COVID-19 Scams and False Rumors

Scams About Stimulus Checks

  • Scams may use phrases such as “stimulus check” or “stimulus payment.” The official term is economic impact payment.
  • Scammers may ask you to sign over your payment in exchange for additional funds.
  • Scammers may contact you by phone, email or text message asking to verify personal or banking information to speed up your economic impact payment. The IRS will not call you asking you to verify financial information to expedite a payment.
  • Scammers may mail you a fraudulent check and ask you to call or verify information online in order to cash it.

False Rumors

There are many false statements, sham treatments and damaging rumors about COVID-19 and its treatment. Learn what's true and what's not from the Federal Emergency Management Agency (FEMA).

CISA logoScams

The United States Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA), and the United Kingdom’s National Cyber Security Centre (NCSC) put out a joint statement on April 8 about increasing attacks worldwide.

The following information is based on their statement, edited for simplicity, and to add context.

In Brief:

Beware of emails or text messages:

  • with subjects containing COVID-19, Coronavirus, etc.
  • from someone who sounds important, like the World Health Organization, or a Doctor
  • they may contain a link to a malicious website, or a malicious attachment

Beware of apps:

  • that purport to give COVID-19 information
  • they may download malicious software to your tablet or phone

Make sure your teleworking software:

  • has the latest updates
  • is configured properly to ensure the highest level of security

See a video from the Middlesex District Attorney


Cybercriminals are using the pandemic for commercial gain, deploying a variety of ransomware and other malware.

Malicious cyber actors rely on basic social engineering methods to entice a user to carry out a specific action. These actors are taking advantage of human traits such as curiosity and concern around the coronavirus pandemic to get users to click on links, open attachments, and provide personal information. They do this by sending malicious, or "phishing", emails or text messages, or creating malicious apps.

Phishing emails

NCSC's top tips for spotting a phishing email:

  • Authority – Is the sender claiming to be from someone official (e.g., your bank or doctor, a lawyer, a government agency)? Criminals often pretend to be important people or organizations to trick you into doing what they want.
  • Urgency — Are you told you have a limited time to respond (e.g., in 24 hours or immediately)? Criminals often threaten you with fines or other negative consequences.
  • Emotion — Does the message make you panic, fearful, hopeful, or curious? Criminals often use threatening language, make false claims of support, or attempt to tease you into wanting to find out more.
  • Scarcity — Is the message offering something in short supply (e.g., concert tickets, money, or a cure for medical conditions)? Fear of missing out on a good deal or opportunity can make you respond quickly.

Examples of phishing email subject lines include:

  • 2020 Coronavirus Updates
  • Coronavirus Updates,
  • 2019-nCov: New confirmed cases in your City
  • 2019-nCov: Coronavirus outbreak in your city (Emergency)

They may appear to be from an authority, such as:

  • the World Health Organization (WHO)
  • an individual with “Dr.” in their title
  • an organization’s human resources (HR) department

Malicious file attachments containing malware payloads may be named with coronavirus- or COVID-19-related themes, such as “President discusses budget savings due to coronavirus with Cabinet.rtf.”

Some emails contain a call to action, encouraging the victim to visit a website that malicious cyber actors use for stealing valuable data, such as usernames and passwords, credit card information, and other personal information.

Phishing for credential theft

If the user clicks on the hyperlink, a spoofed login webpage appears that includes a password entry form. These spoofed pages are designed to look legitimate or accurately impersonate well-known websites, such as Google or Microsoft, or government websites.

If the victim enters their password on the spoofed page, the attackers will be able to access the victim’s online accounts, such as their email inbox. This access can then be used to acquire personal or sensitive information, or to further disseminate phishing emails, using the victim’s address book.

Phishing for malware deployment

A number of threat actors have used COVID-19-related lures to deploy malware. In most cases, actors craft an email that persuades the victim to open an attachment or download a malicious file from a linked website. When the victim opens the attachment, the malware is executed, compromising the victim’s device.

For example, an email may seem to be from someone in authority, and contain an Excel spreadsheet containing a malicious macro, or a batch file which downloads and installs malicious software.

Read more from CISA about avoiding phishing attacks.

SMS Text Message Phishing

Most phishing attempts come by email but NCSC has observed some attempts to carry out phishing by other means, including text messages (SMS).

Historically, SMS phishing has often used financial incentives—including government payments and rebates (such as a tax rebate)—as part of the lure. Coronavirus-related phishing continues this financial theme, particularly in light of the economic impact of the epidemic and governments’ employment and financial support packages.

Malicious Smartphone Apps

Malicious apps may lead to a phishing website, or the downloading of malware, including ransomware.

For example, a malicious Android app purports to provide a real-time coronavirus outbreak tracker, but instead attempts to trick the user into providing administrative access to install "CovidLock" ransomware on their device.

(Both the Google Play Store and the Apple Store test and verify apps before allowing them to be published, but that is not a guarantee of safety.)

Exploitation of New Teleworking Infrastructure

Many organizations have rapidly deployed new networks, including VPNs and related IT infrastructure, to shift their entire workforce to teleworking.

Malicious cyber actors are taking advantage of this mass move to telework by exploiting a variety of publicly known vulnerabilities in VPNs and other remote working tools and software.

Malicious actors have taken advantage of known vulnerabilities in software from:

  • Citrix
  • Pulse Secure
  • Fortinet
  • Palo Alto

Make sure that the teleworking software you are using has the latest updates.

Malicious cyber actors are also seeking to exploit the increased use of popular communications platforms—such as Zoom or Microsoft Teams—by sending phishing emails that include malicious files with names such as “zoom-us-zoom_##########.exe” and “microsoft-teams_V#mu#D_##########.exe”

Tips for defending against online meeting hijacking

  • Do not make meetings public. Instead, require a meeting password or use the waiting room feature and control the admittance of guests.
  • Do not share a link to a meeting on an unrestricted publicly available social media post. Provide the link directly to specific people.
  • Manage screensharing options. Change screensharing to “Host Only.”
  • Ensure users are using the updated version of remote access/meeting applications.
  • Ensure telework policies address requirements for physical and information security.

See CISA alert about VPN security

Information from the Middlesex County District Attorney