COVID Phishing Scam: ‘I Will Infect Your Family’

Published: 30 April 2020

The phishing scam threatens to infect the victim's entire family with COVID-19 (Photo: Alissa Eckert, CC SA-BY 3.0)

By Will Neal

Fraudsters have found a way to use the coronavirus pandemic for blackmail, with one phishing scam threatening to ‘infect every member’ of victims’ families with the disease in what experts say is a new take on an old sextortion scheme.

“I know every dirty little secret about your life,” the email reads. “To start with, I know all of your passwords. I am aware of your whereabouts, what you eat, with whom you talk, every little thing you do in a day.”

“You need to pay me $4,000,” it goes on. “If I do not get the payment: I will infect every member of your family with the coronavirus. No matter how smart you are, believe me, if I want to infect, I can. I will also go ahead and reveal your secrets. I will completely ruin your life.”

The email was first publicly identified by internet security company Sophos, which published a copy of the email text on March 19.

The Daily Beast reported on Wednesday that the NYPD is on high alert over the new coronavirus scam, in which the fraudsters claim to have gained access to the victim’s emails and contact list.

Prem Mahadevan, a senior cybercrime analyst with the Global Initiative Against Transnational Organised Crime, told OCCRP on Thursday that these emails are a crude, corona-themed version of another popular scam, in which fraudsters threaten to release intimate photos of their victims if they do not pay up.

In previous versions, the scammers would threaten to publish compromising photos of their victims, captured via webcam, in a split-screen format displaying what the person was supposedly watching at the time.

“Normally, someone being blackmailed over compromising photographs would face, at most, the likelihood of public embarrassment and private discord within their family if their ‘secret’ were revealed. Threatening to infect family members with a virus that could possibly be fatal is another order of coercion entirely,” he added.

The newer scheme is different simply “because the thuggish nature of such threats aims to paralyse or slow down rational calculations of risk on the part of the victim,” Mahadevan said.

The threat is made credible by the fact that the email may also contain details of the victim’s address and passwords. This makes the recipient believe that the attacker has managed to get deep into their computer and their life.

But Sophos says that this is not true, as the perpetrators almost never have the capacity to deliver on their threat.

Victims’ emails and passwords are usually bought from darknet sites where sellers gather the information from massive data breaches at email servers, and these scams are usually conducted on such a large scale that criminals simply don’t have time to hack individual accounts.

The internet security company therefore says victims should simply delete the emails, as the hackers are highly unlikely to have photos of any kind, much less be capable of infecting anyone with an actual, bodily virus.

Mahadevan further added that the recent phishing scam is a small drop in a vast ocean of cybercriminal activity, which has swelled following the global outbreak of the pandemic.

“The number of phishing attacks has increased massively over the last three months - one estimate is that it has gone up by 667%,” he said.

“The issue seems to be the extent to which victims might be inclined to lower their guard while working from home. Certainly, cybercriminals are counting on their victims being more grounded than usual in the virtual, online world rather than the real, physical world, where dangers can be more intuitively and coolly assessed,” he added.