Cyber criminals looking to exploit the COVID-19 pandemic are developing new approaches to infiltrate the systems of individuals and organizations that may already be more vulnerable to attack during this time, the most prevalent of these being phishing scams. Hackers can use information gained from an attack to access the corporate network, peruse an individual’s personal accounts, or download ransomware onto a device, requiring users or businesses to pay the ransom in order to regain access.
Three Phases of Attacks
In recent weeks, there has been an explosion of COVID-19-themed phishing schemes. The first phase started toward the end of February and continued into early March. It mainly involved spoofs of the CDC (Centers for Disease Control), WHO (World Health Organization), and a few other reputable authorities, including HR departments within targeted organizations.
Malicious actors then began experimenting with new schemes to find the most successful approach. This second wave demonstrated that attackers were seriously committed to exploiting the chaos and growing hysteria over the spread of the virus by rapidly developing a larger library of phishing templates.
The newest phase has recently surfaced with cyber criminals re-purposing a wide variety of older phishing emails tweaked to prey on the multitude of employees working from home who are nervous and perhaps distracted enough to fall victim to an attack.
A Nationwide Response
The U.S. is putting federal muscle into protecting businesses against the onslaught of attacks, encouraging businesses to implement cyber risk management strategies. The FBI is now warning against phishing emails related to charitable contributions, general financial relief, airline refunds, fake cures, testing kits and vaccines.
Furthermore, on March 18, 2020, U.S. Attorney Trutanich announced the appointment of a COVID-19 fraud coordinator to lead investigations into known and suspected occurrences of financial fraud related to the nation’s ongoing public health emergency.
Education is Key Defense
Education remains the best defense against malicious online schemes. The more individuals hear about the widely reported COVID-19-themed phishing emails, the better informed their choices will be about how to navigate the messages flooding their inboxes. Forbes has compiled an ongoing list of known scams to help educate people.
Another way organizations can protect themselves and their employees is by implementing services that run phishing simulations, which help identify where more education and training are needed to avoid falling victim to such schemes.