FBI warns of COVID-19 fraud and phishing schemes

Quick summary

On 20 March 2020, the FBI's Internet Crime Complaint Center (IC3) published a public service announcement warning of dramatically increased COVID-19-related fraud and cybercrime. The PSA documented phishing campaigns with pandemic themes, fraudulent charity schemes, counterfeit medical equipment sales, and malware delivered through fake telework and videoconference offers, urging organizations and individuals to heighten scrutiny of pandemic-related communications.

Fraud Scheme Categories

The IC3 identified multiple fraud categories exploiting pandemic fears and disruption:

• Phishing campaigns: Emails impersonating CDC, WHO, and health authorities containing malicious attachments or credential harvesting links, often using subject lines about safety guidelines, infection maps, or stimulus payments.
• Fake charity schemes: Fraudulent charitable organizations soliciting donations for pandemic relief, vaccine research, or healthcare worker support, with funds going directly to criminals.
• Counterfeit medical products: Sales of fake N95 masks, hand sanitizer, testing kits, and treatments through websites and online marketplaces, often requiring upfront payment for products never delivered.
• Investment fraud: Scams promoting stocks in companies supposedly developing COVID-19 treatments or vaccines, using pump-and-dump schemes.
• Business email compromise: Vendor impersonation and invoice redirection schemes using pandemic supply chain disruptions as pretexts.
• Telework software scams: Fake offers for remote work tools, VPN software, or videoconferencing applications that actually deliver malware.

Phishing Tactics and Techniques

Threat actors rapidly adapted existing phishing infrastructure for pandemic themes:

• Authority impersonation: Emails appearing to come from CDC, WHO, health departments, or employers using official logos and formatting.
• Fear-based urgency: Subject lines warning of nearby infections, mandatory health screenings, or economic impacts requiring immediate action.
• Malicious attachments: Documents claiming to contain safety guidelines, infection statistics, or work-from-home policies that actually contain malware.
• Credential harvesting: Links to fake login pages for health portals, corporate VPNs, or government benefit sites designed to steal usernames and passwords.
• Domain spoofing: Newly registered domains containing COVID-19 keywords designed to appear legitimate at first glance.

Criminal Actor Adaptation

The IC3 observed rapid criminal adaptation to pandemic conditions:

• Speed of pivot: Existing criminal operations rebranded phishing kits and malware campaigns with COVID-19 themes within days of pandemic declaration.
• Scale increase: The volume of pandemic-themed malicious activity far exceeded typical thematic campaign spikes observed during other events.
• Target expansion: Both enterprise and consumer targets faced elevated risk as pandemic affected all aspects of work and personal life.
• Exploitation of confusion: Criminals exploited the general uncertainty and fear surrounding the pandemic to increase social engineering effectiveness.

Enterprise Security Implications

Organizations faced elevated risk across multiple vectors:

• Remote work transition: Rapid deployment of VPNs, collaboration tools, and remote access capabilities created new attack surface often without adequate security review.
• Shadow IT: Employees installing unauthorized applications to support remote work introduced unvetted software into environments.
• Supply chain pressure: Urgent need for personal protective equipment and sanitization supplies made procurement teams vulnerable to counterfeit vendor schemes.
• Reduced oversight: Distributed workforces complicated security monitoring, incident response, and user support.
• Personal device usage: Bring-your-own-device policies expanded as organizations scrambled to equip remote workers.

Recommended Defensive Measures

IC3 and cybersecurity professionals recommended multiple defensive actions:

• Email security improvement: Deploy or tighten email authentication (DMARC, DKIM, SPF), implement sandboxing for attachments, and improve URL filtering tuned to COVID-19 keywords and newly registered domains.
• User awareness: Conduct rapid awareness campaigns about pandemic-themed phishing, verification of donation requests, and reporting procedures for suspicious messages.
• Vendor verification: Validate new suppliers for PPE or remote work equipment through established procurement channels, requiring purchase orders and verified contacts before payment.
• Payment controls: Implement improved verification for payment changes, particularly wire transfers and vendor payment detail modifications.
• Access monitoring: Log and monitor VPN, conferencing platform, and remote desktop access for unusual geolocation, timing, or brute-force patterns.

Reporting and Law Enforcement Coordination

IC3 emphasized the importance of incident reporting:

• IC3 reporting: Organizations and individuals experiencing fraud should report to IC3 at ic3.gov with details about the scheme, communications, and any financial losses.
• Campaign intelligence: Reported incidents help law enforcement track campaigns, identify criminal infrastructure, and issue timely warnings.
• Financial recovery: Quick reporting of wire fraud improves chances of recovering funds before they are moved to criminal-controlled accounts.
• Trend analysis: Aggregate reporting enables IC3 to identify emerging schemes and warn potential victims.

Financial Fraud Indicators

If you are affected, watch for indicators of COVID-19-related financial fraud:

• Unsolicited contacts claiming to represent charitable organizations or government programs
• Requests for unusual payment methods including gift cards, wire transfers, or cryptocurrency
• Pressure for immediate payment without normal verification processes
• Vendors demanding full payment before delivery for high-demand items
• Investment opportunities claiming guaranteed returns from pandemic-related developments

Technical Indicators

Your security team should monitor for technical indicators of compromise:

• Newly registered domains containing COVID-19, coronavirus, pandemic, or relief keywords
• Emails with pandemic-themed subject lines from unfamiliar senders
• Attachments named for safety guidelines, infection maps, or policy documents
• Links to credential harvesting pages mimicking health organizations or government sites
• Malware samples with pandemic-themed filenames or lure documents

Final assessment

The FBI IC3 PSA documented an unprecedented surge in cybercrime exploiting the COVID-19 pandemic. Organizations must recognize that threat actors will continue exploiting pandemic themes as long as they remain effective, requiring sustained vigilance in email security, user awareness, and vendor verification. The rapid criminal adaptation observed during the initial pandemic response shows the need for flexible security programs capable of responding to emerging threat themes.

More on this topic

Further reading from our research library.

Cybersecurity · Credibility 73/100 · April 8, 2020

COVID-19 phishing and malware surge

CISA Alert AA20-099A documents how COVID-19-themed phishing, SMS lures, and remote-work exploits are hammering enterprises, urging security teams to double down on MFA, telework hygiene, and IOC monitoring.

Cybersecurity · Credibility 73/100 · April 22, 2020

DOJ, FBI, and Secret Service cut down hundreds of COVID-19 scam domains

Justice Department, FBI, Secret Service, and domain registrars jointly dismantled hundreds of pandemic-themed scam sites, giving CISOs a roadmap for takedown escalation, cross-sector intelligence sharing, and remote-work…

Cybersecurity · Credibility 88/100 · January 29, 2020

ENISA Threat Landscape 2019 report

ENISA published its 2019 Threat Landscape report highlighting top attack vectors like phishing, ransomware, and supply-chain compromises with recommendations for operators and policymakers. The analysis provides an…

Cybersecurity · Credibility 90/100 · September 19, 2023

CISA Launches Secure Our World Cyber Awareness Campaign — September 19, 2023

CISA’s Secure Our World awareness campaign, launched 19 September 2023, sets four behavioral pillars that boards must fold into governance metrics while security, HR, and privacy teams execute training, technology, and…

Cybersecurity · Credibility 94/100 · January 31, 2026

Ransomware Groups Adopt AI-Generated Phishing and Living-off-the-Land Evasion at Scale

Multiple ransomware-as-a-service operations have integrated large language models into their attack chains, producing highly convincing phishing campaigns tailored to individual targets and automating post-exploitation…

Continue in the Cybersecurity pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Cybersecurity Operations Playbook

  Use our research to align NIST CSF 2.0, CISA KEV deadlines, and sector mandates across threat intelligence, exposure management, and incident response teams.

• Network Security Fundamentals Explained Practically

  A practitioner-focused guide to network security fundamentals covering firewalls, segmentation, IDS/IPS, DNS security, VPNs, wireless security, zero trust architecture, and traffic…

• Small Business Cybersecurity Survival Checklist

  A budget-conscious cybersecurity checklist built specifically for small businesses. This guide covers foundational security policies, network hardening, employee training, phishing…

Coverage intelligence

Published

March 20, 2020

Coverage pillar

Cybersecurity

Source credibility

73/100 — medium confidence

Topics

IC3 · COVID-19 scams · phishing

Sources cited

3 sources (ic3.gov, iso.org)

Reading time

5 min

Source material

1. FBI Sees Rise in Fraud Schemes Related to the Coronavirus (COVID-19) Pandemic — FBI IC3
2. FBI Anticipates Rise in Business Email Compromise Schemes Related to the COVID-19 Pandemic — FBI IC3
3. ISO/IEC 27001:2022 — Information Security Management Systems — International Organization for Standardization