Attorney General Ellison warns Minnesotans about COVID-19 phishing attacks

March 24, 2020 (SAINT PAUL) — Minnesota Attorney General Keith Ellison today warned Minnesotans about a reported spike in phishing attacks related to COVID-19, and offered advice about how to spot, avoid, and report them.

Phishing is a scam where thieves attempt to steal personal or financial account information by sending deceptive electronic messages that trick unsuspecting consumers into disclosing personal information. The bait may be an email, instant message, or pop-up window from what appears to be a trusted institution or company — for example, a government agency, financial institution, or internet service provider, among others. The consumer is encouraged to provide account information or other personal information, including financial information, and/or to click on a link that will install malware on the consumer’s computer.

There has been an increase in phishing attacks in response to COVID-19. Scammers are exploiting people’s heightened concern at this moment with phishing attacks that are increasingly realistic. Phishing scammers may purport to be government leaders or health officials and claim to have important information about how to reduce the spread of COVID-19. They may claim to have access to tests, vaccines, or miracle cures.

State of Minnesota IT Services has observed the following COVID-19 phishing-related scams:

· A fake COVID-19 tracking map that was distributing malware;

· COVID-19 smartphone apps distributing malware;

· Scam websites; and

· Impersonations of the Centers for Disease Control (CDC) and the World Health Organization (WHO).

These new phishing scams use updated versions of the same tricks:

· Email addresses containing look-alike domains, such as emails ending in “” instead of the legitimate “”

o TIP: Check email addresses and domains carefully before opening emails.

o TIP: Look for misspellings, poor grammar, or unusual or unprofessional language in the email.

o TIP: Do not assume that an email is legitimate because it includes the organization’s or business’s logo. Scammers often use them to fool you into thinking the email is legitimate.

· Urgent requests to click on hyperlinks that direct users to malicious sites. Those links may send you a site that looks official or legitimate but is actually run by scammers.

o TIP: Do not trust even legitimate-appearing hyperlinks from unknown senders.

· Sham “verifications” that ask you to provide sensitive personal information before accessing a site.

o TIP: Be skeptical of requests to verify your identity with sensitive personal information — especially if a site has not asked for the information in the past.

o TIP: The World Health Organization and the Centers for Disease Control and prevention will never ask you for personal informational by email.

o TIP: Companies you do business with already know your account number and will never ask you to provide it to them. The Social Security Administration, Medicare, or your financial institution will never ask you for personal information by email.

· Requests to communicate with businesses or individuals outside the normal channels of communication, including unknown emails.

o TIP: If you have any doubt whether a communication is legitimate, call or email those businesses or individuals directly at the publicly-listed phone number to ask if it came from them.

o TIP: Do not trust the number in the suspected email, as it may send you to scammers rather than to the business or organization it claims to represent.

More trusted tips for spotting and avoiding phishing attacks are from Attorney General Ellison’s website and the Federal Trade Commission.

As always, Attorney General Ellison asks Minnesotans file a complaint about any scams they come in contact with to his office. Minnesotans with specific complaints about COVID-19-related price-gouging should use the complaint form dedicated to that purpose that can be accessed on the front page of Attorney General Ellison’s website.

Load comments