Home of internet privacy

How to spot Covid-19 phishing and ransomware attacks

NOTE: This post was originally published on April 7, 2020

Spring is normally the time when tax-related phishing scams spike, spurious emails might promise tax rebates to unwitting recipients. This year, the seasonal scam has taken an insidious turn.

Phishing attacks relating to Covid-19 shot up by 667% in March compared to February. These attacks have taken different forms, from phishing emails that claim the recipient has been in close contact with someone who has Covid-19 to malicious apps and documents that purportedly have information about the pandemic but install malware on your device.

Hospitals, which are no stranger to ransomware, have also been targeted, which has forced at least one hospital to shut down and relocate patients. Worse yet, the hospital, Brno University Hospital in the Czech Republic, was carrying out Covid-19 testing.

It seems like these phishers have hit a real sweet spot. People staying and working at home means they might not be working under the same online security protections usually provided by their office network. Compounding this with the fear, stress, and uncertainty the pandemic has brought means that people are also more prone to falling victim to these attacks.

How to spot a phishing attack: a quick checklist

We’ve previously written about how to defend against phishing attacks, but here’s a quick checklist of things to look out for in an email that you suspect is a phishing scam.

If you can answer yes to any of these questions, the email could be a phishing attempt. If something seems off, it probably is. Mark it as spam and delete it from your inbox. Do not reply, click any links or download and open attachments.

[Learn more about protecting your privacy and security online. Sign up for the ExpressVPN blog newsletter.]

Be especially careful with companies that you interact with regularly—brand impersonators and imposters are rampant, so err on the side of caution. It can feel tedious, but tedium is better than the costly alternative. When in doubt, find a secondary channel to verify the authenticity of the email, such as by phone, social media or instant messenger.

These scams don’t always take the form of an email, if you receive a text message or a shared link from a friend or family member that’s encouraging you to download a new coronavirus app, or to donate to a charity that only accepts Bitcoin, Venmo or Paypal, you should refrain from replying.

Going directly to the source of what you’re looking for, be it a dashboard showing the number of cases, or a website containing the latest guidance from your country’s respective health authority, is one way to avoid clicking on malicious email links.