VERISK EXPERTS TALK COVID-19

The Spread of Coronavirus-Related Consumer Fraud

  • SEASON 1 EPISODE 4
  • May 20, 2020

Dan Frechtling, president of Verisk Financial G2, discusses the rampant uptick in coronavirus malware and scam campaigns since the outbreak began and what’s being done to help protect businesses and consumers.

Related Article: Dramatic Rise in COVID-19 Related Scams

Dan Frechtling

Dan Frechtling is president of G2, a Verisk Financial business. For 16 years, G2 has been the world leader in merchant onboarding and monitoring, helping clients eliminate prohibited commerce and other forms of merchant risk from their portfolios. Under his leadership, G2 enables clients to uncover millions of merchant violations, including drugs, illegal medicines, IP theft, gambling, violence, and child exploitation.

Doug Topken: Hello, I'm Doug Topken, host of the new Verisk podcast series on business issues related to the COVID-19 pandemic. In today's podcast, we'll be discussing the rampant uptick in coronavirus malware and scam campaigns, since the outbreak began, and what's being done to protect businesses and consumers. With me today is Dan Frechtling, president of Verisk G2. Thanks for speaking with us today, Dan. Let's start with the big picture, just how big is the problem and how quickly has it grown?

Dan Frechtling: It's great to be here, Doug, thank you very much. You know, if you were to plot a line representing the number of COVID-19 cases over time that line that shows the growth in related misconduct the problem you're talking about roughly follows the same curve. And G2 has been tracking COVID related fraud, really since before the epidemic became a pandemic in early February. One area that we look at is newly created domain names that are suspicious. And so that's one indicator. This includes domains that have words like COVID-19 or coronavirus or misspelled variations of those terms or other terms that I'll talk about in a moment, but there are other factors involved to make sure certain domain names are riskier than others, including how closely the characteristics resemble others that are used in various scams, and how they are related to other known bad actors we keep tabs on that. Kind of going back in time, by the end of January, the pioneers if you will of coronavirus commerce registered around 1800 domain names related to the illness. Those were the early days of the pandemic be really quick before then, the disease didn't even have a name yet there were various terms that it went by. And some of those that got involved were opportunists like those that thought they could drop ship masks to meet heavy demand and others were outright fraudsters. They might have been engaged in non delivery schemes, or touting miracle cures, others that were doing that, so, in summary, in January entrepreneurs and bad actors alike were fortune hunting. By the end of February, there are about 6,000 new suspicious coronavirus related domain names that have been created, and there were about 13,000, all in speculative, potentially scam COVID websites. Then things really started to pick up in March, in that point worldwide panic was starting to set in. As you recall, Italy locked down the country, the World Health Organization did declare it a pandemic and the US became the epicenter. And in that month alone there were 89,000 new suspicious domain names related to the coronavirus. So after that spike in April, fortunately, many domain name registrars began to put in protocols to deal with these fraudulent websites, and they used a combination of automated registration filters human analysts and a number of different things to combat abuse, and the numbers really in April fortunately showed that those efforts were working there were approximately 56,000 high risk domain names registered at that point. And that was a total about 153,000 January to March, so if you go back to this curve analogy, we are hopefully flattening the curve of COVID related internet fraud. That's just from the angle of the domain names and a little bit on the website content, but there's more. There's other signals and a real good one is consumer complaints so G2 tracks those consumer complaints from various sources. Those include, in addition to websites scams your text, phone, social media fraud, and by the end of March, there were about 7,800 COVID related scams that were reported to the FTC and that had doubled kind of week on week, and then back to this curve analogy those numbers really ballooned in April by the end of the month or over 27,000 complaints. US consumers reported 20 million in fraud last which is about a median average of $500 per fraud. So that's how we've seen the problem grow in the sort of first quarter and getting into a little bit the second quarter. 

Doug: How does Verisk G2 scan and identify these domains? What sort of tech is involved? Any AI, or natural language processing? Don't give away your secrets, obviously, how do you determine that a site is a scammer versus a legitimate business, even if they are acting, particularly opportunistic? Can you detect price gouging for instance?

Dan: So G2 has been around since 2004, and in the 16 years that we've been doing what we do in ensuring safer, more profitable commerce we've tried a lot of different combinations of technology and analysts and we find it's a combination of machines and minds that works best. So we discover and crawl about three to 4 billion web pages per month and call that our unknown universe we add what we already know about the bad actors on the internet, and in our known universe we combine those two together. And as part of our persistent merchant monitoring solution we're looking at about 30 million merchants per month, there'll be for 400 payments and digital commerce clients around the world, and that number grows and certainly there are more merchants growing these days because of the increase in e-commerce businesses as people are working more from home. G2's data scientists have applied a predictive model to that persistent merchant monitoring, instead of just looking for keywords like we did in the early days, we look at all the words on a website and then we use algorithms and other models to come up with a probability of a website having content violations. And we believe very strongly in minimizing false positives for our clients so our analysts who are highly trained in various content areas, they look at inconclusive report align results, and then feed that back in to the machine learning models to eliminate and prevent false positives in the future. 

So with that, we take the output of those machines minds and then we dynamically score the websites, based on content. That scoring then gets better and more predictive over time so that's that's kind of a general sense of what we do, we found that change detection is an increasingly important module as websites change when many times you can be underwritten and you can look like you are doing one thing and then later on you add prohibited or violative content later so that change detection looks very precisely it's small intervals so we can flag changes, and then includes price changes and so we asked about gouging so we often saw was that initially, the prices might be even with the market and then once the merchants had been reviewed then they would go increase their prices. Others we found the right out of the gates went in with premium pricing and which you might call price gouging when you look at the comparable items from mainland retailers and so we would see 80-160% increases for, you know, in the beginning was toilet paper and it was thermometers and whatever item was scarce at the time we saw the price gouging by among some merchants spike. So that's the kind of information allows our clients to take action when they see that kind of behavior. 

Doug: Wow Dan, it’s now clear to me that we're not just talking about a financial impact or impact on my wallet, but also my health. It's terrifying to consider the possibility that harmful or ineffective drugs are out there, when the health of my family or myself are on the line. Can you expand on that a little bit.

Dan: Yeah, yeah sure. What you're talking about is an area of scams and fraud where even before coronavirus there were very high profit margins, in many cases we've found them to be higher than the sales of recreational drugs. And this is because a lot of what's sold is standard, or falsified when you talk about medicines and pharmaceuticals and supplements. There's non-delivery, there's ID theft. Now that's all stuff that existed before COVID-19. Now you have that and more... you have people at home, they're, they're away from face to face medical treatment. In some cases they're panicked because this is the state we're in right now is a convergence of really a health crisis and an economic crisis... is very stressful. At the same time we see telemedicine, so getting medical advice over the phone or through Zoom increasingly accepted which interests people closer to the kinds of criminal networks that if they're not careful, they'll get wrapped up in, and you've got this all this confusing jargon and new terms going on right now so this has led us to see all kinds of health risks right not just taking a placebo but actually something that can hurt you. We've seen merchants that are trying to profit from colloidal silver or kratom or CBD, which, you know, all these are being pointed as potential treatments to ameliorate coronavirus, and the problems here is this people are in search of markets right these opportunities I've talked about some of these products are marketed to parents for their kids, and as a parent again without medical advice, it's very very dangerous without knowing what other medications that child is taking or how old they are, or how much they weigh the dosages can be missing from these products. So, these are people making money that not only is it defrauding people of of their money right of their funds but it also can have a serious health risk. When you see this every day, it can shake your faith sometimes in the goodness of humanity, until you recognize and appreciate what the frontline health care workers do every day and so playing a role in this in some small fashion is really motivating for us at G2. When we come to do our jobs every day. It's kind of given us a new source of fulfillment to keep commerce safer and really free from merchant bad actors.

Doug: So, so what types of fraudulent activities schemes have you seen popping up? What are the more common ones or ones that we wouldn't even think to imagine?

Dan: Yeah it's it's funny that we're talking about this because in the early days of COVID-19 were just a couple of months ago, and the scams that G2 identified were mostly focused around healthcare related products so early on, almost half of these were face masks and another one third were an assortment of other personal protective equipment like hand sanitizers and gloves. And then, also early on, maybe about 15% were supplements about 5% were test kits. And what was interesting was a little more than half were pop up stores. So these were merchants that not have a history before COVID-19, really really opportunists and then a little less than half for existing businesses that just simply added COVID-19 to help broaden their merchandise their selection. Now we also tracked a significant number of illegal internet pharmacies, and which we identified as belonging to illegal pharmacy networks that were already known to G2. I think it's important to clarify and define what we mean here what is an illegal illegal pharmacy network as opposed to a legal pharmacy network online. So an illegal pharmacy network, it's a connected group of websites that are usually designated illegal for for three reasons or one of three or more than one of three. First is they're facilitating the sale of prescription only drugs, without requiring a prescription. Second, they may facilitate the sale of drugs that are not authorized in the consumers jurisdiction - country to country, there's a lot of variation, and, you know, in the US, the FDA approved gold standard that we look at. And that can differ so shipping those drugs that are not authorized is considered illegal. And then the third and or they wouldn't hold pharmacy licenses in the consumers jurisdiction. So, those are the rules that we use to deem whether a pharmacy network is illegal or legal, and we found them these, these known illegal pharmacy networks were merely adding COVID-19 to already existing platforms they had been using to sell other drugs that were not deemed or not not legal to be sold in that way. But what gets interesting though is when you peel back and look in a little deeper to what kinds of drugs we're talking about here and they follow the news trends. So when certain public and media figures promoted Chloroquine in late March and early April we saw violative Chloroquine content on websites increase, and that actually peaked, the week of April 25, you can actually see the peak, and that was the week when the FDA cautioned against Chloroquine, and then we saw the fraud start to decline. Since then we're starting to see Remdesivir trending as that's been proven to show some effectiveness. So, with the mass market involved in these kinds of scams and the attractiveness to the average consumer the news trends are really dictating the kind of scams that follow. So as we do our work, we also discover not just the active websites but hundreds of domains with names that suggests they intend to sell the medicines I mentioned, but not yet operational and sometimes these are owned by the network's, they could be dormant, to be activated later, or they're owned by affiliate marketers that work with illegal pharmacy networks to drive traffic to them. So it tends to be a very specialized set of services around these legal pharmacy networks. So that was a very big part of the fraudulent activity that you asked about but then again back to this idea of the news cycle right when the US and other governments announced stimulus programs, financial fraud spiked in this included scams where consumers were told to provide personally identifiable information in return for promises of government grants, and then that was later used for identity theft or ploys where they were told they needed to pay penalties because they were delinquent in order to receive the funds from the government in a very similar pattern to what we saw in the financial crisis the Great Recession very similar kinds of patterns, and since the Small Business administration's Paycheck Protection Program PPP program launched, we've seen scams where companies are offered money in a matter of hours, expedited, if they pay a processing fee for that. So, those are some of the major ones some of the interesting ones are fraud related to online puppy sales, but believe it or not, and then you see as people see these main market saturated there are coronavirus advice websites that appear. One prominent example was cyber criminals that spoofed, the UK National Health Service website to trick users into downloading dangerous malware to steal their passwords and credit card data. So all in all, we've reviewed and reported approaching 7,000 COVID-19 related violations on e-commerce sites.

Doug: Wow. So what are regulators have been doing to stop it have any of their efforts help at all?

Dan: I really applaud what regulators are doing, due to tracks government enforcement actions, we're fully aware that regulators are working overtime to shut down COVID related fraud and some of them like everyone else are working out of their homes to do so. In the US, the FDA and FTC have been aggressively pursuing online companies that are making claims about their products treating or preventing COVID-19, and this comes in the form of warning letters the FDA and FTC have issued dozens and continue to issue warning letters to companies allegedly selling unapproved products that violate federal law with deceptive and scientifically unsupported claims about treating coronavirus. On most FDA and FTC warning letters which allow 15 business days for a response, the COVID-19 warning letters, allow the merchants only 48 hours to respond so that's really tight window. The government's demanding immediate action for MLM, or multi level marketing schemes the FTC has issued another several dozen letters on their own, including those two multi level marketing companies that were not making the claims themselves but had their affiliates doing so. In these again around claims that the products and treat or prevent COVID-19, so the FTC is holding multi level marketing operations accountable for the actions of their affiliates. The FTC has also filed a complaint against the owner of a website, which claimed falsely to be an SBA Small Business Administration authorized lender and more in telemarketing warning letters to voice over IP service providers, because they were viewed as to be assisting in facilitating these allegedly illegal coronavirus related telemarketing calls that were part of the financial scam so this is important because it shows the FTC is willing to take action against third parties that are facilitating and that's really what it takes to stop these scams and that's that's often the choke point that regulators look for. So that's the FDA and FTC the Department of Justice has also been working with Internet companies including domain providers and registrar's to shut down fraudulent websites, and the DOJ and these stakeholders have disrupted hundreds of internet domains use to exploit the pandemic to commit fraud and other crimes. So one of these was pretending to solicit and collect donations to the American Red Cross, again, similar to the UK other fraudulent websites that spoof government programs and organizations to trick American citizens into providing personally identifiable information, including banking details. So that's the story of the regulators in the US. The UK, like the US shutting down scammers is really a group effort among enforcement agencies, so the MHRA which is the equivalent of the FDA announced its investigating more than a dozen cases of fake or unlicensed COVID-19 medical products. This includes self testing kits and more miracle cures and anti-viral misting sprays and other unlicensed medicines. So, the agency has disabled domain names and social media accounts to the MHRAs credit, the National Crime agency in the UK arrested two people, one of whom was a pharmacist for allegedly selling fraudulent test kits, and also took down a website that was luring victims into buying suspected PPE personal protective equipment, it was suspected to be non existent. And they use phishing emails to do that. Also the UK is National Cybersecurity Center took down more than 2000 online coronavirus scams and include nearly 500 fake online shops. So, this is what we see, and this is what we're going to plug with the regulators are doing, since it is an ongoing problem, I would like to suggest that if anyone listening does come across fraudulent COVID-19 products in the US, there's an FDA hotline for that, and that's 800-332-1088. And if you're ripped off, you can report that to the FTC, it's got a website called ftccomplaintassistant.gov. So, similar interfaces for regulators in other countries.

Doug: That's really good to know as I myself could be a target of such a scam, I haven't been but I could be a target so thank you for that. So fraudulent activity is a global problem. What about regulators outside the US and UK, what are they doing?

Dan: I'm glad you asked. I only talked about the US, the UK so far but it is a global problem. Regulators worldwide are cracking down, there's a great deal of international cooperation around this, so maybe without surprise because the pandemic started in Asia, when it was still an epidemic the enforcement started there in early February. The Hong Kong Police received hundreds of reports of mask scams and that had an equivalent I think about 580,000 Hong Kong dollars there. By mid February, Singapore Police arrested individuals suspected of using B2C and C2C platforms to engage in face mask scams. Singapore also announced, they'd gotten nearly 90 reports or more than 90 reports on individuals that were complaining about an online company that wasn't delivering purchase masks, and this continued into March. In Singapore active again the Health Sciences authority shut down 1200 product listings with health supplements herbs traditional medicines. So that's one aspect one part of Asia kind of Australasia southern part of Asia, Australia cybersecurity center, they've disrupted hundreds of malicious COVID-19 websites, their telecommunication providers as well as Google and Microsoft are teaming up on this. And of course, China has been part of this as well their enforcement agencies are actively investigating and prosecuting other cases so as I said a lot of this started in Asia, but other European countries are also active. A French pharmaceutical company was defrauded by a man who advertise the fast delivery of surgical masks and hand sanitizers, and we see cooperation across regions EuroPol working with Singapore authorities to block this payment and to arrest the individual involved. Another great example of cross national collaboration is Interpol's operation Pangea which they do every year and this year in early March over 34,000 counterfeit surgical masks were seized by law enforcement so they do this every year they pick the timing well in advance and it was quite fortuitous in retrospect for them to be able to disrupt that. So there's a mix of enforcement in areas all over the world, some of it, country specific and some of it coordinated across countries.

Doug: Right. So let's talk a little bit about the bad actors. Who are these people who are largely the ones behind these scams?

Dan: You know, as I said earlier, the rogue internet pharmacy networks are one really significant actor behind this are their complex global operations include hundreds or even thousands of related websites, and they have been illegally selling prescription drugs via the internet for over 20 years.  Because their criminal opportunists, they're now promoting unproven prescription drugs as COVID-19 cures, so we've also seen these websites selling face masks, which suggests that they may be operating separate PPE websites. So that's one group that I covered earlier. There's other known high risk actors that are crossing the line, and other lawful merchants in high risk categories are are well represented so when I talk about high risk in this sense, generally, these are these are business categories with higher than average chargebacks or categories where merchants tend to skirt the line of legality, and some of these are now crossing these lines for example we discovered a licensed pharmacy in the UK that was otherwise bonafide was registered with the MHRA in the UK displaying the EU common logo is required by law, but they were selling Chloroquine, again we talked about that was sold to consumers in the US, and it appears to be acting illegally in the US because that's not something that you can sell without a prescription, and they were selling it without one. A third category as I mentioned way in the beginning was the opportunists, and these aren't the criminal rings that I've covered earlier this is where it's a bit more of a cottage industry, and often these are non delivery schemes where there's no inventory, people are just taking the money and nothing's shipped and then they're shutting down. I think having said that it is kind of worth mentioning the organized crime is is clearly a part of this, there was a large scale facemask scam that Interpol investigated where, a German Health Authority attempted to purchase a million and a half face masks for an upfront payment of a million and a half Euros, which is a pretty cheap price, I can see why that was attractive, but the scam involved criminals in Germany, Ireland and the Netherlands and the money was ultimately intended to be routed to Nigeria, so Interpol fortunately intervened in that.

Doug: Dan, can you share with us some of the best practices for banks and other payment companies to put into place to avoid inadvertently doing business with these bad actors?

Dan: Well, I think the first thing to do is to recognize that financial institutions, aren't law enforcement, but they're choke points that can be very effective so financial institutions aren't going to arrest anybody. These perpetrators. They're working in anonymity or in remote parts of the world, but financial institutions, banks payment service providers, others other payment companies can work with G2 to to choke off the payments of the bad guys and make it much harder to exploit consumers, and that's where we come in. As for best practices. I'd say the first thing is that as a bank as a provider of financial services you want to start by incorporating COVID-19 related rules and queries into scanning your portfolio, to see if there's any that are already hiding there, but definitely add to merchant and business customer onboarding process so you catch them before they can start taking payments, so that's that's the first best practice. The second one is to employ change detection technologies I mentioned earlier this is important to find changes in business practices, because we've seen during this pandemic three tactics that are abused, and these are the kinds of things that pop up after a business has already been on boarded. The first is pressure, buying methods. There may be prompts that for urgency like hey only two items left, and these are to goad consumers into acting faster than they normally would. There's the price gouging problem that you raised earlier on highly sought but low stock level items such as N95 masks and even hand sanitizers early on. And then of course, as the health regulators around the world have shown us these unsupported health claims are all over the place, and they're added to product descriptions to help move inventory, but they're misrepresenting the effectiveness of the products they're describing. So those two are big ones. A third one is really important a little bit trickier to uncover, and this is transaction laundering. Transaction laundering commonly is used to hide the business accounts that are being used to process payments. And it's very difficult to detect, even in a normal economy – in this chaotic environment with merchant behavior changing transaction patterns changing new merchants popping up new merchants going away. It makes it even harder. Transaction laundering consists of front sites and in violating sites so these front sites are, say for example, vitamin stores or boutiques, or gift shops online or even business consulting, they appear innocuous and they're used to apply for merchant accounts, and often these front sites are not actually active websites, so if you try to order products from them the site isn't going to work. There are other signs that these front sites are fake. There might be text that's copied from other e-commerce sites or shopping carts that don't work, and sometimes these are affiliate sites too. They're very thinly developed sites and they refer traffic to the anchor sites that are processing the payments, but those front sites, and the violating sites work together synergistically the front sites, enable access to the payment system. The violating sites attract the consumers, the consumers have no idea where the transactions are flowing through, and then the payment providers have no idea that the front sites are connected the violating behavior so it's very thorny problem. So, from this you're G2 technologies and analysts, we've mapped out criminal affiliate networks we have databases of who these actors are because they tend to operate in packs, they tend to operate in sequels, they don't really go away, they're just terminated, until another day. And so we found our transaction laundering program really effective to further assist payment processors in their efforts to terminate illicit merchant accounts.

Doug: Well, thank you, Dan. it seems it unfortunately malware and fraudulent schemes are spreading as fast as the virus itself and trying to take advantage of that situation.

Thanks for sharing your insights with us today. We appreciate you taking the time to join us for this podcast. To learn more on this and other COVID-19 related topics, be sure to follow us, and visit Verisk.com. We hope you've enjoyed this podcast and invite you to join us again. Until next time, stay healthy everyone.

Visit the Verisk COVID-19 Resources Page for more information