Coronavirus Scams: Phishing, Fake Alerts and Cyberthreats

As new global stories emerge by the hour on the coronavirus, bad actors are (again) trying to confuse online updates with phishing scams and destructive malware. Here’s why action is required now.

Wherever you turn for news coverage online, coronavirus alarm bells are ringing louder.

But users should not trust all of those bells, as fake news, phishing scams and even malware are actively being distributed under the coronavirus umbrella.

Sadly, a perfect storm may be brewing. As government officials and health experts appeal louder for calm, the public is actually getting more worried and searching the Internet for answers. For example:

On Friday, Jan. 31, fears slammed the U.S. stock market, according to Axios. “Stocks saw the worst sell-off in months on Friday: the Dow Jones Industrial Average dropped 603 points (2.1%), while the S&P 500 and the Nasdaq declined 1.7% and 1.5%, respectively. …”

Meanwhile, the BBC reported that the U.S. and Australia have joined Russia, Japan, Pakistan and Italy in closing their borders to all foreign nationals arriving from China. These actions were taken despite conflicting advice from global health officials. "Travel restrictions can cause more harm than good by hindering info-sharing, medical supply chains and harming economies," the head of the World Health Organization (WHO) said on Friday.

At the same time, Bloomberg news reported that China Virus Cases May Be Undercounted Even With 3,000% Surge. “The number of confirmed cases of the new coronavirus in China has skyrocketed to more than 9,000, surpassing the official count during the SARS epidemic. …”


Coronavirus Is a Bonanza for Online Scams and Fake News

As expected, the rapid spread of the coronavirus, along with the expanded media coverage of surrounding events related to this global health emergency, has led to hoaxes and the spread of panic. According to CNN, “In Los Angeles County, public health officials warned residents Thursday that a letter claiming a potential coronavirus outbreak in Carson City is fake. In a suburb north of Los Angeles, a high school in Santa Clarita also issued a statement warning against false social media reports on the coronavirus outbreak.

School districts in San Diego and Arizona are also warning residents about fake images of news stories claiming the coronavirus is spreading locally. …”

Wired magazine beat me to the punch with the Jan. 31 headline: Watch Out for Coronavirus Phishing Scams. Here’s a brief excerpt from that story:

“A sample phishing email from Tuesday, detected by security firm Mimecast, shows attackers disseminating malicious links and PDFs that claim to contain information on how to protect yourself from the spread of the disease. "Go through the attached document on safety measures regarding the spreading of corona virus," reads the message, which purports to come from a virologist. "This little measure can save you."

Email scammers often try to elicit a sense of fear and urgency in victims. It's not surprising that they would attempt to incorporate the coronavirus into that playbook so quickly. But the move illustrates how phishing attempts so consistently hew to certain time-tested topics and themes.”

Even the New York Post wrote a story on how Instagram influencers are exploiting the Coronavirus for clout. The story begins: “Fame-hungry Instagram influencers are using the coronavirus hashtag to gain traction on their most fashionable ‘thoughts and prayers’ posts. …”

And perhaps even more scary, Computer Weekly reported this week that the first coronavirus cyberthreats were seen in the wild. “The malicious files discovered by Kaspersky’s researchers were disguised as pdf, mp4 and docx files about the coronavirus. In each case the filenames implied that they contained useful information on how to protect yourself from the coronavirus, information on how to detect it, and news updates.

In reality, the files contained various threats including trojans and worms capable of destroying, blocking, modifying or copying and exfiltrating personal data, as well as interfering with the victims’ computing equipment or networks. …”

Not to be outdone, IBM X-Force Exchange provided details of how criminals are combining the coronavirus name with Emotet to deliver spam, malware and botnet threats. Specific examples are given at their website, but here are some of their conclusions:  

“The practice of leveraging worldwide events by basing malicious emails on current important topics has become common among cyber criminals. Such a strategy is able to trick more victims into clicking malicious links or opening malicious files, ultimately increasing the effectiveness of a malware campaign.

We have observed several instances of such exploitations in the past and now detected a recent wave, motivated by the outbreak of the coronavirus in China. X-Force discovered the first campaign of this type, in which the outbreak of a biological virus is used as a means to distribute a computer virus. What makes these attacks rather special, is the fact that they deliver the Emotet trojan, which has shown increased activity recently. It achieves this by urging its victims into opening an attached Word document, described as a supposed notice regarding infection prevention measures. …

We expect to see more malicious email traffic based on the coronavirus in the future, as the infection spreads. This will probably include other languages too, depending on the impact the coronavirus outbreak has on the native speakers. In these first samples, Japanese victims were probably targeted due to their proximity to China. Unfortunately, it is quite common for threat actors to exploit basic human emotions such as fear — especially if a global event has already caused terror and panic.”  

More Insights on Coronavirus and Online Deceptions

Several cybersecurity industry experts saw these coronavirus phishing attacks coming several weeks ago. I almost published a major warning blog back in mid-January, similar to this Hurricane Harvey phishing-attack warning, which was highlighted on CNET and by SC magazine and SecureWorld back in 2017. However, I didn’t want to create a self-fulfilling prophecy and give the bad actors more ideas about phishing and malware. Also, the rapid spread and volume of headlines was still unclear at that time.

Nevertheless, the onslaught of online problems has now entered a new stage and must be acted upon by industry, government and media organizations. The risks are now even higher than for most high-profile news events, since this particular situation impacts all global populations and attacks are ongoing.

Some may wonder: How is this situation different from other high-profile news stories? Isn’t this situation similar to other major global events, disasters or catastrophes (like school shootings)? Don’t we always see cybercriminals piggyback onto top media stories and get unsuspecting victims to click on links or download files in order to spread their malware?

Unlike natural disasters, which typically last for a few days or possibly a week as a global top story, the coronavirus facts are changing daily and new warnings and alerts can be expected for weeks, if not many months.

For weather-related emergencies, people trust the National Weather Service and local government actions from police, fire departments, FEMA and even governors. No such clear direction or source is available in this situation.

In addition, unlike March Madness, the Olympics or other events that often bring new phishing attacks, the coronavirus brings many new unknowns with no real precedents in the past five years to compare. Again, many people don’t know where to turn for trusted, up-to-date guidance on many facets of these problems, so they are prone to search for new sources online or even fall for well-crafted email and social media scams.        

Actions Required: What Can Be Done?

Global public- and private-sector organizations need to act quickly to establish relevant communication with their employees, partners and customers surrounding key coronavirus messages. One key goal should be to ensure that trusted channels are established and reinforced via the right messengers — such as top executives. Depending upon what your role and business function include, your actions will vary. However, the need to educate staff, partners, family, wider Internet users and friends is universal.

Here are some specific actions which are highlighted in previous blogs:

First, decide what your messages (talking points) are to different audiences about the coronavirus. Remember that most staff believe that management under-communicates, so governments and businesses need to think hard about policies (like travel), procedures and online behaviors that are expected given their unique situations. Also, articulate where people (including customers) can go for trusted updates and more information over time that impacts their lives — even beyond work.   

Second, visit this blog on Phishing. Here are some topics covered in detail:

1) Provide effective, attractive security awareness training. Security awareness training regarding phishing can be fun. [Note: provide specific coronavirus guidance about phishing and other threats that have been seen by your business or partners.] Make training brief, frequent and focused. Teach staff practical things about phishing campaigns they don’t already know, and let them practice with real examples that are meaningful. …

2) Encourage reporting of phish. Do your employees know what to do when they receive a phish (in any form)? Not clicking or deleting is certainly better than clicking, but reporting is also essential. You want honesty when employees do click, so you can respond quickly and effectively. …

3) Ensure that phishing is about more than just email. Do staff understand that phishing can come from a telephone call or a text message? As discussed earlier, the person sitting next to them can even “phish” for your password.

Third, on the wider issue of building sustainable cybersolutions that will last, you can visit this article on building an enterprise culture of security. Here are five of the seven headline items:

  • Gain Genuine Executive Priority and Support
  • Honest Risk Assessment to Measure Security Culture Now
  • A Clear Vision of Where You Want Your Security Culture to Be
  • Do You Have a Cyber Plan?
  • Clear Cyber Communication to the Masses

You can also utilize tools and messages from industry experts at websites like

Final Thoughts on the Coronavirus and Phishing Attacks

Bloomberg offered this interesting example that describes the difficulty with determining who is infected with the coronavirus:

Jonathan Yu, a doctor at a university hospital in Wuhan, is on the front lines, testing patients for the coronavirus. Accurately spotting the virus isn’t easy and can take several attempts, he said. “A patient may be found as negative for the first or second test, and then found to be positive the third time,” said Yu. “It is like fishing in a pond: You did not catch a fish once, but that does not mean the pond does not have fish.”

One fascinating aspect of phishing and online malware infections (including ransomware) is that the same concept is generally true. If the bad actors are not successful in getting the user to click on coronavirus-labeled content today, they will be back tomorrow with a new technique.

So we all must prepare now and spread the word.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.