US Secret Service warns that coronavirus email scams are on the rise

Key Points
  • The Secret Service warned corporate America about fraudulent emails related to COVID-19 that contain malicious attachments in an alert this week.
  • The attacks may imitate companies or government agencies that employees expect to hear from.
  • Employees may also be targeted with text messages about coronavirus, according to Akamai.
  • Another malicious attack is targeting employees on executive teams and in finance by pretending to be an email from the CEO, according to Menlo Security.

Companies throughout the country trying to keep employees informed about the coronavirus are facing another threat, in the form of malicious emails, authorities say.

In a U.S. Secret Service alert sent this week to law enforcement and banking officials, the agency warns corporate America about fraudulent emails that contain malicious attachments.

"During the coronavirus outbreak, many companies and organizations have sent emails containing COVID-19 updates to their customers to make them aware of their current response and status. As these types of emails have now become increasingly frequent, criminals have started to use this familiarity to their advantage," the alert, obtained by CNBC, said.

The agency said in the alert that it is investigating attempts in which the malicious email attachments would allow attackers to remotely install malware on computers to "potentially harvest credentials, install keyloggers or lock down the system with ransomware."

The email attachment is usually a Microsoft Office or WordPad file, the alert said.

"However, it is always possible that different variations exist, or the attack vectors will evolve. Corporations should be aware they are being targeted, with the attackers potentially posing as a vendor, member of the supply chain, or other familiar entities that would not seem out of place," the alert said.

Another version of this attack, the alert said, is an email supposedly from the U.S. Department of Health and Human Services that targets potential supplier companies by requesting that they provide any medical protective equipment from a price list, with the attachment containing malware. In most instances, "the email signature blocks used the identity of a legitimate employee. Keep in mind that typically, legitimate COVID-19 response emails have a message only in the body of the email and do not contain attachments."

These attacks are the latest in a flood of coronavirus-related scams, according to authorities and consumer watchdogs.

This text message is actually a scam, according to Akamai.
Source: Akamai

For example, researchers at Akamai, which monitors and builds website defenses for companies, said on Thursday that they uncovered phishing attacks that start with a text message that is supposedly related to COVID-19 news, government updates or health-related products and services.

But "once the victim clicks the link, they're directed to a domain and forwarded to another spoofing one of several well-known brands. Some of the brands being abused to target potential victims include Microsoft, Orange France and eBay," according to a post on Akamai's website.

A fake website used to harvest credentials in a cyberattack related to Covid-19.
Source: Akamai

Akamai researchers said criminals gain trust by pretending to be an insurance company, bank or trusted brand, hoping that victims open emails with malicious links that access sensitive personal information.

This attachment was found in malicious emails pretending to be from the CEO. If the link was clicked on, employees were directed to a Microsoft page that looked real and eventually asked to enter their username and password, which was stolen.
Source: Menlo Security

And Menlo Security, a Palo Alto-based cybersecurity company, said a recent attack on hundreds of companies stole login credentials by pretending to be an email from the CEO communicating critical COVID-19 information. The senders, who targeted key employees on the companies' executive and finance teams, created personalized emails and copied the header, footer and general e-mail layout. Inside the body of the email was an attachment that contained a shortened URL. If employees clicked on the link, they were directed to a Microsoft login page that looked real but was stealing their username and password.

This is a fake Microsoft page used to steal credentials.
Source: Menlo Security

Menlo Security found that between Feb. 25 and March 25, there was a 32-fold increase in the number of daily successful attacks, including a surge on March 11, the day the World Health Organization declared COVID-19 a pandemic.
