing, claiming the cancelled debt from the fraudulent purchase of the phones as considered income.

How can that be? Easy. Companies can file your unpaid debt with the government as extra income you received. After all, if you owe money to a business but do not pay, you essentially kept that money and therefore it amounts to additional income. The issue is that filing a 1099-C is saying “Yes, this debt is mine and I’m being forgiven” when in reality, this is a case of account fraud and the individual should not have to have the debt reflected on their credit reports for the long-term.

“It’s almost like you’re guilty until you can prove you’re innocent,” said the victim.

What’s so strange in this account fraud case is that it was actually the cellular provider who first contacted the man and said they suspected phone fraud. They were the ones to spot suspicious activity and decided it warranted another look for account fraud. Yet after confirming several times that he was not the one who purchased the phones, they sent him the document for him to claim responsibility.

The identity theft victim eventually reached out to a local news station for help after getting nowhere in resolving the phone fraud case. By shining a larger light on it, a reporter was able to speak with a company representative who said the issue would be corrected by dismissing the case and letting the credit agencies know so that the victim’s credit reports are not impacted.

This event goes to show that there is no such thing as being “safe” from identity theft concerns and that even an old incident can have lasting repercussions. It is also proof that account fraud can happen in many different ways.

Unfortunately, it often falls to the victims to advocate for themselves and make sure that all incidents are handled fully. That is why it is important to keep good records of everyone you have spoken with about an incident, note the dates the conversations took place, keep copies of any documents that you have that can provide a paper trail and even file a police report when you know your identity has been stolen. Try using our free ID Theft Help Case log where you can document the steps you’ve had to take in resolving your account fraud and export to a PDF document.

If you believe you have been a victim of account fraud, or identity theft in general, reach out to the Identity Theft Resource Center for free assistance at 888.400.5530. You can also live chat with us. Our expert advisors will help you create an action plan for your case and point you to who you need to contact and what you need to say.

For on-the-go identity assistance, check out the free ID Theft Help App from ITRC: https://www.idtheftcenter.org/itrcapp/


You might also like…

With graduation just around the corner and college plans already taking shape for a lot of students, this is the time of year when students put in a lot of work in finding sources of financial aid. However, scammers are working just as hard in order to take advantage of students who are trying to spend wisely for higher education with student loan scams. Here are just a few of the ways scammers can put a very expensive damper on your plans.

Scholarship “Finders”

For a hefty fee and access to all of your sensitive information, some notorious sites will claim to seek out scholarships that you are eligible for. The problem is that you still have to do the work of applying for them. So, all this company did was take your money, input your information into a large search database—one that the public can also access for themselves—and send you the results. They literally got paid to do what you could have done for free, only they were hoping you did not know that. This is a classic student loan scam.

“Guaranteed” Acceptance Aid

Any form of financial aid that tells you it is guaranteed is probably a scam. After all, there are a lot of factors at play when it comes to approving requests for financial aid. Your FAFSA form is your first step in filing for financial aid, so start there at FAFSA.gov.

High-Pressure Pitches

Yes, our country is stronger when its young people can access the kinds of educational and work opportunities they desire. However, any company that contacts you relentlessly—whether by email, phone, text or social media ad—has another interest in mind, and that is getting money from you. To avoid a student loan scam, stay away from any website, platform or company that goes with high-pressure, act-now sales pitches.

Loan Erasure Scams

While student loan debt can be a burden for a lot of people, scammers are making it a lot worse. By claiming to offer services that “erase” or forgive your student loans—which are nothing more than government programs that anyone can apply for on their own—scammers take your money in the form of application fees and steal your identifying information. Then they leave you with just as much debt as you had before.

When it comes to student loan scams, a good rule of thumb is to be very wary of anyone who wants your personally identifiable information or who insists on upfront fees. If you do a little bit of homework, you might discover that the company is charging you money for nothing in return. Stay safe this student loan scam season by not falling for the scammer’s tricks.

If you believe you are a victim of identity theft, you can call the Identity Theft Resource Center toll free at 888.400.5530 to speak with one of our advisors or live chat with an advisor on our website. They will help you create an action plan for your case while directing you on the next steps you need to take.


For on-the-go identity assistance, check out the free ID Theft Help App from ITRC.

You might also like…

Medical data breaches can be some of the most damaging breaches because of the types of personal information that hospitals collect. Combine that with the sensitivity of a child’s personal information and there is a potential for child identity theft – medical and financial. San Diego’s Rady Children’s Hospital is just the latest hospital to suffer a data breach. While the Rady Children’s Hospital data breach did not include Social Security numbers, credit card numbers, radiology images, radiology reports or diagnosis, it did include patient names, gender, and in some instances, dates of birth, medical record numbers, parent/guardian names, descriptions of imaging studies and the names of referring physicians.

The hospital learned of the potential incident on January 3, 2020. After an investigation, it was determined that patient names, gender and date and type imaging studies were accessed without authorization through an internet port between June 20, 2019 and January 3, 2020.

The hospital is notifying the 2,360 patients whose information may have been exposed in the Rady Children’s Hospital data breach and providing them with the steps they can take to protect their personal information. In a press release, the hospital states that any patient or legal guardian who receives a letter should review the steps that are outlined in the letter to protect their personal information. The hospital has also provided a toll-free number for people to call who might have questions about the incident (844.902.2025.)

The Rady Children’s Hospital data breach is an example of how thieves might get the personal information of children. However, there are things that the parents can do to reduce their child’s likelihood of falling victim to identity theft following this data breach.

Some red flags of medical identity theft could include:

  • Calls from collection agencies regarding bills or credit cards in your child’s name
  • Your child is denied government assistance or medical insurance because income or benefits have already been assigned to the child’s Social Security number
  • Receiving a medical bill in your child’s name for treatments/services they never received

Keep a close eye on any accounts that may come up in your child’s name. It is recommended to check your child’s credit report because children should not have a credit report in the first place. If one is discovered, parents/legal guardians need to consider placing a freeze on their account and disputing any suspicious activity. Additionally, because of the types of data available in the breach, the potential of a longtail impact to minors is a very real threat. With key information like parents’ name and date of birth, there could be potential risks for children well after the incident is resolved.

If you believe your child may have been the victim of identity theft or their/your information was exposed from the Rady Children’s Hospital data breach, you can call the Identity Theft Resource Center toll-free at 888.400.5530 to speak with one of our advisors. You can also live chat with an advisor on our website. They will help you create an action plan for your case while directing you on the next steps you need to take.


With the REAL ID deadline approaching in October, it is time to determine if you should replace your current government- issued ID, as well as be aware of any scams that may pop around near the time of the change.

What is a REAL ID?

Fifteen years ago, Congress passed the REAL ID Act, which set a uniform standard for how individual states issue driver’s licenses and state IDs. Prior to the 9/11 attacks, each state determined the requirements on how to prove your identity and address when applying for identity documents. Once the ID was issued, it was automatically valid in all other states. Because the 9/11 hijackers used legal, state-issued IDs in their attacks, the federal government created guidelines to standardize the credentials required to travel by air or enter federal government buildings.

After numerous delays in the 15 years since the law was enacted, U.S. residents must now decide if they need a REAL ID or to keep their current state-government issues ID.

What To Consider

It’s important to consider your circumstances and if you truly need a REAL ID. If you are planning to travel domestically by commercial airline within the United States, you will need the enhanced ID. However, if you are NOT planning to travel within the U.S. by air or enter a federal government building, then your regular state identification card or Driver’s License is still valid. If your license is valid—whether it is a REAL ID or not—you will still be able to use it as a form of identification for activities like writing a check.

Important Steps

There are some important steps in order to obtain a REAL ID in your state, as well as specific documents you must have. Be sure to check with your state’s DMV or state police website in order to find out what you must bring with you. According to the Department of Homeland Security’s Frequently Asked Questions (FAQs), “At a minimum, you must provide documentation showing:  1) Full Legal Name; 2) Date of Birth; 3) Social Security Number; 4) Two Proofs of Address of Principal Residence; and 5) Lawful Status.”

For example, to apply for the REAL ID card in California, you need to present one identity document that includes your date of birth and true full name. That could include:

  • Valid, unexpired U.S. passport or passport card
  • Original or Certified copy of U.S birth certificate (issued by a city, county or state vital statistics office). “Abbreviated” or “Abstract” certificates are NOT accepted
  • U.S. Certificate of Birth Abroad or Consular Report of Birth Abroad of U.S. Citizen
  • Unexpired foreign passport with valid U.S. Visa and approved I-94 form
  • Certified copy of birth certificate from a U.S. Territory
  • Certificate of Naturalization or Certificate of U.S. Citizenship
  • Valid, unexpired Permanent Resident Card
  • Valid, unexpired Employment Authorization Document (EAD) Card (I-766) or valid/expired EAD Card with Notice of Action (I-797 C)
  • Valid/expired Permanent Resident Card with Notice of Action (I-797 C) or Approval Notice (I-797)
  • Unexpired foreign passport stamped “Processed for I-551”
  • Documents reflecting TPS benefit eligibility

Potential Scams

With any change in government processes, scammers will try to take advantage. Be on your guard against fraud and hoaxes with the REAL ID deadline approaching.

For example, you cannot upgrade your license or ID over the phone, you will not be required to pay a fee or fine for not having a REAL ID and you will never be asked for the information on your license.

You will not receive a fine from the police for driving with a license that is not a REAL ID as long as it is valid. Also, you cannot be turned away at a polling place if you are a registered voter.

When in doubt, simply reach out to your local agency that issues REAL IDs for more information.

Data Storage & Protection

Once you are done with the process of applying for your REAL ID, don’t forget about data storage and protection. Important papers like your W-2 form, Social Security Administration card and other documents (even your devices) should never be unattended, even in a locked vehicle. Once you get home, it is also important to lock up your documents in a safe place to keep people—even people you thought you could trust—from accessing it. This could be a locked filing cabinet or firebox.

If you believe you are a victim of identity theft, you can call the Identity Theft Resource Center toll free at 888.400.5530 to speak with one of our advisors or live chat with an advisor on our website. They will help you create an action plan for your case while directing you on the next steps you need to take.


For on-the-go identity assistance, check out the free ID Theft Help App from ITRC.

You might also like…

A Department of Defense data breach has exposed the complete identities of potentially multiple high-ranking individuals, emphasizing the importance of businesses increasing their security protocols, and consumers monitoring and freezing their credit reports.

 When hackers break into a computer network, there are varying degrees of harm they can cause depending on what they are able to access. If they are able to install ransomware on the network and lock up the entire system, they might expect a handsome payoff. If they steal a database of customers’ names and emails, they might sell that information to spammers or use it for phishing attacks. However, when hackers manage to get complete identities—meaning names, birthdates, Social Security numbers and more—the possibilities are endless.

Considered a “Holy Grail” of identity theft, a complete record lets the hackers open new lines of credit, submit fraudulent tax returns, apply for government benefits or buy a house. And that is just in the short-term. They can continue using that identity potentially forever, and they can even sell it to other criminals who will do the same thing. The end result can be a never-ending spiral of ongoing identity theft.

Unfortunately, a 2019 Department of Defense data breach has exposed the complete identities of an undisclosed number of people. The real concern is the specific agency in question: the Defense Information Systems Agency, or DISA, which handles IT support and all secure communications for the President, the Vice President and the Secret Service, just to name a few.

The group within the government that is tasked with protecting top-secret communications was infiltrated by hackers, and there is no word yet as to who it was and how much information they accessed. While DISA works on tightening its security protocols and systems, the individuals impacted by the Department of Defense data breach were issued a notification letter of the breach. The usual steps, like free credit monitoring for one year, are in place for those victims. In the meantime, this serves as yet another reminder that we all must be diligent about monitoring our credit reports, placing freezes on our credit reports if we do not need to use our credit soon, keeping our passwords up-to-date and other similar steps.

You might also like…

Updated 7/14/20 – The MGM Data Breach that occurred last summer is much larger than previously thought. According to threatpost, researchers have found 142 million personal details from former guests at the MGM Resorts hotels for sale on the Dark Web. The advertisement lists the guests’ personal details for more than $2,900.

Last summer, MGM Resorts disclosed an MGM data breach that affected around 10 million guests of the hotel company, including some fairly high-profile clients. The data, which included names, addresses, phone numbers and email addresses appears to have not included sensitive things like payment card information or Social Security numbers. However, that does not mean the information is useless, and it certainly has not stopped hackers from posting the stolen data for sale on the Dark Web.

There are a few different reasons why hackers might target a company or website. They might want to steal information, such as in the case of the MGM data breach, or install malicious software on the company’s servers. They might simply want the “credibility” of breaking into a secure site and bragging about it later, or even the ability to protect the public, as in the case of “white hat hackers” who infiltrate a company in order to show them their own defense weaknesses.

In the case of the MGM data breach, the goal seems to have been profit. The database of information—which included records that claim to belong to Justin Bieber, Twitter CEO Jack Dorsey, U.S. government officials and even a Secret Service agent—has now been discovered for sale online.

What can criminals do with this stolen information once they buy it from the hackers? After all, it does not contain any permanent identifiers or financial account records.

The end goal for this kind of sale is to grab up the email accounts and use them for targeted spam. It could be the annoying kind of spam that floods your inbox with ludicrous consumer offers, but it could also be the dangerous kind. For example, if the hacker wants to infiltrate a government computer, they might send an email with an embedded virus to a former guest with a .gov email address. In order to get the recipient to click the link, the email just has to look like it came from MGM Resorts—or another company the person does business with—and offer some plausible reason why the recipient should open the file.

From there, the malicious software, virus or even ransomware can be installed on the victim’s computer, and then the senders can move forward with whatever plan they intend.

In order to protect yourself from this kind of attack, there are some things you can do to be more proactive. No one can prevent every cyberattack, of course, but you can at least try to slow the bad guys down.

  1. Throwaway email account – Establish an email account that you use specifically for things like booking travel, online shopping or even signing up for gaming apps. There is no reason to use your work email or “official” email for those kinds of activities.
  2. Develop good habits – Never click a link, open an attachment or download a file that you were not specifically expecting. Even if it looks like it comes from someone you know or a company you do business with, it could be spoofed and therefore could be harmful.
  3. Stay up to date on data breaches – Any time there is a data breach and you are informed that your information may have been compromised, that should serve as another reminder that a wave of spam or fake emails is coming your way. Be on the lookout for anything unusual and stay away from those embedded dangers.

For more information on data breaches like the MGM data breach and what they could mean to you, go to idtheftcenter.org and check out the free Breach Clarity tool that helps consumers understand their risks and take the proper steps to protect their identity.

You might also like…