Scammers Tap COVID-19 Fear

By: Ken VanAllen, Senior Consultant at Sikich

And just like that, we were all reminded of how quickly everything can change. COVID-19, the coronavirus disease caused by the SARS-CoV-2 virus, has impacted the lives of almost everyone in the country and the world. However, some things never change, like the danger of phishing and clickbait attacks. Millions of us are hunkered down in our homes and distracted by the news, the daily changing economic landscape, the kids, and what for many is a new way of working from home. All of these factors make for a target-rich environment for online scammers.

Phishing schemes feature emails that are carefully crafted to mimic those sent out by banks, service providers like Amazon or Netflix, or employers, and are designed to trick recipients into divulging information that can be used to compromise their accounts. Clickbait scams present the unwary with leading information, sometimes true, in order to get a web user to navigate to a site that either gathers sensitive information or downloads a malware payload in an attempt to take control over a computer or the applications running on it.

Preying on COVID-19 Fear

Of course, attackers are not taking a break during this crisis. On the contrary, they are working overtime! That’s because the primary tool in the online criminal’s toolbox is fear. Fear is the ultimate distraction. Human beings are hardwired to respond to fear automatically, and this instinctual response has to be trained out of us. Cybercriminals prey on this vulnerability by getting our attention—telling us something dire will happen without immediate action.

We’ve all seen emails with messages like:

“…your account has been suspended for suspicious activity and will be permanently disabled in 24 hours unless you review the activity and reactivate your account. To reactivate your account, visit our website at…” 

“…your car payment is more than 90 days overdue. If we do not hear from you immediately, we will be forced to start repossession actions against you…” 

“…click here to learn more about how you can protect your family from online predators…” 

These messages all take on the same form:

  • Lead the reader to believe that something bad is about to happen or has already happened.
  • Prompt the reader for immediate action (lest things get even worse).
  • Steal information or download a malware payload (or both).

The entire process is designed to induce action before the user has a chance to question the validity of the message or consequences of their actions.

COVID-19 Scams

COVID-19 presents scammers with the opportunity of a lifetime. Not in at least a generation have so many people been in such a panic. This fact is not lost on attackers. Examples of scams already reported include:

  • Attempts to sell bogus COVID-19 cures and preventative treatments;
  • Work-from-home scams targeting the newly unemployed;
  • Investment scams directed at those seeking to protect their life savings from market volatility; and
  • Malware sites purporting to fast track payment of government relief money.

At times like these, we should all be on heightened alert for phishing and clickbait scams with COVID-19 themes. Take the opportunity to remind your staff and associates to maintain a healthy skepticism:

  • Check the sender and sending address on every email.
  • Don’t click on anything until you have validated the links and know them to be to trusted sites.
  • Watch for grammatical errors. Many scam communications are created by non-native speakers.
  • If you are unsure if an email or web link is safe, call your help desk for further assistance.

Consider taking advantage of a slower work environment or downtime to provide extra training to employees.

Things are already stressful enough. Don’t make them worse by falling for well-timed social engineering attacks and COVID-19 scammers.


Ken VanAllen is a Senior Consultant at Sikich skilled in IT and security strategy, software development and life cycle management, risk management, compliance assessments, and business continuity planning. In addition to the Payment Card Industry Data Security Standard, Ken is well versed in private and government security standards, including the National Institute of Standards and Technology 800 series and the International Organization for Standardization 27000 series. His expansive skill set, and his experience working in a diverse set of organizations, allows him to offer a unique perspective to clients as they work to implement security practices and controls. Ken has a Bachelor of Science degree in Computer Science and is a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Payment Card Industry Qualified Security Assessor (QSA) and Qualified PIN Assessor (QPA).