
As worries about the novel coronavirus and COVID-19 mount, cybercriminals are racing to capitalize on those fears with phishing emails designed to steal your personal information and your money, security experts say.

The FBI, Secret Service, and World Health Organization have all recently issued warnings.

With more and more people working from home this month, cybercriminals eager to gain access to corporate computer systems have joined the fray, too.


Many of the emails, which often appear to be sent by WHO or the Centers for Disease Control and Prevention, pretend to offer new information about the virus.

Some hint at the availability of a vaccine, and others claim to be from charitable organizations looking to raise money for victims.

Although the ploys are “depressingly familiar” to those well-versed in phishing emails, they come at a time when people worldwide are particularly vulnerable, says Eric Howes, principal lab researcher for KnowBe4, a cybersecurity company focused on phishing prevention.

“When people are distracted, concerned, and extremely motivated to get information," he says, "you can’t count on them to notice things they might have in calmer times.”



To complicate things, plenty of legitimate coronavirus-related emails are circulating right now, making it easier to float malicious ones without drawing attention. Human resources departments are reaching out to employees about working from home, schools are updating parents on precautions and canceled events, and businesses are trying to ease customer concerns.

In research shared by email, Tatyana Shcherbakova, senior web content analyst for the cybersecurity company Kaspersky, notes that the phishing emails designed to mimic those from the WHO are particularly convincing.

So consumers need to be vigilant and use common sense before clicking on an email about the coronavirus outbreak. If a claim sounds too good to be true, it probably is.

"If you are promised a vaccine for the virus or some magic protective measures and the content of the email is making you worried, it has most likely come from cybercriminals," Shcherbakova writes.

Here’s a closer look at how to avoid coronavirus phishing scams. 

How the Phishing Scams Work

According to Howes, his company detected its first coronavirus-themed phishing email—a spoof on missives from the Centers for Disease Control and Prevention—in early February. A month later, a half-dozen versions of the email were circulating. All directed recipients to fake forms or a website designed to steal log-in credentials.

Cybercriminals have since crafted emails that appear to be from company HR departments. Like the CDC phishing emails, those also prompt the receiver to reveal log-in credentials.

For cybercriminals, captured log-ins and passwords are valuable, because they can be used to commit financial fraud or impersonate a legitimate user and access corporate computer networks.

Access to a consumer email address may be enough to reset key passwords for banking and other financial accounts.

The coronavirus-themed email above was made to look like it was sent by the CDC.
Photo: KnowBe4

Not all the emails seek credentials, though. Some distribute malware. In one version, discovered by KnowBe4 researchers, the author asks for help finding a “cure” for coronavirus, urging people to download software onto their computers to assist in the effort.

The download contains a virus capable of monitoring all activity on the device. And if that computer is logged into a business network, an attacker could, potentially, move throughout the system sweeping up information.

For many cybercriminals, gaining access to corporate computer systems is the chief goal. But, Howes says, consumer devices are enticing, too, noting that people have been keeping more of their most private information on personal computers these days, and cybercriminals are adept at monetizing that. 

How to Avoid Getting Scammed

Here are some additional tips from digital security experts.

Think before you click. Howes says the best thing consumers can do to protect themselves is just slow down. If something doesn’t seem right about an email, just delete it—ideally before you open it. You’re better off not taking the risk.

Examine the link. Before you click on a link, try hovering your mouse over it. This will reveal the full address, which can expose signs of fraud. A “.ru” on the end, for example, means the site was created in Russia; “.br” means Brazil.

Misspellings in URLs are another good tip-off to a fake website. If the URL says corronaviruss.com, it's best to avoid it. And if you get an email advertising a great deal on masks or hand sanitizer at a major retailer, open a window in your browser, search for the retailer’s web address, and compare it with the one in your email.

Don’t assume that a website is legitimate just because its URL starts with “https.” Criminals like to use encryption, too.

Don’t open attachments. They may contain malware. And you should never type confidential information into a form attached to an email. The sender can potentially track the info you enter.

Guard your financial information. Be wary of emails asking for account numbers, credit card numbers, wire transfers, and failed transactions. There’s no reason to share such info via message or an unsecure site.

Turn on auto updates. This goes for your computer, smartphone, and tablets. Up-to-date antivirus software goes a long way toward stopping malware.

Use security tools. Install an antivirus program on your device, and keep it up to date. You can also use a website reputation rating tool, which comes in the form of a browser plugin, to warn you if you try to go to potentially dangerous websites. Cybersecurity companies such as McAfee, Kaspersky, and NortonLifeLock offer them. But keep in mind that these tools aren’t foolproof.
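
The "Examine the link" checks above can also be run automatically over an email's HTML. The sketch below is an added example, not something from the article or the experts quoted in it: it compares the address a link displays with the address it really points to and flags near-misspellings of sites you trust. The TRUSTED list, the function names, and the sample message are all assumptions made for illustration.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the reader's own list of sites they really expect mail from.
TRUSTED = {"cdc.gov", "who.int", "coronavirus.gov"}

class LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a> tag
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def site(host):
    # Simplification: last two labels; production code needs the Public Suffix List.
    return ".".join((host or "").lower().rstrip(".").split(".")[-2:])

def check_link(href, text):
    """Warn on displayed-vs-real address mismatch and on lookalike names.
    The https scheme is never treated as a sign of trust."""
    flags, dest = [], site(urlsplit(href).hostname)
    if "." in text.strip(".") and not any(c.isspace() for c in text):
        shown = site(urlsplit(text if "://" in text else "//" + text).hostname)
        if shown != dest:
            flags.append(f"text shows {shown} but link goes to {dest}")
    if dest not in TRUSTED:
        name = dest.split(".")[0]
        for good in sorted(TRUSTED):
            if SequenceMatcher(None, name, good.split(".")[0]).ratio() >= 0.8:
                flags.append(f"{dest} resembles {good}")
    return flags

def scan(html):
    parser = LinkCollector()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}

# Constructed sample message body (not a real phishing email).
SAMPLE = """<a href="https://cdc.gov.account-verify.example/login">https://www.cdc.gov/coronavirus</a>
<a href="https://corronaviruss.com/masks">Mask deals</a>
<a href="https://www.who.int/emergencies">WHO updates</a>"""
```

Calling scan(SAMPLE) returns one warning each for the first two links and none for the third. An empty result only means neither check fired; it does not prove a link is safe.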