Alert: COVID-19 Phishing Scams on the Rise

Dear SJSU faculty and staff,

The COVID-19 pandemic has impacted almost everything about our lives, changing how we work and interact every day. It’s also created a rapidly changing environment where hackers and scammers are trying to capitalize on our fears and anxieties. Attacks related to COVID-19 started circulating as early as January and have only proliferated since.

COVID-19 Phishing
The most recent trend has been focused on the upcoming stimulus package, with emails featuring subject lines like “URGENT: COVID-19 stimulus check delivery blocked. Please accept delivery here to continue with shipment.” Other recent email attempts include:
  • Posing as the government and asking you for banking information before sending your stimulus money
  • Posing as aid organizations to solicit donations, then taking your money for themselves
  • Sending links to “information” about COVID-19 cures/vaccines that install malware when you open them

This type of attack, called “phishing,” is an attempt by criminals to gain access to your SJSU and personal accounts. As many of you are currently working and lecturing from home, it’s especially important to be vigilant. Home computing devices and home networks do not have the security defenses of our campus network and systems. Duo Two-Factor Authentication can effectively help protect your account from these kinds of attacks. Students, faculty, and staff can also download Sophos Anti-Virus for free on home computers.

Reputable Resources
  • The Federal Trade Commission is a reputable source of information on this topic and has multiple posts about how to identify and avoid COVID-19 scams.
  • Additionally, the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the United Kingdom’s National Cyber Security Centre issued a joint activity alert titled “COVID-19 Exploited by Malicious Cyber Actors.” The alert discusses the exploitation of virtual private networks, phishing emails and text messages about COVID-19, and websites deceptively advertised as COVID-19 sites.
  • For more approachable security awareness content, NINJIO is offering a series of 10 free videos about being data secure while working from home.

Phishing Awareness Program
You can also visit SJSU IT’s How to Spot a Phishing Attempt page to read about our ongoing Phishing Awareness Program. As part of this program, you will periodically receive simulated phishing emails that imitate real attacks. These emails are designed to give you a realistic experience without putting you or the university at risk for a security breach. If you fall for our fake messages, there’s no judgment. We’ll just send you tips and tricks to improve your phishing recognition skills. We have run this program many times over the last few years and the response has been great.

If you ever receive a request for your login information, you can always contact the SJSU IT Service Desk at (408) 924-1530. Visit our blog or website for more information on How to Spot a Phishing Attempt or sign up for our ongoing phishing education program. You can also visit Google’s site to see how reporting phishing emails in Gmail helps prevent future attempts. For tips on how to use Zoom securely, download our Zoom FAQ PDF.

Best regards,

Hien Huynh
Information Security Officer
Division of Information Technology


We would like to remind you of a security threat that is never far away: Phishing. During a phishing attack, a scammer disguises their email to look like a legitimate message from a colleague or company in an attempt to trick you. The goal of the phishing email is to have you click on a link or open an attachment that will ask you for sensitive or confidential information. Find information on how to spot phishing emails on our safe computing pages.

Signing up to use two-factor authentication with Duo helps keep your account safe. With Duo, you’ll be protected when somebody attempts to use your account through Okta single sign-on or other Duo-integrated apps (such as a VPN client). You can learn more about Duo and sign up for it early here.

Impersonation alerts are another useful feature, available on the Gmail website and in the Gmail apps for iOS and Android. These alerts will help remind you to be vigilant about suspicious emails, but they work best when you’re using your SJSU email account for university-related communication. If you see this alert, take a moment to review the details of the message, referencing our safe computing tips.

The single best way to protect yourself is to stay vigilant and use common sense. Oftentimes, phishers will impersonate figures of higher authority. But if you ask yourself, “When’s the last time the President emailed me directly?” and the answer is “Never,” that should raise a red flag. If you find yourself thinking, “I thought the President had better grammar/punctuation/spelling?” that should raise a red flag too. If you see these kinds of suspicious emails, use the Report Phishing feature in Gmail.