Skip to content

Trending tags

Coronavirus spam update: watch out for these emails

Adam Pilkey

30.03.20 3 min. read


F-Secure’s Tactical Defense Unit continues to see threat actors use coronavirus spam to compromise people and organizations.

The unit, which is actively monitoring cyber crime activity related to the coronavirus, observed the campaigns late last week. The campaigns are largely consistent with the coronavirus email attack trends F-Secure previously identified, and reflect how the discussion around the pandemic is evolving.

A notable development with these campaigns is the emphasis on managing the economic impacts of the pandemic, rather than managing symptoms or the virus’ spread.

“Social engineering techniques seem to be moving more in a direction to appeal more toward remote workers. Business continuity plans, service disruptions, and lockdowns are all information people need to do their jobs, making them effective lures for people working from home,” explains F-Secure Researcher Maria Patricia Revilla Dacuno. “People should be careful about clicking on links or opening attachments when opening messages about this, especially if it’s from an unexpected source.”

Here’s two new campaigns people should be on the lookout for.



This spam campaign poses as information that the recipient needs to know about their company’s business continuity operations. The attachment, described as “necessary information” infects the user’s device with Lokibot – malware that steals email credentials and passwords from browsers, FTP clients and CryptoCoin wallets.


This spam campaign dangles information about a lockdown to entice users into opening the email. The email’s text describes a coronavirus-related expense the recipient will be charged for. The attached word document is actually a vehicle for AgentTesla – malware that steals login credentials from browsers.

Spam is an incredibly common source of malware. It accounted for 43% of malware blocked by F-Secure’s endpoint protection products in 2019 (more info on that in this report).

Anti-spam and phishing advice

Given the prevalence of email attacks, it’s important to keep a few basic security tips in mind:

  • Always check the source of the email and avoid clicking on links or opening attachments from unknown or untrusted senders.
  • Check that the link destination is legitimate before you click on it. You can do this on a desktop by hovering your mouse over the link.
  • Look for mistakes. Opportunistic scammers rarely invest in proofreading, so a poorly written email gives you good reason to be suspicious.
  • Learn about tactics used by attackers. Email scams will often use pressure tactics or other social engineering tricks to try and lure people into clicking, so keep your guard up when emails compel you to click.

According to F-Secure’s Matthew Connor, a service delivery manager for F-Secure Phishd – a security awareness training service – companies can help their employees manage these risks by being careful about how they handle internal communications about the coronavirus.

“Employers can help reduce the risk to their employees by sending clear, concise, well-organized communication that’s tailored to the specifics of their workforce and avoids the kind of language used in scam emails,” says Matthew. “I would also advise employers to highlight the risk of COVID-19 related scams to their workforce and encourage them to use extra care with any emails on the subject that they receive. Any employee receiving an email they don’t 100% trust, should report it or at very least speak to their colleagues about it, ideally on a separate platform such as Teams or Slack”

If you need more information on phishing attacks, you can check out this episode of F-Secure’s Cyber Security Sauna podcast. More info on handling  coronavirus-related infosec pains is available here.

Adam Pilkey

30.03.20 3 min. read


Related posts


Newsletter modal

Thank you for your interest towards F-Secure newsletter. You will shortly get an email to confirm the subscription.

Gated Content modal

Congratulations – You can now access the content by clicking the button below.