
COVID-19 changed just about everything in the world, and malicious phishing attacks were no exception. While the methods behind these attacks are largely the same, their volume and content have changed. This is to be expected, as attackers have always used significant or current news events to capitalize on fear. We’re breaking down the top 5 most common phishing scams to be aware of right now and how to protect yourself against them.

1.   Stimulus Payment Scams

The government is providing massive amounts of money to help people and businesses during the pandemic, and scammers are doing everything they can to take advantage. They might try to convince you to pay a fee to get your stimulus payment or persuade you to cough up your Social Security number, bank account, or other sensitive information.

How to protect yourself:


  1. Only use to submit information to the IRS—never give it to anyone by phone, text, or email.

    • The IRS won’t contact you by phone, email, text message, or social media with information about your stimulus payment, or to ask you for your Social Security number, bank account, or government benefits debit card account number. Anyone who does is a scammer phishing for your information.

  2. You don’t have to pay to get your stimulus money.

  3. The IRS won’t tell you to deposit your stimulus check and then send money back to them because they paid you more than they owed you. That’s a fake check scam.

2.   Phishing for Donations

If you or your business decide to make a donation to assist those affected by COVID-19, make sure you do your homework first. Scammers are disguising themselves as non-profit organizations and asking businesses and consumers for money and/or information.

How to protect yourself:

  1. Use a trusted source to validate the legitimacy of an organization. The FTC recommends the following four options:

  2. Be careful how you pay. Scammers often ask for money wires or cash. Credit cards or checks are a safer option.

  3. Scammers often try to rush you into giving money. This is always a red flag, so take your time.

  4. Ask the organization for documents that prove their legitimacy. Established organizations can provide you with their Employer Identification Number (EIN), a nine-digit number assigned by the IRS that identifies them as an employer. You can verify an EIN on the IRS website.

3.   Scams from Attackers Claiming to be the CDC or WHO

Any email that claims to be from a government source providing information on COVID-19 should be treated with caution. Attackers will often disguise the email address and links in the email to make them appear legitimate.

How to protect yourself: Always avoid clicking on these links. Instead, go directly to sites like and to get the latest information.
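For mail administrators, the two disguises described above (a sender name that claims an agency and link text that shows one site while pointing to another) can be flagged automatically. The following is an added example, not part of the original article; the allowlist of `cdc.gov` and `who.int`, the function names, and the sample message are assumptions constructed for illustration, and the message is assumed to have a single HTML body.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: keyword in the display name -> official domain.
OFFICIAL = {"cdc": "cdc.gov", "who": "who.int"}
# Finds a host name in visible link text, ignoring a leading "www.".
HOST_RE = re.compile(r"\b(?:www\.)?((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
# Constructed sample message for illustration only.
SAMPLE = '''From: "CDC Health Alert" <alerts@cdc-gov.example>
Content-Type: text/html

<a href="http://updates.example.net/login">https://www.cdc.gov/coronavirus</a>
'''

def in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_message(raw):
    """Return findings for one raw message with a single HTML body."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    findings = [f"display name claims {b.upper()} but sender domain is {sender}"
                for b, d in OFFICIAL.items()
                if re.search(rf"\b{b}\b", name, re.I) and not in_domain(sender, d)]
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        target = (urlparse(href).hostname or "").lower()
        shown = HOST_RE.search(text)
        if shown and not in_domain(target, shown.group(1).lower()):
            findings.append(f"link text shows {shown.group(1)} but points to {target}")
    return findings
```

Calling `check_message(SAMPLE)` returns one finding for the sender domain and one for the mismatched link; a message sent from `cdc.gov` whose links point to `cdc.gov` returns an empty list.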

4.   COVID-19 Testing Kits

The FDA has only approved one home-testing kit, but there are other kits on the market that are not FDA approved. Scammers are using the promise of phony testing kits to obtain personal and sensitive information.

How to protect yourself: Always avoid clicking on these links.

5.   Online Offers for Vaccinations

At the time of this writing, there are no products on the market that can prevent or cure COVID-19. Thus, any emails with these claims can be dismissed as spam.

How to protect yourself: Always avoid clicking on these links.