Criminals and other malicious actors often seek to capitalize on world events for their gain. Some criminals are leveraging heightened interest in the Coronavirus Disease 2019 (COVID-19) pandemic to take advantage of individuals and organizations.¹ Officials have cautioned about a host of scams and other criminal activity relating to the pandemic. These range from criminals claiming to be from a charitable organization or government agency and tricking individuals into providing money or personally identifiable information (PII) to fraudsters selling bogus or counterfeit treatments for COVID-19 or personal protective equipment (PPE) and medical devices that may or may not be delivered after victims submit payment.² The Federal Bureau of Investigation (FBI) noted that "as of May 28, 2020, the Internet Crime Complaint Center (IC3) received nearly the same amount of complaints in 2020 (about 320,000) as they had for the entirety of 2019 (about 400,000). Approximately 75% of these complaints are frauds and swindles."³ In addition, the Federal Trade Commission (FTC) received more than 134,100 complaints (approximately 69,600 of which were specific to fraud) related to the COVID-19 pandemic, including the loss of over $87 million to fraud, in the first six and a half months of 2020.⁴

On March 16, 2020, Attorney General William Barr issued a memorandum to U.S. Attorney's Offices regarding the Department of Justice's (DOJ's) COVID-19-related enforcement priorities. The memorandum stated that "[e]very U.S. Attorney's Office is thus hereby directed to prioritize the detection, investigation, and prosecution of all criminal conduct related to the current pandemic."⁵ Less than one week later, DOJ announced its first enforcement action against COVID-19 fraudsters. In doing so, the department alleged that the website "coronavirusmedicalkit.com" was claiming to provide consumers with access to World Health Organization (WHO) coronavirus vaccine kits if they provided their credit card information to pay for shipping.⁶

This report provides a brief overview of the types of scams criminals may use to steal money and PII from individuals and businesses. The report also discusses federal law enforcement's role—specifically, DOJ's role—in investigating and prosecuting these scams. Congress, in examining DOJ's priorities going forward, may look to the resources DOJ has placed toward countering fraud more broadly, and toward specific nefarious activity capitalizing on the COVID-19 pandemic.

COVID-19 Scams

Generally, fraud is a profit-driven crime. Fraudsters may attempt to scam victims—individuals and organizations, including government programs—out of money directly or steal victims' personal information to profit in other ways. COVID-19-related fraud is no different.⁷ While this section presents examples of COVID-19-related scams, it is not meant to be representative of the full spectrum of scams and tools criminals are utilizing to take advantage of the pandemic.

Scamming Victims Out of Money Directly

Fraudsters have used a number of scams to prey on public interest in the COVID-19 pandemic. People seek up-to-date information about the disease, attempt to purchase PPE such as masks, want to learn about or purchase preventive treatments or potential cures, and try to support front line workers and charities that deliver much-needed resources. The following are examples of how fraudsters take advantage of the pandemic.

• Swindlers have tried to sell counterfeit drugs and medical equipment or have pretended to sell PPE such as masks that are never delivered, scamming buyers out of money and potentially endangering lives. For example, DOJ arrested two individuals who tried to scam victims out of more than $4 million by falsely representing the legitimacy of their company and purporting to sell boxes of PPE; the boxes were empty, and law enforcement disrupted the scheme before victims lost their money.⁸
• DOJ filed a civil forfeiture complaint against several PayPal accounts associated with fraudulent websites. These websites were run by individuals in China purporting to sell masks; some victims never received anything, and others received alternate, nonmedical items such as toys or jewelry.⁹
• Law enforcement and consumer protection agencies have warned against scammers masquerading as charitable organizations addressing the pandemic.¹⁰ The FBI has reported that "law enforcement has seen an increase in social media scams and telephone calls fraudulently seeking donations for illegitimate or non-existent charitable organizations requesting victims' bank account information."¹¹ The FBI has also worked with private sector internet domain providers and registrars to disrupt fraudsters, including taking down malicious websites such as one pretending to collect donations for American Red Cross COVID-19 relief efforts.¹²

Leveraging Stolen Personal Information

Criminals who steal victims' PII can use it to gain access to victims' existing accounts or establish new accounts that can be used for profit. For instance, scammers have tried to use stolen PII to redirect unemployment benefits and economic impact payments (EIP) provided pursuant to the Coronavirus Aid, Relief, and Economic Security Act (CARES Act; P.L. 116-136). The Identity Theft Resource Center (ITRC) reports an uptick in queries related to COVID-19 fraud and that traffic to the center was 850% higher in March 2020 than in March 2019.¹³ Fraudsters may use a number of tactics, including phone calls or email phishing¹⁴ schemes in which they pretend to be a representative of a legitimate organization, to try and steal PII that they can then leverage to their advantage. The following are examples of how fraudsters have used interest in the pandemic to steal PII.

• Hackers have preyed upon public interest in mapping the spread of COVID-19. In one scheme, they sold a malware¹⁵ infection kit to fraudsters who used an interactive map of COVID-19 cases produced by Johns Hopkins University to infect computers with malware. This malware was designed to steal passwords such that when unsuspecting users clicked on the map for information, their devices would become infected.¹⁶ It is believed that hackers used the AZORult malware, "one of the most commonly bought and sold stealers in Russian [cybercrime] forums."¹⁷
• Thieves have used stolen PII to set up fraudulent accounts on the IRS website, and those who previously stole victims' PII and filed taxes using a stolen identity may also be able to receive the EIPs allocated to those individuals as part of the CARES Act.¹⁸
• DOJ has indicted individuals for attempting to defraud the government by filing false loan applications in attempts to receive forgivable Paycheck Protection Program (PPP) loans pursuant to the CARES Act. Some tried to swindle the government out of millions of dollars in loan money by falsifying business information.¹⁹
• Fraudsters have taken advantage of the surge in unemployment claims and have used stolen PII to receive unemployment benefits. For example, the Secret Service issued an alert noting that a "well-organized Nigerian crime ring is exploiting the COVID-19 crisis by committing large-scale fraud against multiple state unemployment insurance programs, with potential losses in the hundreds of millions of dollars."²⁰ These criminals are reportedly using stolen PII to apply for state unemployment benefits and then relying on money mules, intermediaries often recruited through online romance scams, to receive the illicit money and forward it to them.²¹
• Law enforcement has received reports of scammers offering COVID-19 testing services in order to get Medicare beneficiary information, which they can then use to submit fraudulent medical claims for reimbursement—related or unrelated to COVID-19.²²

While the pandemic may have presented new opportunities for criminals to leverage, fraudsters still rely upon a number of tried-and-true tools to scam victims or gain access to information, accounts, and resources. For instance, they continue to make robocalls, phish for information through emails and social media, install malware on unsuspecting users' devices, and exploit technology vulnerabilities. These scams generally seem to have a cyber component in that they are carried out or facilitated by the internet and evolving technology. In addition, criminals leverage both the surface web and dark web to facilitate these schemes.

Department of Justice Response

With the proliferation of COVID-19 related scams, DOJ has established several specific mechanisms to coordinate efforts to combat them. For instance, DOJ has directed the public to report COVID-19-related scams to the National Center for Disaster Fraud (NCDF), within DOJ's Criminal Division. The NCDF's mission is to "improve and further the detection, prevention, investigation, and prosecution of fraud related to natural and man-made disasters, and to advocate for the victims of such fraud."²⁷ The FBI points potential victims to several reporting systems, including the NCDF and the Internet Crime Complaint Center (IC3), and to reporting directly to the bureau through its tip line or local FBI field offices.²⁸ Federal law enforcement therefore has a number of pathways to receive information about COVID-19-related scams. As Congress examines federal law enforcement's response to the pandemic, policymakers may look to these different pathways to see if they are sufficient to ensure that the full spectrum of reports are being received and that there are means to establish clear jurisdiction over particular crimes.

In addition to providing mechanisms for the public to report information about COVID-19-related scams, DOJ has established several coordinated efforts to counter criminal activity associated with the pandemic. For example,

• the Attorney General requested that each U.S. Attorney's Office establish a Coronavirus Coordinator to serve as a legal counsel for the federal judicial district on COVID-19-related matters, prosecute or aid in the prosecution of COVID-19-related cases, and conduct public awareness and outreach activities regarding COVID-19³⁴;
• the FBI has formed—along with DOJ's Fraud Section and the Small Business Administration's Inspector General—a Paycheck Protection Program (PPP) Working Group to counter fraud against the program. The FBI reported that the working group had identified over $42 million in potential fraud and recovered over $900,000 as of early June 2020³⁵; and
• DOJ's Criminal Division has "engaged in outreach to agencies tasked with implementing and overseeing CARES Act funds to design programs to detect and deter fraudulent conduct in the first instance. They are also coordinating with investigative agencies to identify key indicia of COVID-19/CARES Act related fraud schemes and to make sure information about emerging patterns and practices of fraudsters are shared across the relevant law enforcement community."³⁶

In addition to establishing new efforts to counter COVID-19-related fraud, DOJ can leverage its existing tools to target scammers. As officials have noted, fraud related to COVID-19 is often cyber-enabled in some form³⁷; the section below focuses on DOJ's role in countering cybercrime, including fraud.

DOJ's Role in Countering Cybercrime

Federal law enforcement has the principal role in investigating and attributing cyber incidents to specific perpetrators, and this responsibility has been established within the broader framework of federal cyber incident response. In a 2016 Presidential Policy Directive, the Obama Administration outlined how the government responds to significant cyber incidents—those that are "likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people."³⁸ Responding to cyber incidents involves (1) threat response, (2) asset response, and (3) intelligence support. DOJ, through the FBI and National Cyber Investigative Joint Task Force (NCIJTF), is the designated lead on threat response.³⁹ Threat response involves

conducting appropriate law enforcement and national security investigative activity at the affected entity's site; collecting evidence and gathering intelligence; providing attribution; linking related incidents; identifying additional affected entities; identifying threat pursuit and disruption opportunities; developing and executing courses of action to mitigate the immediate threat; and facilitating information sharing and operational coordination with asset response.⁴⁰

FBI Cyber Investigations

The FBI pursues cybercrime cases ranging from computer hacking and intellectual property rights violations to child exploitation, fraud, and identity theft. Its top priorities involve combating computer and network intrusions and investigating ransomware. The FBI's cyber priorities focus on "high-level intrusions by state-sponsored hackers, global organized crime syndicates, and other technically sophisticated and dangerous actors."⁴⁵ It is unclear which portion of COVID-19 related scams might fall under these priorities.

The FBI leads a variety of law enforcement task forces and partnerships focused on cyber threat response.

• National Cyber Investigative Joint Task Force (NCIJTF). The NCIJTF was established by National Security Presidential Directive-54/Homeland Security Presidential Directive-23 in January 2008. As established, the NCIJTF's mission is to "serve as a multi-agency national focal point for coordinating, integrating, and sharing pertinent information related to cyber threat investigations."⁴⁶ Led by the FBI, the NCIJTF coordinates over 20 U.S. agencies including law enforcement, intelligence, and the military. It also collaborates with the private sector and international partners.
• Cyber Task Forces (CTFs). There is a CTF at each FBI field office. These CTFs focus on local cybersecurity threats, respond to incidents, and maintain relationships with companies and institutions. They also support the national effort to combat cybercrime by participating in national virtual teams on certain cyber issues and providing cyber subject matter experts or surge capability outside of their field office jurisdiction, when needed.⁴⁷
• Cyber Action Teams (CATs). In 2006, the FBI established CATs of agents and computer scientists that can be rapidly deployed around the country or the world to assist in computer-intrusion investigations. CAT members have expertise in various computer languages, forensic investigations, and analysis of malware.⁴⁸
• Cyber Assistant Legal Attachés (ALATs). In addition to domestic field offices pursuing international leads in investigations, the FBI has positioned cyber ALATs in some foreign countries. These ALATs work with law enforcement in host countries to share information, collaborate on investigations, and enhance relationships with partner agencies. They focus on "identifying, disrupting, and dismantling cyber threat actors and organizations."⁴⁹
• Private Sector Partnerships. In addition to the IC3, the FBI has established several initiatives to interface with the private sector and general public regarding cyber incidents. Through these initiatives, the FBI collects and shares information, builds partnerships, and enhances awareness. For instance, the National Cyber-Forensics and Training Alliance (NCFTA) is a nonprofit information-sharing organization that brings together subject matter experts from law enforcement, the private sector, and academia to target cybercrime; it produces unclassified intelligence assessments and develops strategies to mitigate cyber threats.⁵⁰ In addition, InfraGard is a collaboration between the FBI and private sector partners such as business executives, entrepreneurs, computer professionals, academia, the military, law enforcement, and other government officials; the program facilitates information sharing with the goal of protecting U.S. critical infrastructure.⁵¹

A Broad Federal Response

Federal agencies involved in countering COVID-19-related scams are not limited to those within DOJ. DOJ investigates and prosecutes fraud and provides consumer awareness, but federal efforts to counter these scams include agencies in other departments as well. For instance, within the Department of Homeland Security (DHS), U.S. Immigration and Customs Enforcement Homeland Security Investigations (ICE HSI) launched Operation Stolen Promise to bring together the agency's "expertise in global trade investigations, financial fraud and cyber investigations with robust private and public partnerships to disrupt and dismantle this criminal activity [COVID-19 related fraud] and strengthen global supply-chain security."⁵² In addition, ICE HSI works with U.S. Customs and Border Protection (CBP) to prevent smugglers from bringing "fraudulent, mislabeled, and unauthorized COVID-19 related products, such as purported anti-viral products, [PPE], and test kits" into the United States.⁵³ Further, the U.S. Secret Service and its electronic and financial crimes task forces investigate cyber-enabled financial crimes related to the pandemic. The Secret Service, like other federal law enforcement agencies, is also working on task forces specifically designed to counter pandemic-related fraud and conducting outreach with industry partners.⁵⁴

In addition to investigating and prosecuting fraudsters exploiting the pandemic, federal agencies enhance public awareness of potential scams.⁵⁵ The Cybersecurity and Infrastructure Security Agency and FTC, for instance, provide tips to organizations and individuals on avoiding a range of pandemic-related scams. Other agencies provide awareness on industry-specific scams. For example, the Department of Health and Human Services provides awareness on testing, treatment, and Medicare-related scams; the Treasury Department's Inspector General warns about tax-related fraud; and the Social Security Administration warns about scams related to Social Security benefits.

Efforts from DOJ and other entities to counter COVID-19-related fraud involve both prevention (e.g., awareness campaigns) and response (e.g., investigations) activities. As policymakers examine the federal government's efforts to stop these scams, they may question the potential effects of agencies' investments in both prevention and response activities on reducing the prevalence and impacts of pandemic-related fraud. Relatedly, they may look to how the agencies themselves are evaluating the effects of the resources they have placed toward countering these scams.