WHO Warns of Phishing Scams Related to Coronavirus Alert

The World Health Organization (WHO) has released a warning about Coronavirus-themed phishing attacks that impersonate the organization with the goal of delivering malware and stealing information.

What happened?

The WHO has confirmed that phishing emails, camouflaged to appear as sent by WHO officials regarding Coronavirus alert, were being distributed by the cybercriminals.

  • The phishing messages ask the targets to share sensitive info like usernames and passwords.
  • It also redirected users to a phishing landing page via malicious links embedded in the emails.
  • In some cases, it requested victims to open malicious attachments.

"WHO is aware of suspicious email messages attempting to take advantage of the 2019 novel coronavirus emergency," the agency said in the Coronavirus scam alert.

How does the phishing campaign work?

In the email, users are generally asked to go through the attached document regarding safety or preventive measures for Coronavirus.

  • Users are then directed to download the attachment on their system simply by clicking on a "Safety Measures" button.
  • Once clicked, it redirects them to a compromised site (a phishing page) controlled by the attackers.
  • The page loads the WHO website in a frame in the background with a pop-up asking the users to verify their e-mail.
  • Clicking on the "Verify" button exfiltrates their credentials to the attackers’ server. At the same time, the user will see that they are being redirected to the WHO's official website.


"If you are contacted by a person or organization that appears to be from WHO, verify their authenticity before responding," read the WHO advisory.

  • Any email address other than ‘person@who.int’ format is not from the WHO.
  • Make sure the link starts with ‘https://www.who.int’
  • Stay alert, giving in username & password to access public information is unusual.
  • Cybercriminals use emergencies such as 2019-nCov to get people to make decisions quickly, but do not panic.
  • Change your credentials if you somehow surrendered your current credentials.