Security researchers have identified multiple phishing scams that aim to capitalize on people's fear of COVID-19, the disease caused by the Wuhan coronavirus.
Scammers pose as authorities like the Centers for Disease Control or World Health Organization in order to trick people into handing over their personal information.
The WHO has released an advisory warning people to avoid fraudulent emails about coronavirus.
As the death toll from the coronavirus outbreak continues to rise, online scammers are using email phishing schemes in an attempt to profit from people's confusion and fear surrounding the virus.
Security researchers have identified multiple phishing scams in which attackers pose as authorities like the Centers for Disease Control and Prevention or the World Health Organization in emails, offering information about the virus in order to trick victims into downloading malicious software or handing over their login credentials.
While the coronavirus outbreak constitutes a world health crisis, experts have warned against unnecessary panic, arguing that misinformation is causing an overblown response to the disease.
A scam identified by security firm Trustwave Holdings spreads false claims that the virus has spread to victims' home cities, then prompts users to enter their email passwords in order to read more information. Another scam teases similar information, then uses malicious links to direct victims to a fake Microsoft Outlook portal that harvests credentials.
The World Health Organization released an advisory last week urging people to stay on the lookout for phishing scams related to coronavirus. A CDC spokesperson did not immediately respond to Business Insider's request for comment.
Here's how the scams work, and the steps the WHO recommends to avoid falling for them.
Check the sender's email domain and see if it matches the website of the organization they say they work for. Then, check the URLs included in the email.
In this scam documented by Trustwave, the scammer purports to be from the CDC, but uses an email from a domain other than cdc.gov and includes misleading links that lead to a different site when clicked.
Don't trust login pages with unfamiliar URLs.
The malicious link in this scam directs users to a fake Microsoft Outlook login screen to steal their credentials — the unfamiliar URL is a tell.
When in doubt, copy and paste URLs into your browser rather than clicking hyperlinks directly.
In this case, when the misleading URL is copied and pasted from the email instead of clicked, it shows that the page doesn't actually exist.
Don't give in to scams that make you feel pressured to act quickly.
Scammers lean on the language of emergencies to push victims into acting quickly. The WHO has urged people to resist giving in to panic and to think twice about whether an email looks legitimate. If the information is supposedly public, there's no reason to submit login credentials in order to see it.
If you already handed over sensitive information, change your passwords now.
Don't panic if you believe you've already given your login credentials to a fraudster. Change the passwords to all your online accounts now, and set up multifactor authentication whenever possible.