If we’re not careful, COVID-19 will be a bonanza for cybercrooks. Sources differ on whether the total amount of cybercrime has increased since the pandemic or whether the jump is just in scams that exploit people’s fears of it. Either way, nonprofits must navigate these new challenges, often without the funds to mount a strong IT defense. The problem is compounded because so many staff members are working from home, often on their personal computers. Experts offer advice that can help.

So what does “phishing” mean, anyway?
Let’s start by defining our terms:

  • Phishing: Cybercriminals disguise an email so it looks like it’s from a legitimate organization. It asks you to click on a link or download an attachment. If you do, you download malware that “could allow cybercriminals to take control of your computer, log your keystrokes, or access your personal information and financial data …” according to internet security company Norton.
  • Spear phishing: Like phishing, but it targets a specific individual or organization. For example, the fake email to you appears to be from your boss.
  • Smishing: Phishing by SMS/text.
  • Vishing: Phishing by telephone. (V is for Voice, not Vendetta.)

Is there more phishing happening now?
A report from Google showed that there were nearly 149,200 active phishing websites in January 2020. That number rose by 50% in February and then in March jumped to nearly 522,500, a 350% increase since the beginning of 2020. PC Magazine reported that a major factor was fake COVID-19 websites.

In April, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) issued an advisory about COVID-19 phishing scams. While CISA said it had not seen the overall level of cyberattacks increase, it warned against cybercriminals exploiting the pandemic for personal gain.

What kind of COVID-19 phishing scams are we seeing?

The goal remains the same. The crooks want you to click on a link that installs malware, or they want you to hand over personal information, such as your Social Security number. They are building the old scams around this new virus. Here are a few examples:

  • The sender appears to be the CDC, WHO or another legitimate group. The subject line cites the COVID-19 pandemic (“2020 Coronavirus Updates”) and the text offers a link to get information or register for a service.
  • The crook exploits the increased use of video conferencing software. Phishing emails come with attachment names that play on Zoom or Microsoft Teams.
  • The email asks you to download the new workplace policy on COVID-19.
  • The email says you are eligible for a $1,200 stimulus check or free COVID-19 home test kit if you just provide your Social Security number.

Phishing is not the only type of scam that preys on people’s fears. A crook might post a website that promises supplies such as masks or disinfectant, and then not deliver the supplies you’ve purchased. Or they might offer you the opportunity to invest in a promising cure.

What can we do to avoid getting hooked by the crooks?

You are your best first line of defense from shifty phishers. If you know what to look for and stay alert, you can avoid getting hooked. Here are some tips gathered from sources including TechSoup, the FCC and the European Union Agency for Cybersecurity:

Develop good email management habits. Approach emails deliberately and with suspicion, and go through steps to determine whether they are legit, such as:

  • Only open email from known email addresses, and check the email address twice.
  • Be suspicious of emails that insist you act now. Phishers will try to generate a sense of urgency that gets you to act first, think later.
  • Sniff out suspicious terminology. Check for terms and language that are different from what you would normally expect, such as the person calling you by your full name.
  • Check whether the domain name matches the organization the person claims to represent.
  • Check the link before you click. Hover the mouse over the link, or view your emails in plain text, to see the real hyperlinked address.
  • If something looks suspicious, call or text your IT person, if you have one, to get their advice. Do not reply to the email.
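The two checks above that lend themselves to automation, sender domain versus claimed organization and displayed link versus real link target, are sketched here as an added example that is not part of the original article. The sample message, the `KNOWN_DOMAINS` list and all function names are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; every name and address in it is made up.
SAMPLE = """\
From: "CDC Alerts" <updates@cdc-gov.example.net>
Subject: 2020 Coronavirus Updates
Content-Type: text/html; charset="utf-8"

<p>Register: <a href="http://files.example.net/register">https://www.cdc.gov/coronavirus</a></p>
"""
KNOWN_DOMAINS = {"cdc": "cdc.gov", "who": "who.int"}  # assumption: real sender domains

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):  # hostname of a URL or bare "www.example.org/x", without "www."
    return re.sub(r"^www\.", "", urlparse(url if "//" in url else "//" + url).hostname or "")
def in_domain(name, domain):
    return name == domain or name.endswith("." + domain)

def check_email(raw):
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    sender, out = addr.rpartition("@")[2].lower(), []
    for org, dom in KNOWN_DOMAINS.items():
        if re.search(rf"\b{org}\b", name, re.I) and not in_domain(sender, dom):
            out.append(f"sender claims {org.upper()} but domain is {sender}")
    body, links = msg.get_body(preferencelist=("html",)), LinkCollector()
    links.feed(body.get_content() if body else "")
    for href, text in links.links:
        if re.match(r"(https?://|www\.)", text, re.I) and not in_domain(host(href), host(text)):
            out.append(f"link shows {host(text)} but goes to {host(href)}")
    return out
```

Calling `check_email(SAMPLE)` returns one warning for the sender domain and one for the link; a message that passes both checks returns an empty list, which does not by itself make the message safe.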

To avoid phishing/smishing/vishing attempts in general:

  • Never supply any personal or financial information or passwords to anyone by email, phone or text.
  • Do not respond to calls or texts from unknown numbers, or any others that appear suspicious.
  • Investigate before clicking links in a text message. If a friend sends you a text with a suspicious link that seems out of character, call them to make sure they weren't hacked.
  • Visit websites by typing the domain name yourself, rather than clicking on a link. If you receive a certificate error while browsing, it’s a warning sign something isn’t right with the website.

To avoid COVID-19 phishing/smishing/vishing attempts:

  • Be wary of third-party sources spreading information about COVID-19. Legitimate government agencies will never call you or email you directly for your personal information.
  • Get your news from trusted sources such as reputable news sites, official government websites (.gov), or sites with security certificates (https).
  • Know who built that COVID-19 mobile app before you download. Only get COVID-19 apps from health departments, hospitals and trusted sources.

To protect your devices, install anti-spam, anti-spyware and anti-virus software and keep them up to date.

Want a little practice?

Can you spot a phishing attack? Take this quiz from Jigsaw, a company under Google’s parent Alphabet, to help you find out.

TechSoup is a resource for nonprofits during COVID-19
Check out this TechSoup blog post on keeping your nonprofit’s systems safe during COVID-19. It covers basic topics such as what to look for to identify phishing, but also topics such as how to harden your home computers and networks and how to set up a VPN. The post also includes links to software available at reduced cost to TechSoup members. Visit this page for a complete listing of all the resources for nonprofits affected by COVID-19.

Your organization may be eligible for donated or discounted software, hardware and services through TechSoup if it is a nonprofit, library or foundation in the United States. The TechSoup catalog includes more than 375 products from more than 100 companies such as Microsoft, Adobe, Cisco and more. To apply for a free membership, go here.


Jennifer Wilding

Community Development Specialist

Jennifer Wilding, a community development specialist for the Kansas City Fed, provides communications, engagement, and research for the community development department.

Wilding e…