How to spot COVID‑19 online scams

The COVID-19 pandemic created new opportunities for bad actors to trick users into revealing their personal information or clicking on malicious links or attachments, unwittingly downloading malware to their computers. These phishing attacks and scams “use both fear and financial incentives to create urgency to try to prompt users to respond,” Google claims.

Common types of scams

Scammers send malicious email messages that ask you either to open an attachment or to click on an embedded link. These types of scams are generally called phishing attacks. The attachment might seem to contain pertinent information regarding the COVID-19 pandemic, but it would, most likely, download malicious software onto your device. This software would enable cybercriminals to take control of your device, access personal and financial information and, even worse, lock up your data and demand a ransom for it.

Falsely representing health organizations

Bad actors may pretend to be health authorities, such as the WHO or CDC, and may offer cures, tests or other COVID‑19 information.

Fake donations

The number of requests for COVID-19 donations has increased. Nonprofits, hospitals and other organizations that ask for money should be checked carefully.

Websites “selling” health products

Sites might claim to sell hand sanitizers, face masks, toilet paper or other in-demand products that would never arrive.

Fraudulent financial offers

Bad actors pose as banks, investors or debt collectors, with “special” offers designed to steal personal and financial information.

Falsely representing government authorities

Some scams claim to issue updates and payments on behalf of the IRS or local government tax authority.

How to avoid being scammed

You can follow these simple suggestions to stay protected and avoid falling victim to these phishing attacks.

Take time to reflect on a request for your personal information and whether the request is appropriate. Do not open unsolicited email from people unfamiliar to you or click on suspicious attachments that you did not expect.

Double-check the email address. Check the sender’s name, email address and whether the email domain – the part after the @ symbol – matches the organization that the sender claims to be from. If not, it is probably a phishing attempt.

Visit websites by typing the domain name yourself. Most businesses use encryption – their address starts with https – and if you receive a certificate error while browsing, consider it a warning sign that something is not right with the website.

Pay attention to wording, tone and terminology. Bad actors could scam a specific person via spear phishing using the receiver’s full name and other personal details. Check for terms and language that are usually expected in the type of email you receive.

Never supply personal or financial information or passwords to anyone via email. Email is considered an insecure way to send data. Remember that most institutions or companies would never ask for your password or other key personal information.

Check links before clicking on them. View your emails in plain text to see each link's actual destination address. If it is not the same as what appears in the email, it is probably a phishing attempt.

Look out for spelling and grammatical mistakes. If you spot any spelling, punctuation and/or grammar errors, it could be a phishing email.

Be careful what you download. Some links might automatically download files after you click on them. If this happens, stop the download process immediately, especially if it’s unexpected, and delete the downloaded files.

Stay away from emails that insist you act now. Phishing emails often try to create a sense of urgency or demand immediate action.

Be wary of third-party sources spreading information about COVID-19. Refer to the official websites for updates on COVID-19. Fraudulent emails can look like they come from a real organization, but legitimate government agencies will never call you or email you directly for this information.

Keep your devices protected. Install anti-spam, anti-spyware and anti-virus software and make sure they are always up to date.
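The "Double-check the email address" and "Check links before clicking" tips above can also be checked automatically. The following Python sketch is an added example, not part of the original article: it compares the sender's domain with the organization the message claims to come from, and each link's visible text with its real destination. The names check_email, host_of, belongs_to and LinkCollector are hypothetical, the sample message is constructed, and a single-part, unencoded HTML body is assumed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Optional scheme and userinfo, optional "www.", then the hostname we compare.
HOST_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?(?:[^/@\s]*@)?(?:www\.)?"
                     r"([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?=[:/?#]|$)", re.I)

class LinkCollector(HTMLParser):  # collects (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):  # "" when the text is not a URL or bare domain
    match = HOST_RE.match(value.strip())
    return match.group(1).lower() if match else ""

def belongs_to(host, domain):
    return host == domain or host.endswith("." + domain)

def check_email(raw, claimed_domain):
    """Warnings for a single-part, unencoded HTML message (assumption)."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    warnings = []
    if not belongs_to(sender, claimed_domain):
        warnings.append(f"sender domain {sender} is not {claimed_domain}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        shown, actual = host_of(text), host_of(href)
        if shown and actual and not belongs_to(actual, shown):
            warnings.append(f"link shows {shown} but goes to {actual}")
    return warnings

# Constructed sample message; the .example domain is a placeholder.
SAMPLE = """From: "World Health Organization" <updates@who-int.example>

<a href="http://login.who-int.example/doc">https://www.who.int/covid</a>
<a href="https://www.who.int/">our home page</a>
"""
```

Calling check_email(SAMPLE, "who.int") returns one warning for the look-alike sender domain and one for the link whose visible text names who.int while its destination is a different host. Links whose text is ordinary wording, such as "our home page", are not compared.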

What to do if you get scammed?

If you do get scammed, you have to act quickly based on the type of attack. Most cyber-attacks are delivered automatically, to lots of people, hoping someone would take the bait. So, if you move fast, you might be able to save your data and accounts.

If you downloaded a file, either from an attachment or a link, your security software should generally flag it if there’s malware behind it. To be sure, update your antivirus and perform a full system scan. If you don’t have any security software installed, download one and perform a scan.

If you entered your login information on a fake website, change it as soon as possible. Having two-factor authentication enabled, if supported, can be a lifesaver in these situations.

If you entered your banking (credit card) information, act as you would if your credit card was stolen and contact your bank immediately, no matter the hour – most banks have a 24/7 anti-fraud line. If you have access to a home banking platform, you should lock or disable your credit card first.

Get involved

The number of COVID-19 related internet scams grows day by day, and protecting ourselves against these types of attacks is both a feasible and essential step. If you receive or fall victim to a phishing attack, you should:

  • Report it to your IT department by forwarding it as an attachment
  • Delete the email and clean your computer
  • Notify the organization being spoofed in order to prevent other people from being victimized.

Learn with Attack Simulator

One of the best ways to stay protected from online cyber-attacks is to be able to identify and avoid them. We provide the tools for comprehensive security training, with real-life simulations and just-in-time learning, designed to help both novices and experts improve their security awareness.