Email Security Blog

Email Phishing Alert: Don't Fall for Fake COVID-19 Laws

From health ordinances to new government benefits and programs, the pandemic has led to a wave of legislative action at the local, state and national level. Your organization has no doubt worked hard to keep up with the changes. But, while you’re doing your best to play by the rules, cybercriminals are doing their best to exploit them.

Uncertainty creates opportunity for crime. And COVID-19 has created more uncertainty than any event in recent memory. Cybercriminals all over the world are taking advantage of the situation, and many are using phishing scams to do so. COVID-19 phishing is so prevalent that Google has recorded 18 million COVID-19 malware and phishing emails per day.[1] And their numbers only account for what is sent through Gmail.

While there are a wide variety of COVID-19 phishing schemes, some of the hardest to detect are the ones that claim to be about new regulations. Typically, these phishing emails tell a recipient that, due to a new law or change in an existing law, they are required to alter payment procedures or reveal sensitive data. These fake-law phishing threats are difficult to spot for two reasons.

  1. Your employees have adjusted to so many new regulations and procedures that they are unlikely to think yet another change is suspicious.
  2. The desire to obey the law can cause even the most careful employee to fall for a scam — particularly when a phishing email looks and sounds official.

Here are three of the most common fake-law phishing schemes that experts are seeing.

Fraudulent Shipping Fees

During the summer, the FBI warned businesses and consumers that cybercriminals are claiming that new COVID-19 shipping laws require new fees.[2] According to the FBI, these scams include claims that the shipper is now required to:

  • Collect additional fees before delivery.
  • Collect maritime or other insurance fees after purchase.
  • Hold delivery until payment is made to a third party, such as a warehouse.

In some cases, the cybercriminal may claim that the fees are refundable. But, in all cases, if someone at your organization falls for the scam, you’ll never see the money again. And falling for the scam is more likely than you might think. That’s because any email requesting additional shipping fees is likely to be a spoof email that seems to be from a trusted vendor.

These days, cybercriminals often research your organization — or start with a data breach — to learn who processes invoices and who your vendors are. If a vendor who’s shipped to you for years sends an email requesting COVID-19 shipping fees along with an account number for payment, your employees may not think twice about complying.

Small Business Administration Scams

The CARES Act has helped a lot of businesses survive during the pandemic. But the Small Business Administration (SBA) warns that cybercriminals are engaged in a number of phishing scams designed to profit illegally from businesses in distress.[3]

In many cases, scammers are using unfamiliarity with the law to trick businesses into transferring money into fraudulent accounts, disclosing banking credentials, or paying fees on fraudulent loans. The SBA wants you to know that they:[3]

  • Do not initiate contact on 7(a) or Disaster loans or grants.
  • Do not require payment upfront or offer high-interest bridge loans.
  • Limit the fees a broker can charge a borrower to 3% for loans $50,000 or less and 2% for loans $50,000 to $1,000,000 with an additional ¼% on amounts over $1,000,000.

The SBA warns that many of the phishing emails being sent look official and include the SBA logo and other branded elements. If you’re not familiar with COVID-19 relief laws, cybercriminals can use your unfamiliarity in a phishing attack.

CDC and Health Department Scams

If you’re like most organizations, you’re paying a lot of attention to CDC guidelines and your local health department’s regulations. But cybercriminals are trying to use your desire to be safe against you.

From the outset of the pandemic, cybersecurity experts have seen phishing emails that appear to be from the CDC.[4] These emails often claim to be providing urgent news, guidelines or even new regulations, which are provided as an attachment. The attachment loads malware into your system, giving hackers access to sensitive data or allowing them to stage a cyberattack.

But the CDC isn’t the only organization being spoofed. Cybercriminals are also pretending to be from local health departments.[5] The most common phishing scam informs email recipients that they’ve been in contact with someone who has tested positive for COVID-19. They are required — by law, according to some phishing emails — to respond, either by paying a fee for a test of their own (which goes into a fraudulent account), providing personal data (which the criminal can then exploit) or downloading an attachment (which loads malware).

A scammer could use a CDC or contact-tracing phishing scheme to target your organization directly, but that’s not the only threat. Employees unfamiliar with COVID-19 regulations and requirements could also open personal emails on your system and inadvertently download malware.

How Can You Protect Your Organization?

Phishing can cost you money and time even if just one employee falls for one scam. But training your employees to detect every possible phishing scam isn’t feasible or affordable — particularly during the pandemic. To ensure no one in your company is taken in by a fake-law or any other phishing email, you need a robust email security solution.

That’s where INKY comes in. With INKY, you’ll have a security stack that protects you from phishing threats at every level. Unlike other email security software, INKY goes way beyond the typical use of artificial intelligence. It uses machine learning and computer vision to see like humans see, recognizing brands, logos, colors and more. But INKY can also see what humans can’t, detecting an imposter by a single misplaced pixel. An email might look like it’s from the SBA to your employees, but INKY will know it’s not. INKY can even tell if an email is not from one of your trusted senders.

INKY will also keep you and your employees informed with gentle but persistent guidance in the form of alert banners. Not only do these banners notify you of potential fraud, they help train your employees on what to watch for. IT teams love that INKY integrates seamlessly into your existing system. It’s cloud-based, platform agnostic and works on desktops as well as mobile — meaning it’s on the lookout 24/7/365 regardless of where your employees are or how they’re accessing their email.

Email security is essential to your success. Don’t allow the uncertainties surrounding the pandemic to leave you vulnerable to attack. Try your personalized INKY demo today.


INKY® is the emerging hero in the war against phishing. An award-winning cloud-based email security solution, INKY® prevents the most complex phishing threats from disrupting or even immobilizing your company’s day-to-day business operations. Using computer vision, artificial intelligence, and machine learning, INKY® is the smartest investment you can make in the security of your organization. INKY® is a proud winner of the NYCx Cybersecurity Moonshot Challenge and finalist in the 2020 RSAC Innovation Sandbox Competition. Learn more about INKY® or request an online demonstration today.

[1] Source: https://www.blog.google/technology/safety-security/threat-analysis-group/findings-COVID-19-and-online-security-threats/

[2] Source: https://www.ic3.gov/media/2020/200611.aspx

[3] Source: https://www.sba.gov/document/report-sba-programs-scams-fraud-alerts

[4] Source: https://www.bloomberg.com/news/articles/2020-03-12/hackers-posing-as-cdc-who-using-coronavirus-in-phishing-attacks

[5] Source: https://www.npr.org/sections/health-shots/2020/08/20/903664222/how-to-tell-a-real-COVID-19-contact-tracers-call-from-a-scammers