How Internet Scammers Are Taking Advantage of the Global COVID Pandemic

By Mark Pomerleau, MCPA Public Affairs Officer

April 23, 2020

The global pandemic spurred by coronavirus has proved to be a ripe breeding ground for scammers and hackers online looking to take advantage of panic and confusion according to Brad Rhodes, Head of Cybersecurity at Zvelo.

During the inaugural Lockdown Lunch & Learn webcast April 21, Rhodes, MCPA HammerCon Co-Lead and a cyber warfare officer in the Colorado Army National Guard, provided a threat briefing of the ways actors are trying to exploit the current crisis and ways organizations can protect themselves from the activity.

The activity stems from a wide group, he said, which potentially includes state actors, non-state actors, hacktivists, and script kiddies.

Rhodes explained that since the global crisis has unfolded, there has been a significant uptick in the number of domain names registered associated with coronavirus and COVID-19. Most of these are likely not for legitimate purposes and come from domain resellers.

Initial coronavirus related domains began to appear in early January 2020. By early March, there were over 7,000 domains and over 12,000 by the end of the month alone.

Image: Brad Rhodes

With the new domain names being registered, Rhodes explained, scammers are geographically focusing them to target specific regions. These also include domains focused on the mobile device market such as

Rhodes also pointed to a trend in redirecting. While some redirecting can be for legitimate purposes, such as websites automatically redirecting to https, he indicated there are some concerning redirecting trends occurring related to suspicious coronavirus related sites. A top example includes redirecting to well-known sites that are typically whitelisted by organizations.

Threat actors in the February and March timeframe began to redirect to whitelisted sites in order to push their content through. An immediate red flag, Rhodes pointed out, is when a domain name redirects to something other than a known content delivery network server or a legitimate site.

Related to redirecting, another observed trend is herding. Entities are buying many similar domain names and redirecting them all to the same site. This is how people and organizations are taken advantage of, Rhodes said, because they may do an internet search related to coronavirus treatments or economic relief related to the global pandemic, click on a site and be redirected to something suspicious.

Organizations should be wary of the ages of domains as well. Many suspicious domain creations coincided with a particular event such as a significant increase in cases in a certain country.

Domain registration ("whois") data for three suspicious coronavirus-related domains. Note the creation dates.Image: Brad Rhodes

One example was, which was created around the time Congress was working on the economic stimulus bill. Rhodes added that anything associated with a “.claims” should be viewed with caution.

What should you do?

Rhodes offered a few recommendations for how to better protect yourself, your organization, and loved ones that might not be technologically savvy.

They included trusting your gut. If an email, notification, SMS text message is offering something too good to be true, it probably is.

Be cautious of filling out random forms that ask for emails as these can be good ways to gain personal information, which can then be used to generate potential passwords or identify email addresses for phishing.

Be careful about clicking on websites. While not effective on mobile devices, hover mouse cursor over links to view the actual source of the link. If the source is not the same, it might be suspicious.

Use a VPN when at home, at a coffee shop, or wherever accessing the Internet.

About the Author

Mark Pomerleau is the MCPA Public Affairs Officer (PAO) and a journalist whose work has focused on information warfare, cyber, electronic warfare, intelligence, and defense technology. His work has appeared in The Hill, The Atlantic, Defense News, C4ISRNET and Fifth Domain.