Since 1 February, the national fraud monitoring organisation, Action Fraud, has received 105 reports of coronavirus-related scams, most of them online, with losses totalling some £970,000. And that’s just the tip of the iceberg.

“Virtually every cybercriminal has now pivoted to using some pandemic-related content,” says Ian Thornton-Trump, chief information security officer at online security firm Cyjax.

These scams involve a variety of tactics – from phishing emails, through which fraudsters try to obtain banking details, to the use of ransomware, where criminals threaten to destroy or leak a firm’s data unless they are paid large sums.

Many SMEs are vulnerable because their IT security isn’t strong enough to cope with staff working remotely. “Employees and managers worried about the loss of income during the lockdown may make hasty decisions without proper approval of colleagues,” says Matt Horan, security director at C3IA Solutions, which specialises in IT security for small firms. And these hasty decisions may lead them to click on fake emails promising tax refunds or offers of investment, for example.

Here’s a rundown of some of the coronavirus-themed online scams you might encounter.

Since 1 February, the national fraud monitoring organisation, Action Fraud, has received 105 reports of coronavirus-related scams, most of them online, with losses totalling some £970,000. And that’s just the tip of the iceberg.

“Virtually every cybercriminal has now pivoted to using some pandemic-related content,” says Ian Thornton-Trump, chief information security officer at online security firm Cyjax.

These scams involve a variety of tactics – from phishing emails, through which fraudsters try to obtain banking details, to the use of ransomware, where criminals threaten to destroy or leak a firm’s data unless they are paid large sums.

Many SMEs are vulnerable because their IT security isn’t strong enough to cope with staff working remotely. “Employees and managers worried about the loss of income during the lockdown may make hasty decisions without proper approval of colleagues,” says Matt Horan, security director at C3IA Solutions, which specialises in IT security for small firms. And these hasty decisions may lead them to click on fake emails promising tax refunds or offers of investment, for example.

Here’s a rundown of some of the coronavirus-themed online scams you might encounter.

Reports have emerged of fraudsters pretending to be HMRC and the DVLA to offer refunds on income and road tax, using authentic-looking emails displaying genuine logos. “But they’re phishing for things like your national insurance number, bank account and other details,” says Matt Horan.

Risk-solutions provider Kroll has reported a rapid rise in fake websites asking for charitable donations for those affected by coronavirus. Kroll strongly recommends that contributions are made only through known or thoroughly vetted charitable organisations.

Be aware, too, of emails supposedly from clients or suppliers altering their invoice details, such as account numbers. They may well be from scammers.

Although your firm should certainly be beefing up its IT system security at this time, you need to be careful where you source your software. A new strain of ransomware codenamed CoronaVirus has been trumpeted via fake websites and sold as WiseCleaner, a legitimate software tool that can be used to clean up junk files from computer systems. Always purchase any security software from a reputable supplier.

If you want to protect your staff from the actual virus, as well as a computer one, be wary of websites selling safety products, such as hand sanitiser and face masks. Some may turn out to be counterfeit and substandard; others may take your money and fail to supply the products. According to the National Fraud Intelligence Bureau, one crime victim lost £15,000 after placing an order for face masks that were never delivered. But plenty more customers lost fairly small sums that added up to a big pay day for fraudsters.

“These low-level scams rely on the fact that, if people just lose £10, say, they’ll write it off and not report it to the police,” says Andrew Beckett, managing director and EMEA cyber-risk practice lead at Kroll.

As more and more people work from home, the use of online conferencing services has become the norm.

But these apps are now being targeted by fraudsters. According to security researchers in the US, an estimated 1,700 new domain names containing the word “zoom” have been created since January in an attempt to cash in on the popularity of the online conferencing app. Many of these are fake sites that impersonate the real thing to harvest company security information.

We asked experts, including Action Fraud and the National Cyber Security Centre, for the best ways to keep online criminals at bay.

• Give your staff guidance on spotting scam emails and websites, such as looking out for poor grammar, email addresses that don’t match those on official websites, or lack of personalisation.
• Maintain your IT security standards while working remotely. “Remind staff gently that, even while they are working at home, all the usual IT policies are applicable,” says Ian Thornton-Trump. Also, encourage them to report security breaches as quickly as possible but avoid creating a blame culture.
• Make sure all staff have strong login passwords, consisting of a mixture of numbers, letters and symbols.
• If possible, connect workers to servers and desktops via a virtual private network (VPN), accessed using special codes.
• Regularly back up data, both online and offline.
• Ensure your security software and system monitors are up to date – and that alert notifications are visible from home. Run frequent virus checks.
• Invoices, payment mandates, and other sensitive information should only be accessible to staff who really need it. Where possible, payments should be signed off by two people before being sent. Double-check with a client or supplier if you get an email saying their payment details have changed. Don’t give out financial details, such as your banking password, to anyone contacting you out of the blue.
• Use OneDrive, Dropbox or Google Drive for file transfers, rather than email attachments.
• Websites such as Haveibeenpwned  are a quick, cheap way to discover if your email has been compromised. But consider asking cyber-security consultants for help on security best practice and constructing an incident-management plan.
• If you are experiencing a live incident, call Action Fraud immediately on 0300 123 2040.

For more information on protecting your business from cyber threats, follow Royal Bank of Scotland’s business security guidance .