Social Engineering Takes Center Stage Amid COVID-19 Sitreps as Cyber Scams Reach Pandemic Proportions

By Jennifer Lyn Walker

With multiple COVID-19 updates per day from myriad sources, scammers are predictably using every conceivable (and even inconceivable) lure to hide their cyber attacks in plain sight. As tensions and anxiety are heightened, so are expectations and searches for situational reports and information on the virus (transmission, spread, potential cures, supplies, quarantines, restricted travel, stay at home or “lockdown” orders, financial relief, etc.) Since we live in a digital world, most people seek and obtain that information online. Malicious cyber actors also follow the online news cycle and sources and acutely understand the digital messaging organizations are disseminating. Attackers continue to use likenesses we trust with subjects we expect or that promote a sense of urgency to entice us to open phishing emails, click on fake websites/advertisements, or spread disinformation campaigns – all pretending to be trusted and authoritative sources.

The travesty of tragedies. Malicious actors are taking advantage of a rich new target set, people (notice I didn’t say computers) who are new to working remotely, including many who may be lax in their personal cybersecurity practices. These vulnerable users are now being required to work from home and connect their insecure devices to business networks. Likewise, similar to vacation and holiday seasons when cybersecurity/IT staff may not be immediately available, an uptick in cyber attacks and scams are likely to be met with less resistance and slower response during this time. So, while we may be increasing our safety at home from contracting COVID-19, we are increasing our risk posed from cyber threats. As a recent post by cybersecurity firm Cybereason aptly states, just because you’re home, doesn’t mean you’re safe.

With few exceptions – some ransomware actors/groups have reportedly stated they would not attack healthcare targets during the crisis – cyber actors are predictable and unscrupulous. For years they have leveraged numerous tragedies to wage attack campaigns. But these attacks are not high-tech strategies that target computers and networks; these attacks are often not even blocked by filters, and are subsequently delivered to inboxes, or otherwise rely on curious clickers to execute. These attacks are non-technical psychological methods designed to elicit an action based on an emotional stimulus. These attacks are socially engineered to target people. As stated by one of the world’s most notorious hackers, Kevin Mitnick (now Chief Hacking Officer at KnowBe4), it is easier to get someone to “reveal” something than it is to “hack” into their computer system.

Phone, texts, emails, websites, social media, oh-my! Miscreants are not leaving an attack vector unturned. They are creating thousands of COVID-19 related scams and malware sites per day, contacting people by phone and email, and posting disinformation and rumors on social media platforms. The ploys are the same, but the deluge is unprecedented. The lures are carefully crafted to prey on our current state of heightened emotions, specifically curiosity, anxiety, and fear. Furthermore, our tendencies to overreact, believe, and pass on everything we hear/read without validating only proliferate these scams. For a few examples of COVID-19 based scams too numerous to mention, visit Tripwire’s COVID-19 Scam Roundup and Flashpoint’s COVID-19 Key Developments.

Stop the spread. Some domain registrars have begun blocking the registration of domains with ‘coronavirus’ and ‘vaccine’ in the name, but it just isn’t enough.

  • No better time than the present. Minimize cyber risk through proactive positive cyber hygiene. Now is the time to address cyber hygiene with your staff who are remotely supporting your organization. Furthermore, with business continuity plans enacted with staff working remotely, there is no better time than the present to enhance technology monitoring and ensure that virtual private networks and other remote access systems are fully patched, as recommended by the U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) in a March 6 advisory.
  • Trust but verify. With countless organizations providing daily COVID-19 status updates and situational reports, it is crucial that we trust but verify before opening any emails or other messaging, including ones that appear to be from legitimate or authoritative sources.
  • Think before you click. The scams and fraud attempts are counting on our tendencies to react and believe everything we hear/read without stopping to think or validate the information.
    • If you did not actively subscribe to receive emails from one of the “authoritative” sources such as the CDC, WHO, or other federal, state, or local government authority, they will NOT randomly email you; therefore, consider any coronavirus-themed email you receive malicious, or at the very least suspicious and delete/discard it.
    • Refrain from broadly searching the internet for coronavirus-related information. Even when visiting authoritative websites, check the links for misspellings or incorrect domains (for example, an address that should end in a “.gov” ends in .com” instead). Remember, there are no safe websites, only less risky ones.
  • Practice safe browsing. IC3 recommends, if you are looking for accurate and up-to-date information on COVID-19, the CDC has posted extensive guidance and information that is updated frequently. The best sources for authoritative information on COVID-19 are and

While it is understandable that we are all watching the physical trends and doing our part to stop the physical spread of COVID-19, it is important to remember we also play a vital role to stop the spread of and maintain social distance from the coronavirus-themed scams, malware, disinformation, and rumors.

Jennifer Lyn Walker is a cybersecurity professional with over nineteen years’ experience supporting critical infrastructure and SLTT governments. As Director, Cybersecurity Services for Gate 15 and FB-ISAO, she advises and consults on cyber threats related to homeland security for critical infrastructure and vital lifeline sectors, including WaterISAC and for commercial facilities. She is experienced in malware analysis, threat assessments, cyber threat intelligence, compliance, and cybersecurity awareness.

Our team includes security updates in our free daily paper, the Gate 15 SUN., which presently includes abundant updates on the impacts and threats associated with the ongoing COVID-19 pandemic.