Cybercriminals use Hurricane Ian as lure for scams, theft of FEMA funds
Jonathan Greig October 16, 2022

Cybercriminals use Hurricane Ian as lure for scams, theft of FEMA funds

Jonathan Greig

October 16, 2022

Cybercriminals use Hurricane Ian as lure for scams, theft of FEMA funds

Scammers are using the crisis faced by victims of Hurricane Ian to steal government funds and personal information, according to experts at several cybersecurity companies.

Hurricane Ian — the deadliest hurricane to strike the state of Florida since 1935 — directly caused the death of at least 137 people and $67 billion in insured losses. Thousands of people were displaced by the destruction caused by the category 4 hurricane.

But as recovery efforts coalesce, Cofense principal threat advisor Ronnie Tokazowski said he has seen evidence showing scammers are going after relief funds available to those in need from the Federal Emergency Management Agency (FEMA). 

One of the images shared by the scammers. (Tokazowski)

Tokazowski said a colleague in Nigeria shared screenshots with him of hackers speaking on WhatsApp about ways to steal disaster relief assistance. The screenshots show scammers instructing people of ways they can file fraudulent claims on DisasterAssistance.gov.

“In the first image, scammers instruct other scammers to select the option of ‘Hurricane/Hail/Rain/Wind Driven Rain’ as what type of damage occurred, and to select the option of ‘Tornado/ Wind’ damage,” he said. 

“In total, the documents and images shared by scammers are a total of 23 different steps, each of which details what to say, how to fill out the application, and what type of information can be used to file a fake claim. To note, the social security numbers (SSN) that are being used could be stolen, bought from the internet, or a variety of either.”

The scammers also use a platform called “ssn-check.org” to check whether the stolen SSNs are verified and when they were created. In some cases, scammers may use romance-based schemes to get SSNs from victims, according to Tokazowski, who added that with the amount of information freely available on the dark web, there is little reason for attackers to pivot and start phishing for account information.

Tokazowski noted that the scammers typically use the same IP address and email account to submit their claims. 

Another screenshot shared by the scammers. (Tokazowski)

FEMA did not respond to requests for comment but Tokazowski told The Record that they have been in contact with the Secret Service, which told them that the agency is aware of the scams. 

He noted that Nigerian groups like Scattered Canary have been stealing FEMA funds since 2018 and did significant damage stealing funds dispersed during the COVID-19 pandemic. 

According to Tokazowski, while many of the groups launching these scams are based in Nigeria, they have money mules or accounts in the United States that are used to launder and wire the stolen money.

Contractors and donations

Several other cybersecurity experts confirmed that they too are seeing a wide array of scams related to stealing funds meant for Hurricane Ian victims. 

INKY’s Bukar Alibe said they have seen phishing scams related to the recent hurricane that originate from free mail senders like gmail.com and outlook.com. 

“One campaign was sent to 112 recipients with the subject line of “RE; your family relatives who died during the last Hurricane.!!!” and a display address of “Natural Disaster Center.’ We have also seen the Red Cross and Small Business Administration being impersonated in phishing emails that claim to provide relief,” Alibe told The Record. 

“All had no links and attachments so it’s an assumption that phishers are using social engineering to get the recipient to reply back or call a phone number.”

SlashNext CEO Patrick Harr explained that they are seeing thousands of scams and credential stealing attacks. 

Many are scams centered around offering contractor services like painting, repair and clean-up. 

Dr. Francis Gaffney, senior director of threat intelligence at Mimecast, explained that scammers are also exploiting generosity in relation to the hurricane, sending spoofed emails containing URL links to cloned or fake charity websites that can be used to harvest user credentials, and financial data.

Gaffney and Harr urged those affected by the hurricane to be wary of sharing personal information with anyone. People should input any web address into the search bar and confirm that checks are undertaken to guarantee the authenticity of any organization and their online presence, Gaffney explained.

Both also warned of people being contacted by scammers alleging to be from the government, with Gaffney suggesting people look for the “.gov” tag to make sure an email address or website is legitimate. 

“People that reach out to say they are government agencies are not likely to be legit and giving personal information to contractors or insurance adjusters is not wise,” Harr said. 

“The best course of action is to initiate the contact or conversation yourself and check with government agencies, insurance companies and contractors to verify credentials, legitimate URLs and phone numbers.”

UPDATE: FEMA Press Secretary Jeremy Edwards told The Record that it is common to find people who want to “take advantage of survivors by posing as official disaster aid workers or as relatives trying to help survivors complete their applications.”

“FEMA encourages survivors to be aware of fraud and scams. We also encourage survivors to report any suspicious activity or potential fraud from scam artists, identity thieves and other criminals,” he said.

“Survivors should also be aware that this kind of situation doesn’t happen only at the beginning of the response to the disaster when people might be more vulnerable. It can happen anytime. It is important to know that FEMA does not endorse any commercial businesses, products or services.”

Edwards noted that federal and state workers never ask for or accept money and always carry identification badges. There will never be a fee required to apply for or to get federal disaster assistance, Edwards explained.

He specifically warned of housing inspectors impersonating FEMA and fake offers of local or federal aid, adding that everyone should be cautious if somebody asks for your nine-digit registration number.

FEMA inspectors will never ask for banking or other personal information such as a Social Security number. Victims are urged to ask alleged officials to show their identification badge.

“Don’t trust someone who asks for money. Federal and local disaster workers do not solicit or accept money. FEMA and U.S. Small Business Administration staff never charge applicants for disaster assistance, inspections or help in filling out applications,” FEMA explained.

“Don’t believe anyone who promises a disaster grant and asks for large cash deposits or advance payments in full. Use licensed or verified local contractors backed by reliable references. Don’t pay more than half the costs of repairs in advance. Demand that contractors detail the job to be done with guarantees in writing.”

Edwards said hurricane victims should monitor official government channels on social media or cable news and report any scams they come across to the FEMA Disaster Fraud Hotline at (866) 720-5721.

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.