Email scammers are taking advantage of coronavirus fears to impersonate health officials and trick people into giving up personal information

In this Feb. 16, 2020, photo, runners, some wearing masks, compete in a Kumamoto castle marathon in Kumamoto city, western Japan. Organizers of the Tokyo Marathon set for March 1, 2020 are drastically reducing the number of participants out of fear of the spread of the coronavirus from China. The general public is essentially being barred from the race. (Kyodo News via AP)

Associated Press

  • Security researchers have identified multiple phishing scams that aim to capitalize on people's fear of COVID-19, the disease caused by the Wuhan coronavirus.
  • Scammers pose as authorities like the Centers for Disease Control or World Health Organization in order to trick people into handing over their personal information.
  • The WHO has released an advisory warning people to avoid fraudulent emails about coronavirus.

As the death toll from the coronavirus outbreak continues to rise, online scammers are using email phishing schemes in an attempt to profit from people's confusion and fear surrounding the virus.

Security researchers have identified multiple phishing scams in which attackers pose as authorities like the Centers for Disease Control and Prevention or the World Health Organization in emails, offering information about the virus in order to trick victims into downloading malicious software or handing over their login credentials.

While the coronavirus outbreak constitutes a world health crisis, experts have warned against unnecessary panic, arguing that misinformation is causing an overblown response to the disease.

A scam identified by security firm Trustwave Holdings spreads false claims that the virus has spread to victims' home cities, then prompts users to enter their email passwords in order to read more information. Another scam teases similar information, then uses malicious links to direct victims to a fake Microsoft Outlook portal that harvests credentials.

The World Health Organization released an advisory last week urging people to stay on the lookout for phishing scams related to coronavirus. A CDC spokesperson did not immediately respond to Business Insider's request for comment.

Here's how the scams work, and the steps the WHO recommends to avoid falling for them.

Check the sender's email domain and see if it matches the website of the organization they say they work for. Then, check the URLs included in the email.

In this scam documented by Trustwave, the scammer purports to be from the CDC, but uses an email from a domain other than cdc.gov and includes misleading links that lead to a different site when clicked.

Don't trust login pages with unfamiliar URLs.

The malicious link in this scam directs users to a fake Microsoft Outlook login screen to steal their credentials — the unfamiliar URL is a tell.

When in doubt, copy and paste URLs into your browser rather than clicking hyperlinks directly.

In this case, when the misleading URL is copied and pasted from the email instead of clicked, it shows that the page doesn't actually exist.

Don't give in to scams that make you feel pressured to act quickly.

Scammers highlight the language of emergencies to make victims act more quickly. The WHO has urged people to resist giving in to panic and to think twice about whether an email looks legitimate. If the information is supposedly public, there's no reason to submit login credentials in order to see it.

If you already handed over sensitive information, change your passwords now.

Don't panic if you believe you've already given your login credentials to a fraudster — change all your passwords to online accounts now, and set up multifactor authentication whenever possible.