COVID-19 has offered hackers a whole new set of schemes for their phishing attacks, and 2020 was a record year for phishing. More than 60,000 phishing websites were reported in March 2020, and by mid-April 2020, Google’s Threat Analysis Group reported 18 million COVID-19-themed malware and phishing emails per day. What’s even more unfortunate, Security Boulevard’s blog reports, “97% of the users are unable to recognize a sophisticated phishing email.”

What once were simply email requests, often with laughable grammar and spelling, have morphed into a variety of sophisticated attacks. Among the specialized types, spear phishing targets individuals or specific groups such as a company’s system administrators. Whaling targets the biggest fish in the tank, CEOs and CFOs. Smishing uses text messaging (SMS), and vishing uses voice calls instead of email.

Trying to keep up with the evil geniuses is difficult. Consider this new strategy for hiding the malware in a phishing attack. ITProPortal reports, “In a display of bewildering creativity, cybercriminals have started using Morse code to conceal password-stealing malware.” The dots and dashes of the code don’t appear in the message. The email has an HTML attachment that looks like an Excel invoice, but when the victim clicks the file, it opens a browser that displays something that looks like Excel with a pop-up asking for their Microsoft Office password. Normally, most email security would flag the document, but “the script in the HTML file is written in Morse code. Further down, another script calls a decodeMorse() function that decodes the code...and then another script that decodes it into two JavaScript tags.” The tags get displayed on the screen, and the reader can click on them, surrendering his or her personal password. ITProPortal says that 11 companies have been targeted so far by this Morse code hack.


COVID EMAILS

The most effective phishing emails are carefully designed to look authentic and sometimes create fear over a matter falsely created by the attacker. A panic response is ideal because it bypasses both thought and suspicion.

In a recent blog posting, the Cupertino, Calif., cybersecurity company Armorblox examined examples of tailored COVID phishing attacks. Here are three of them:

  1. IRS COVID relief phishing: The subject in the email was “IRS Covid Relief Fund Update,” and it claimed to have an important document about your relief fund check. When you clicked on the link, you were presented with a SharePoint form that asked for personal information—Social Security number, driver’s license number, and tax numbers. The SharePoint page was legitimate, and email security filters didn’t block it. The page belonged to an employee of the Reproductive Medicine Associates of Connecticut, which Armorblox said was likely compromised by the attackers. The page has since been taken down.
  2. IMF COVID compensation scam: Similar to the IRS scam, this attack used an email with the subject line, “Re: IMF Compensation/REF27453.” The body read, “You have been shortlisted for the 2020 IMF COVID-19 Compensation, reply for more details.”

     This time, the International Monetary Fund is cited. Instead of a link, the email asks for a reply, which bypasses email security filters that might catch and block unknown suspicious links. The attackers added a fake email thread of some 125 other beneficiaries who are sharing your good fortune. Some clues about authenticity that might be overlooked are grammatical errors and misspellings and a “reply-to” address that’s different from the “from” address. The errors are: “I understand these is your work email” and “You should proceed and effect further communication towards there compensation rewards (those on the thread).”

  3. COVID test results scam: This email claims to be an automated message from a doctor’s office with your test results. The email body reassures the victims by including a fake password/PIN that will allow only them to see the results when they click on its link. When they do, however, they’re asked to “update” their information, and a malware-infected RAR (compressed) file is downloaded onto their computer.

Armorblox ends the review of the phishing emails with some advice. Set up two-factor authentication on all personal and business accounts, and subject questionable emails to careful scrutiny. When unsure, verify via phone call or text.
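The “reply-to” clue from the IMF example can be checked mechanically before a message reaches a reader. The Python script below is an added example, not code from Armorblox or from the original article; the sample message, its addresses, and the two heuristics are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample modelled on the IMF lure described above.
# Every address and domain here is made up for illustration.
SAMPLE = """\
From: "IMF Compensation" <claims@imf-relief.example>
Reply-To: payout.officer@freemail.example
To: user@corp.example
Subject: Re: IMF Compensation/REF27453

You have been shortlisted for the 2020 IMF COVID-19 Compensation, reply for more details.
"""

URL_RE = re.compile(r"https?://|www\.", re.I)
REPLY_RE = re.compile(r"\breply\b", re.I)

def domains(msg, header):
    """Return the set of lower-cased domains found in an address header."""
    pairs = getaddresses(msg.get_all(header, []))
    return {addr.rsplit("@", 1)[1].lower() for _, addr in pairs if "@" in addr}

def triage(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    from_d, reply_d = domains(msg, "From"), domains(msg, "Reply-To")
    # Exact-domain comparison: a legitimate subdomain would also be flagged,
    # so treat the result as a prompt for review, not a verdict.
    stray = reply_d - from_d
    if stray:
        findings.append("reply-to-mismatch: replies go to %s, sender is %s"
                        % (sorted(stray), sorted(from_d)))
    # Collect the text parts so multipart messages are covered as well.
    body = "".join(
        (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_maintype() == "text")
    # A link-free body that solicits a reply gives URL filters nothing to scan.
    if stray and not URL_RE.search(body) and REPLY_RE.search(body):
        findings.append("reply-bait: no links in body, reader is asked to reply")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
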
