Blog/Expert Analysis/

3 different COVID-19 phishing scams you should know about

Apr 06, 2020

Security experts warn that hackers are exploiting people's concerns over COVID-19 to create fake charities, steal money, and snatch personal data. We'll explain the type of tactics hackers are using and ways to notice a scam as soon as you see it.

Why COVID-19 makes a fertile ground for scams

In a time of crisis, we often feel lost and search for answers. This is where hackers set their trap. They create websites that address our concerns and claim to solve our problems. So it's no surprise that hackers saw an opportunity in the current pandemic.

Every day, hundreds of new scams go live, and we must stay alert. Every email, website, or call should be considered as a potential threat. That doesn't mean that your mother-in-law sharing COVID-19 news on Facebook makes her a hacker's asset. But you should stay aware that scammers often use unsuspecting victims to spread their message.

What is a phishing scam

Phishing is a type of online scam where hackers create emails and websites pretending to be authoritative people and companies. Fake websites can look almost the same as the real ones, while such emails often contain malicious attachments. The rise of phishing scams circling "hot topics" is nothing new. However, the scams shift to exploit areas where the law enforcement and the public are less focused on.

For instance, one of the COVID-19 schemes involves scammers going door-to-door, pretending to be workers of the Center for Disease Control (CDC). In response, the NYPD Crime Prevention Division sent out an alert to the public on Twitter:

Update on #Coronavirus scams. Be aware that @CDCgov is absolutely NOT going door to door to check on people or offer virus testing. It's a Scam. More info on Coronavirus Scams from @FTC here: @NYPDChiefPatrol @NYPDCommAffairs @NYPDDetectives @NYPDnews

In an attempt to execute their ploy, the hackers will go a long way. While most phishing emails are generic (“You won the lottery" or "Please check your order"), the others may be very specific. Hackers can use your real name, your workplace, your achievements, and more to appear more legitimate.

This applies to websites, too. Hackers can recreate reputable brand websites identical to the real ones, except for the address. Scammers may include a spelling error in the URL or even an extra word to represent a branch of the company.

For example, could become or However, making such detailed scams cost scammers time and money. As a result, cheaper, not-so-detailed scams that target as many people as possible are much more common. This is also true with COVID-19 scams. There are three types of phishing scams that have been on the rise in the last couple of months.

Types of phishing scams

There are many types of phishing attacks, but the COVID-19-related scams tend to fall under a few categories. Below, we describe the three most common phishing scams today: fake products and services, attacks on personal information, and raising money through non-existing charities.

Selling fake products

Hackers are using the public's health concerns to sell fake COVID-19 products. While the approach varies from robocalls to websites, the claims are often similar. Beware of remedies that claim to prevent the coronavirus, test for it, or treat it. However, the list is much wider. Anything that's in high demand, like sanitizers, masks, gloves, and more, can be used in these fake schemes.

Stealing your personal information

Scammers won't always try to sell you products. Stealing personal information to sell or use in another attack has been proven to produce results, and hackers don't see any reason to stop. Email is the most common method to execute these scams. Beware of emails and websites that claim to have groundbreaking COVID-19 information. Most will urge you to either click on a link, download a document, or install a piece of software on your computer.

In recent attacks, hackers tried to install malware on victims' computers named setup_who.exe and covid19_informer.exe. While these specific attacks were exploiting router vulnerabilities through fake websites, you're just as likely to find these types of messages in your inbox.

Pretending to raise money for COVID-19 victims

Hackers have no shame. Recent ransomware attacks targeting hospitals leave no doubts. That's why it is not surprising that people's generosity and willingness to help fight the COVID-19 pandemic is also exploited. Government agencies have warned the public about the fake Coronavirus charities and non-profits.

What makes it worse is that these scams can take any form. You can be approached in the street or via social media, they may create a fake charity or say that they're representing a real one. If you want to make sure that your donations reach those they're meant for, always donate through a charity website or call their dedicated phone number. Genuine charities rarely send their volunteers door-to-door. They will also never ask you to pay via prepaid cards, cryptocurrency, or a wire transfer.

How to spot a COVID-19 phishing scam

The pandemic will pass, and hackers will amend their attack plans to fit the new age. They will find a new cause people care about, a new vulnerability to exploit. But there is some good news. While unique attacks pop up occasionally, the core of most of the phishing scams hasn't changed for years. And ways to protect yourself from them also don't change much.

  1. Don’t reuse passwords. One of the reasons why phishing attacks are so successful is that details of one account can often give a hacker access to dozens more. All because of weak, repeating passwords.
  2. When you see a sensational headline, question the source. It's always better to fact-check with government agencies and the World Health Organization. And if it sounds too good to be true, it probably is.
  3. Remember that everything you put online can be used against you. Be mindful of what you post online and protect your important data with encryption. Even if you need to put files on the cloud, encrypt them first with NordLocker. That way, you are sure that neither cloud providers, nor hackers can access your data without your knowledge.
  4. Email remains widely used for scams. Before clicking on links or downloading attachments, double-check the sender's address.
  5. Be extremely careful with scammer favorite email headlines like "Please confirm your information", "Check your invoice", "Suspicions activity in your account", and "Your payment is ready".

Phishing scams are too profitable to hope they end soon. On the contrary, they will increase and become more sophisticated. Awareness is one of our weapons in this fight.

If you know anyone is likely to be vulnerable to phishing attacks described above, please share this article by clicking on the social buttons below!

John Sears

John Sears

Verified author

John believes that the best things in life are simple. He uses the same approach when he’s writing about online security. John says that his #1 pet peeve is phishing scams. Ironically, his favorite non-work related activity is fishing.