With the spread of novel COVID-19 across the globe, there’s
been a growing spike in digital scams including phishing and
malware activity. Threat actors are ramping up their efforts
and leveraging public fear and interest in the disease for
How Are Scammers Taking Advantage of COVID-19? How Can
Security Awareness Help?
There are currently over 40,000 domain names using the word
COVID-19, many of which are fake websites disguised as
dedicated healthcare reporting sites, according to domain
security research groups. Many threat actors claiming to be
associated with the World Health Organization (WHO) and
other reputable medical and healthcare agencies are
providing communications and news stories that appear valid,
but include malicious links and downloadable apps that
install malware. People’s panic and curiosity to know more
enables attackers to use their malicious motives under the
cover of catchy news bytes.
The Federal Trade Commission has reported the loss of $13.4
million due to COVID-19 related scams in 2020. Everyday,
Google blocks about 18 million COVID-19 related spam emails.
Scam calls (also known as vishing) are getting more
convincing with the help of artificial intelligence. Reports
state that nearly $19.7 billion was lost to vishing attacks
in the year 2019, and experts believe this number will only
increase during the pandemic.
What COVID-19 Scams Are Being Reported?
The COVID-19 related attacks that hackers use take advantage
of a wide range of psychologies during the pandemic and
Phishing with blood/plasma/saliva from COVID
survivors: These dangerous substances found "for sale" on the
web are being spread through phishing emails. This is
highly dangerous if hackers are successful. In addition
to money lost, there is a potential health risk and
possible spread of infection.
Expedited stimulus checks: Though the
U.S. government has promised to provide stimulus checks
to all citizens, in many cases the process of sending
the money has been slow. Hackers, in their phishing
emails, are promising to expedite the process.
Fake COVID-19 miracle cures and testing kits: Threat actors
are sending phishing emails about
coronavirus cures and tests that are not approved by
Tech support scams: As millions of
employees are now working from home, tech support scams
are on the rise. Vishing (phone) attacks are at the core
of such scams and tend to extract critical information
about your computer.
Financial phishing: With a hurt economy
and financial sector during lockdown, there has been a
greater abundance of phishing emails promising no-risk
Mimicking a boss using artificial intelligence
Vishing attacks are spoofing people to appear as if the
call is coming from a boss or coworker. AI allows
hackers to study previous conversation and mimic voice,
speech pattern, and tone.
Phony small business loan sites: As
many small and medium businesses are suffering due to
the pandemic and on verge of closing, fake sites
offering business loans have also emerged as phishing
Donation scams: As many legitimate
groups are collecting donations for much needed causes
during the pandemic, fake charity donation sites are on
the rise. This has become the most common type of
phishing attack as it is often difficult for individuals
to differentiate between real nonprofits and phony
The attempt to prey on the altruistic nature of people is
causing real damage. Incidences like the phishing email
reported by The Sydney Morning Herald requesting bitcoin
donations from hackers disguised as CDC volunteers, is one
In the wake of such attacks, the World Health Organization
(WHO) has released a notice regarding phishing and other
WHO never asks for your username or password to access
disease and safety related information.
- It never mails attachments you did not ask for.
It never asks you to visit a link outside of who.int.
It never charges money to apply for a job, register for
a conference, or reserve a hotel.
It never conducts lotteries or offers prizes, grants,
certificates, or funding through email.
What Is phishing?
phishing attacks are the foundation for a majority of
advanced and potent malware attacks. Though follow-up
attacks form the important part of any cyberattack, their
ability to cause damage to a system depends upon the success
of the phishing scam. Every day Google blocks more than 100
million phishing emails (related to coronavirus and other
topics) as hackers try to steal money and personal
How Is Phishing Typically Done?
Whaling: Whaling is the next step up in
spear phishing attacks, targeting senior executives and
other high-profile employees in an organization, such as
managers or above.
Spear phishing: Personalized phishing
attempts created for a specific person or organization
are called spear phishing. Unlike regular phishing,
threat actors generally conduct reconnaissance,
gathering information about their victim in order to
look less suspicious and increase their probability of
Clone phishing: Clone phishing is a
type of phishing attack involving extensive
reconnaissance into previously delivered emails or
attachments, and the phishing email is developed based
on that. Once leaked, the email or documents are used to
create an identical or cloned email. The attachment or
link from the previous email is then replaced with a
malicious URL or malware, and then sent from an email
address similar to the original domain. It appears as a
resend of the original or a follow up.
Link manipulation: As mentioned above,
the method of using technical deception to make a link
appearing to belong to the legitimate organization is
defined as link manipulation. Misspelling the URLs or
using subdomains are the most common ways to administer
malicious websites into the phishing process. Another
common trick is to make the displayed text for any link
as legitimate using hypertext markup language, i.e, when
you scroll over to the link it displays the trusted
Filter evasion: It is essential for
phishing emails to evade mail filters that generally
mark them as spam. The general evasion method involves
clone phishing or use of images instead of text, hence
making it harder for anti-phishing filters to detect
them, as they commonly rely on the word in their
repository classified for phishing and spams.
Website forgery: As the name suggests,
website forgery occurs when scammers create fake
websites that look exactly like the original, sometimes
the malicious website to that of the original. Sometimes
existing flaws in a trusted website's scripts are used
against it by the attackers to hijack the webpage. These
types of attacks are also known as cross-site scripting
and prompt the user to sign in at the legitimate web
page, where everything from the web address to the
security certificates appears correct but in reality the
website is embedded with malicious software, making it
very difficult to identify without professional
Covert redirect: Covert redirect is a
more sophisticated method of phishing attacks that makes
use of a legitimate website, but eventually redirects
the user to a malicious website. Sometimes the malicious
browser extensions are used to redirect users to
phishing websites covertly.
Social engineering: Social engineering
involves social reasons to prompt a person to click on
malicious links or attachments. For example, COVID-19
has aroused the interest of many people in reading news
and updates related to healthcare, and in response, many
threat actors have developed fake news, blogs, health
updates, or maps to lure people into clicking those
Voice phishing: Not all phishing
attacks require a fake website or email. Calls or
messages that claim to be from a bank or a legitimate
organization prompting the users to reveal their account
numbers, PIN, password, etc., could be termed as Vishing
or voice phishing.
How to Mitigate Phishing Attacks with Security Awareness?
The prevention of phishing for a non-technical person is
improved with anti-phishing education and awareness provided
by many reputable organizations such as OhPhish, which
provides education and training for an organization’s
employees against phishing attacks. Only understanding
phishing theoretically is not sufficient because, even if a
person knows phishing is done via malicious/spam emails, one
cannot possibly differentiate between a benign and malicious
email. Thus, practical experience of phishing attacks and
how to tackle them is very helpful. OhPhish solutions
provide virtual simulations for phishing attacks by sending
employees phishing emails and monitoring their response to
it, based on their result-tailored education and mitigation
As the user her/himself is the first line of defense against
any cyberattack, the know-how to tackle phishing attacks is
highly important. Anti-phishing education could not only
help to educate the employees of any organization on ways to
recognize and tackle phishing emails, but offer the advice
and training of security experts along the way. The training
of IT people regarding different types of phishing modes can
be done as:
Precautions to follow for remote workers on cloud and
Compilation of security policies and guidelines that
help in educating workers on phishing.
Educating IT security professional on handling and
mitigating phishing attacks.
Training for security responsibilities in the event of
Training assistance through a demo simulation for
real-time phishing attacks.
How to Avoid Phishing Attacks with Cybersecurity Awareness
Do not open any suspicious emails that you have not
- Check the domain name at the end of the mail id.
Always use the customer care numbers from official
Do not visit any website that does not have https: at
Regularly scan your email and PC with antivirus or
Reconfirm all money related emails or calls with
appropriate authorities such as banks or government