News & Resources

Publications & Media

COVID-19 Exploitations: Malicious Cyber Actors Strike with Pandemic-Related Scams

Health & Life Sciences Alert Meghan C. O'Connor, Sarah A. Erdmann

The U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) shared an alert on April 9, 2020, issued a day earlier by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC), addressing exploitations by cybercriminals of the current coronavirus disease (COVID-19).

OCR shared this alert less than a week after reporting about an impostor posing as an OCR investigator in an attempt to obtain protected health information, which is summarized here. This comes alongside increased public reports of malicious attacks on health care entities. Earlier this month, Microsoft issued a warning to health care entities of the increased risk to the industry from threat actors taking advantage of the COVID-19 pandemic with ransomware attacks. According to Microsoft, “[D]uring this time of crisis, as organizations have moved to a remote workforce, ransomware operators have found a practical target: network devices like gateway and virtual private network (VPN) appliances. Unfortunately, one sector that’s particularly exposed to these attacks is healthcare.”

OCR’s April 9 alert summarizes the attacks being used to exploit COVID-19. High-level takeaways include:

  • Advanced persistent threat (APT) groups are masquerading as trusted entities, like the OCR impersonator described above to send COVID-19 related phishing messages. These cybercriminals may be using “coronavirus” or “COVID-19” in the subject line of an email or even register new domain names containing words related to coronavirus or COVID-19 to prey on individual’s curiosity and concern about the pandemic.
  • These phishing attempts are being sent via email but also text messages (SMS) and through malicious applications. An example provided by OCR is a malicious Android app that states it can provide a real-time coronavirus outbreak tracker but instead tricks the user into providing administrative access to install “CovidLock” ransomware on the device.
  • Cybercriminals are deploying a variety of ransomware and other malware, in most cases using an email that persuades the victim to open an attachment or download a malicious file from a linked website. Upon opening, the malware is executed, compromising the individual’s device.
  • Since many organizations have moved their workforce to teleworking, new networks—VPNs and IT infrastructure—are being used, which has led cybercriminals to exploit vulnerabilities of remote working tools and software. An example provided by OCR is that attackers have been able to hijack teleconferences that have been set up without security controls (e.g., passwords) or with unpatched versions of the communications platform software.

The OCR alert makes clear that cybercriminals are targeting individuals, small and medium enterprises, and large organizations—no one is immune.

We discuss additional privacy and security considerations for an increased remote workforce here. The alert also outlines practical mitigation steps that organizations and individuals can take to best protect themselves and reduce the risk of being victimized by these COVID-19 related attacks:

  • Individuals and organizations should remain vigilant and regularly review guidance and alerts published by trusted sources.
  • Be alert for phishing emails and consider the following in assessing the email’s validity:
    • Authority – Is the sender claiming to be from someone official (e.g., your bank or doctor, a lawyer, a government agency)? Criminals often pretend to be important people or organizations to trick you into doing what they want.
    • Urgency – Are you told you have a limited time to respond (e.g., in 24 hours or immediately)? Criminals often threaten you with fines or other negative consequences.
    • Emotion – Does the message make you panic, fearful, hopeful, or curious? Criminals often use threatening language, make false claims of support, or attempt to tease you into wanting to find out more.
    • Scarcity – Is the message offering something in short supply (e.g., concert tickets, money, or a cure for medical conditions)? Fear of missing out on a good deal or opportunity can make you respond quickly.
  • Organizations should revisit their security incident response plans and be prepared for these attacks if they are successful. Planning now will help mitigate damage caused by such attacks.
  • In using online meeting platforms, do not make the meetings public, but instead use passwords or a waiting room feature where you control who is admitted. Do not share a link to a meeting publicly. Ensure that you are using the updated version of remote access/meeting applications. Also, ensure telework policies address requirements for physical and information security.

Find Answers to COVID-19 Issues, Impacts and Recommendations from Quarles & Brady.


Quarles & Brady’s Health Law Team is continuously monitoring the impact of COVID-19 on the health care industry, and we are here to help. For more information, contact your Quarles & Brady attorney or:

We have updated our Privacy Policy. Please click here to view our new policy.