How to protect yourself from coronavirus phishing threats

The worst disease of the century brings out the worst in people as phishing attacks increase to unprecedented levels. Here's how to spot and avoid COVID-19 phishing attacks.

Detecting phishing attempts  >  A magnifying lens spots a hook trying to catch a fish.
Andreus / Getty Images / Clker-Free-Vector-Images

I just got an e-mail from the World Health Organization (WHO) asking for a donation to help fight coronavirus. It looked good. It sounded good. It was a fake. Asking for a donation in Bitcoin set off my alarm. Anytime, anyone asks you for Bitcoin in an email they're trying to scam you. We may get sick, but phishing, the art of conning people via email or texts, is as healthy as ever.

So, as we face the deadly threat of coronavirus, you should know that there's no situation so awful that someone won’t take advantage and make it even worse by using it to steal from people. According to network security firm Barracuda Networks, there's been a steady rise in the number of COVID-19-related email attacks since January. But, in March, Barracuda researchers say they've seen a recent spike, 667%, in Coronavirus phishing messages.

To be exact, from March 1 to 23, researchers detected 467,825 spear phishing email attacks, and 9,116 of those detections were related to COVID-19, representing about 2 percent of attacks. That doesn't sound like much, but in February, 1,188 coronavirus-related email attacks were detected and only 137 were detected in January.

Phishing thrives on fear. "Although the overall number of these attacks is still low compared to other threats, the threat is growing quickly," Barracuda said in a statement.

Paul Walsh, CEO of Metacert, which makes a web browser extension that warns you of dubious websites, agreed. "For malicious people, preying on collective fear and misinformation is nothing new. Mentioning national headlines can lend a veneer of credibility to scams. We've seen this tactic time and again, so it's no surprise that COVID-19 themed social media and email campaigns have been popping up online."

[ Related: What your business can do about the coronavirus ... right now ]

Simultaneously, cybersecurity company Check Point announced that crooks are registering malicious coronavirus-themed websites. Since January 2020, there are over 4,000 new sites containing words like “corona” or “covid.” Check Point estimates these new Coronavirus-themed domains are 50 percent likely to be dangerous. I’m surprised the percentage isn’t higher.

That said, they're not all bad sites. Rob Ragan, principal researcher at Bishop Fox, a security firm specializing in offensive security testing, said, "[Although] thousands of new domains are being registered to opportunistically garner COVID attention online. A lot of them are legit, a lot are trying to make money from selling merchandise or supplies." That said, many of these "are fraud or phishing sites."

Another security firm, RiskIQ, found no fewer than 317,000 new dubious websites were created with coronavirus-related keywords during the two-weeks between March 9 and 13. And, it's not slowing down any. RiskIQ is providing a constantly updated list of suspicious coronavirus sites. The company is spotting tens of thousands of new dubious sites every day.

Does that sound paranoid? It's not. As the saying goes, "You're not paranoid if they really are out to get you."

COVID-19 phishing basics

Most, but not all, phishing messages tell a story. Anytime you get an email, text, or instant message (IM) with any of the following traits, be very careful.

First, don't trust any message that looks like it's from a company you already do business, which tells you your account has had suspicious activity, needs an updated credit-card number or has had unauthorized login attempts. All that may be true, but if the message then asks you to login in via a website within the message to resolve the issue, odds are you're being scammed. Other variations of this include presenting you with a demand you click on a link to make an immediate payment, get a refund, or offer you free stuff.

You should also never follow up on an email asking for your personal information. No honest email is going to ask for your Social Security number or login information. Never, ever respond to such an email with your personal data.

Some phishing messages will appear real because they sound like it's from someone or some company that already knows facts about you. That's because with numerous corporate data hacks, such as 2017's Equifax breach, most of us already have much of our personal data out there on the dark web.

For example, many extortion messages will tell you that they have incriminating video or information about you and "prove" it by showing you an old password. They didn't get it by hacking your computer. They got it from one of those many data breaches. 

And, let's not forget, if you're on Facebook or the like, it's not hard at all to find out where you went to school, that your dog's name is Spot, and what your favorite flavor of ice cream is. Remember, a message that looks questionable probably is, just because it contains a random fact or two about you, doesn't mean it's trustworthy.

Spotting phishing messages

The easiest way to spot phishing messages is if they start with "Dear user” or “Dear [your email address]." Real business emails either skip a salutation or address you by your first and last names or by your business name. Any "dear user" message is from a loser.

Another quick way to spot bogus messages is to look at the From email address field. Usually, but not always, the address is subtly wrong. For example, PayPal, the most frequently abused company by phishers, proper email address ends with "" But, you'll often see phishing messages from fake addresses such as If an address doesn't look exactly right, delete it.

Next, look at the message's web link. Hover over the link with your mouse pointer. Does the address look right? If, for example, you get a message from Amazon warning you that your account is about to be suspended, and when you hover the link instead of you see something like Those are always fake, dangerous websites and you should never click on them.

Worried that maybe a message that looks a bit dodgy was real? Then, contact the company via a normal route. Just, whatever you do, do not connect via a link within the message.

Another way to spot a scam email is if it contains poor spelling and grammar. I subscribe to the theory that these blunders are a ‘filtering system.’ If you can't spot the mistake, the idea goes, you're likely to miss the attack hidden within the message as well. Be that as it may, if a message looks like the sender failed high-school English, don't open it. 

Still, another common way of messing you is to include an attachment containing some kind of malware. Lately, I've been seeing a lot of fake invoices containing a dose of poison. Any time you get an attachment from anyone, unless you know for certain it's safe, don't open it. Instead delete the message and move on.

Not sure about a message that looks like it's from a coworker or friend? Ask yourself, "Were we expecting an email from them?" Or, ask them via a different medium, such as a phone call, Slack message, whatever, to verify that they had indeed emailed you.

Finally, Walsh warns that simply because a site is encrypted with HTTPS doesn't mean it's a trustworthy site. "Over 93 percent of all phishing sites classified by MetaCert start with HTTPS."  All HTTPS means is that data transmission to and from the site is encrypted. It has nothing to do with being able to trust the site's data.

Detecting coronavirus phishing

In addition to identifying generic phishing attempts, there are also ways of spotting coronavirus-specific phishing messages.

First, as the Electronic Frontier Foundation (EFF) points out, if "an email sounds too good to be true (“New COVID-19 prevention and treatment information! Attachment contains instructions from the US Department of Health on how to get the vaccine for FREE”), it probably is." Let me get even more specific. There will be no cure, no vaccine, no miracle fix, no radical new treatment from a local doctor, for coronavirus. Anyone telling you otherwise is lying or trying to sell you something.

If you get an email demanding you do something about coronavirus right now -- (URGENT: COVID-19 medication shipment blocked. Please accept order here to receive medication) -- it's not real. If someone needs to do something immediately about the virus, they're not likely to be doing it via an email.

There are also many phishing messages purporting to be from the World Health Organization (WHO), Center for Diseases Control (CDC), and US Centers for Disease and Prevention warning you of new dangers or wonderful cures and to learn more just click <Here>. I won't say they're all fake, but I haven't seen a real one yet.

What makes this particularly villainous is such messages, claiming, for instance to provide vital information about how to prevent and treat COVID-19, are being directed at doctors, nurses and other medical professionals. They, like you, must be wary of messages that appear real, but aren't.

An especially insidious version of this appears to be from medical suppliers. These claim a delivery can't be made without some action by a hospital staffer to complete the order. With hospitals running out of ordinary, but vital medical supplies such as rubber gloves and N95 masks, and looking for them from any possible source, this kind of phishing has much too high a chance of succeeding.

Such messages typically contain links that lead to malicious code. Malwarebytes Labs reports that some Coronavirus phishing messages will give you a case of AzorUlt malware. Once in place, it will scan your computer for more data, pass it along to a botnet command and control server. Then, once it has information it can use, it can then download and execute more malicious code, such as ransomware

So far, so normal, but Krebs On Security has found some attackers use the Johns Hopkins University coronavirus map to make its poisoned messages look trustworthy. The moral of the story is that coronavirus phishing messages are especially good at fooling even the practiced security eye.

Finally, it's not just your computer that's in danger. DomainTools recently reported a new  Android ransomware app that pretends to be a coronavirus update application. This one came with a mistake, which rendered it mostly harmless. Others won't. When someone sends you a message containing a link to a great new COVID-19 phone app, be careful of it. Don't download it via the message. Go to your app store and get it from there.  

5 tools to help you beat coronavirus phishing

If you can't trust your own eyes -- and with as much stress as we're now under you can't -- you need other tools to keep you safe. These include the following:

1. PC security software: Antivirus programs can help block phishing attacks. Set your program to update automatically, so it can deal with any new security threats. As I pointed out, there's a constant flood now of new coronavirus phishing sites.

2. Use email server anti-phishing services: These can stop bad messages before users are ever exposed to them. Among others check out GFI MailEssentials, Sophos Phish Threat and Barracuda Email Security Gateway.

3. Use cloud-based services to scan for and detect phishing: Such services include INKY and Metacert. These use white-listing approaches, which block unknown and potentially dangerous messages and sites, while letting traffic from known trustworthy sites through.

4. Switch your Domain Name Server (DNS) setting to a DNS service which provides filtering: Some DNS systems, including CleanBrowsing, OpenDNS, SafeDNS and Quad9, automatically attempt to block questionable sites. With these, you literally can't go to a bad site.

Armed with these tools you should be OK. This is a rough time, but with care and due diligence, you and your systems will make it through OK. Good luck and stay safe.