Stephanie “Snow” Carruthers: May 11, 2020

IBM Security Research Reveals Unprecedented Increase in COVID-19 Themed Scams, and Insights on How to Protect Yourself

IBM’s ethical hacking team provides insights on protecting consumers and small business owners from cybercriminals, while staying informed during the pandemic


Stephanie “Snow” Carruthers

Chief People Hacker, IBM X-Force Red



As COVID-19 continues to upend normal life, consumers and businesses are being bombarded by varying information, changing policies and resources for relief, from stay at home orders, to stimulus checks and small business loans. As consumers seek clarity on what options apply to them and the steps they need to take to keep their households and businesses afloat, cybercriminals are capitalizing on their fear and uncertainty. In fact, since the World Health Organization (WHO) declared the COVID-19 outbreak a pandemic in early March, IBM X-Force has observed a more than 6,000% increase in COVID-19 related spam. Cybercriminals are targeting confused consumers and vulnerable small business owners with lures capitalizing on the challenges and concerns that individuals are facing – from phishing emails impersonating the Small Business Association (SBA) to U.S. banking institutions offering relief funds. Given this, how can consumers and business owners stay alert and safe from hackers during this time?


IBM Security and Morning Consult conducted the 2020 Consumer & Small Business COVID-19 Awareness Study, that was designed to better understand how effective phishing attempts exploiting the global health crisis could be. The survey revealed respondents’ lack of understanding in regard to the legitimate channels that government institutions use to communicate with constituents, as well as small business owners’ uncertainty of the resources made available to them by the government. Some key highlights from the study include:


  • Alleged Emails from the IRS Aren’t Raising Red Flags – Over 35% of respondents expect to hear communication from the IRS by email, despite years of warnings from the IRS, law enforcement agencies and the security community, that the IRS will never email an individual about their tax filing.
  • Small Business Owners’ Confusion Grows ­– Only 14% of small business owners feel very knowledgeable about the process to get access to the government’s small business loan relief program, despite the continuous guidance that government officials have been offering.
  • Stimulus Checks and COVID-19 Testing Become the Perfect Click-Bait – Over half of respondents said they would click on links or open attachments in emails pertaining to their stimulus check eligibility. Available COVID-19 testing nearby was the second most enticing topic that respondents would engage with.


We are making IBM’s Stephanie “Snow” Carruthers available to discuss the results from the study, detail how consumers can better identify phishing attempts, and tips and insights to stay alert. Stephanie, who goes by her hacker alias, Snow, is a member of IBM’s X-Force Red team, and is a well-renowned social engineer, or “ethical hacker,” who uses her skills to help people stay protected and informed.


For more information please visit:


More About Stephanie “Snow” Carruthers: 

Stephanie Carruthers (known by her hacker alias, Snow) specializes in social engineering – thinking like a criminal in order to “hack” the human psyche, creating ruses to lure them into divulging sensitive information or taking an action. Cybercriminals use this tactic for their advantage, helping them tailor a more targeted cyberattack or even gain physical access to a secure facility. Fortunately, Stephanie hacks humans in order to help businesses find and fix their security holes, as part of IBM’s X-Force Red. 


Companies hire X-Force Red to break into their networks in order to find the security flaws that exist in their technology, processes, and staff awareness. For Snow, this means gathering information that has been overshared on the web, using her social engineering skills to go “vishing” (voice phishing) for additional intel on the phone, and even creating and using fake badges, costumes, and other tricks of the trade to get inside a company’s physical location. Snow also finds information that can help the team hack a company’s computer network; such as passwords on sticky notes in the background of a YouTube video, photos of security badges with employee info displayed or laptop screens showing the types of software a company uses.



Speak Your Mind