Cybercriminals are exploiting the coronavirus outbreak through a variety of phishing campaigns. These schemes are meant to steal valuable financial or personal information or introduce malware into company computer networks.
Hackers are sending malicious e-mail seemingly from trusted sources, such as the U.S. Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO), or they are doctoring e-mail messages to appear to be internal, according to cybersecurity firms monitoring the attempts.
The CDC and WHO have both published warnings about coronavirus phishing scams.
Cybersecurity provider Check Point Software Technologies has flagged over 4,000 coronavirus-related domain names registered since January 2020 and determined that many of those sites will be used in phishing campaigns. Fake coronavirus maps loaded with malware have also been found.
The spread of the virus has prompted employers to send a lot more messages to their workforce about response plans, travel restrictions and remote-work policies.
"Hackers see the opportunity," said Joseph Lazzarotti, an attorney in the Morristown, N.J., office of Jackson Lewis. "Hackers [are] trying to capitalize on fears employees have about the COVID-19 crisis and what their employers are doing to respond. They target employees who, in the current environment, might be more likely to respond to an executive's e-mail seeking action on a coronavirus-related topic."
The amount of malicious e-mail tailored to the viral outbreak has grown exponentially since late January, according to Proofpoint, a cybersecurity firm in Sunnyvale, Calif. Sherrod DeGrippo, Proofpoint's senior director of threat research and detection, said that her team has observed the number of phishing campaigns increase from about one campaign a day to three or four a day.
Some examples of recent phishing campaigns include:
- Phony alerts from the CDC or other health organizations claiming to link to local coronavirus cases and other information updates.
- Fake messages from WHO offering prevention advice in attachments and embedded links or appealing for donations to a disaster-response fund.
- Communications appearing to come from internal sources announcing workplace policies to download, fake forms to complete with personal information or malicious links to click. "Employees may, for example, receive fake e-mails purporting to be information from management about coronavirus," Lazzarotti said. "The hacker might assume an executive's identity and apparent e-mail address for the purpose of sending what appears to be a legitimate request to address a critical business need surrounding the virus's outbreak."
How to Avoid Falling Victim to Phishing
Employers can use firewalls, web filters, malware scans or other security software to hinder phishing attempts, but the best defense is employee awareness, Lazzarotti said. "It's a good idea to remind employees about this threat [and provide] guidance for avoiding these attacks."
Here are some tried-and-true cybersecurity tips:
- Scrutinize the e-mail sender. Some phishing e-mail has come from "cdc-gov.org," rather than "cdc.gov." Likewise, all legitimate e-mail from WHO will come from addresses with the domain name "who.int." You can also hover your mouse over links to see where they lead, even if the e-mail appears to be from the right address. Remember that even legitimate e-mail can be compromised.
- Don't click links. Instead, try retyping the address in a browser window.
- Be careful with attachments, especially if you don't recognize the sender or the e-mail appears suspicious.
- Don't open unsolicited e-mail from people you don't know.
- Be aware that spelling and grammatical mistakes can be red flags.
- Be wary of generic greetings, such as "Dear Sir."
- Avoid e-mail that demands immediate action.
- Beware of requests for your personal information, passwords or login credentials.
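As an added illustration of the first two tips (this is example code written for this page, not code from the article or from SHRM), the Python snippet below performs the two checks a reader is told to do by hand: it flags a sender domain that borrows the CDC or WHO name without being cdc.gov or who.int, and it flags links whose visible text names one host while the underlying href leads somewhere else. The allowlist, the brand labels and the sample message are assumptions constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

LEGIT_DOMAINS = {"cdc.gov", "who.int"}  # exact allowlist of the real domains named in the article
BRAND_LABELS = {"cdc", "who"}           # suspicious when found as a label in any other domain

def is_lookalike(domain):
    """True for domains such as cdc-gov.org that trade on an agency name."""
    if domain in LEGIT_DOMAINS:
        return False
    # Split on dots and hyphens: 'cdc-gov.org' yields the label 'cdc', 'whoever.com' does not.
    return bool(BRAND_LABELS & set(re.split(r"[.-]", domain.lower())))

def host_of(url):
    """Hostname of a URL or bare URL-like text, lowercase, without a leading www."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().removeprefix("www.")

def mismatched_links(html):
    """(href, text) pairs where the visible text names one host but the href goes elsewhere."""
    # Simplified anchor extraction, adequate for the constructed sample; not a full HTML parser.
    anchors = re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S)
    return [(href, t) for href, t in ((h, t.strip()) for h, t in anchors)
            if "." in t and " " not in t and host_of(t) != host_of(href)]

def triage(raw):
    """Findings for one RFC 5322 message; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2]
    if is_lookalike(domain):
        findings.append(f"lookalike sender domain: {domain}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for href, text in mismatched_links(body.get_content()):
            findings.append(f"link text {text!r} actually points to {host_of(href)}")
    return findings

# Constructed sample modelled on the article's cdc-gov.org lookalike; not a real message.
SAMPLE = """\
From: "CDC Alerts" <alerts@cdc-gov.org>
Subject: Updated coronavirus cases in your area
Content-Type: text/html; charset="utf-8"

<p>See <a href="http://cases-update.example.net/login">www.cdc.gov/coronavirus</a></p>
"""
```

Running `triage(SAMPLE)` returns both findings; a message from a real who.int address whose link text and href agree returns an empty list.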
"In the event your business is a victim of such an attack, it needs to be prepared to respond," Lazzarotti said. "This may require steps such as investigating the nature and scope of the attack, ensuring that the attackers are not still present in its systems, determining whether notification is required under applicable state law to individuals and state agencies, and helping employees whose personal information may have been compromised."
For the most up-to-date information about the coronavirus, bookmark reliable sources, such as the CDC and WHO websites or SHRM's resource page on the outbreak.