Abnormal Attack Stories #9: WHO COVID-19 Donation Scam

March 25, 2020

Abnormal Security

Abnormal Security

In this attack, attackers are impersonating the World Health Organization and asking for donations to their Bitcoin wallet to help fight the pandemic.

Quick Summary:

  • Platform: Office 365
  • # Mailboxes: Between 10,000 and 20,000
  • Email Gateway: None
  • Email Security: Office 365
  • Victims: Employees
  • Payload: Payload-less
  • Technique: Impersonation

What was the attack?

  • Setup: As the COVID-19 pandemic has spread, many organizations have requested donations to help them fight the virus. This includes the World Health Organization (which has a real fund for donations here: https://www.who.int/emergencies/diseases/novel-coronavirus-2019/donate).
  • Email Attack: Attackers have spoofed the World Health Organization display name (from an account that they have likely compromised), and are reaching out requesting donations to their Bitcoin wallet to help fund efforts to fight the COVID-19 pandemic.
  • Payload: In the case of this email, the text itself is the payload. There are no links or attachments; the attackers are hoping that recipients won’t scrutinize the email as they might normally under less urgent circumstances.
  • Result: The World Health Organization does not collect donations via Bitcoin wallet, so any donations that victims make through this means are not actually going to fight COVID-19, and are just ending up in the wallets of these scammers.

Why is this attack effective?

  • Urgency: As with all COVID-19-related scams, these attacks are leveraging the urgency of fighting the COVID-19 pandemic. Attackers are hoping that this urgency means that recipients are less likely to scrutinize the emails they’re receiving.
  • Humanitarianism: These scammers also likely realize that many of us outside of the public health policy or healthcare professions feel helpless in the current global crisis. They’re therefore leveraging the goodwill of recipients and providing a course of action that recipients can take to help in this situation. Unfortunately, the donations that recipients make are going to the attackers, not victims or first responders to the COVID-19 pandemic.
  • Text payload: Attacks like this one often get through traditional email security solutions because there are no malicious links or attachments. The payload is the message in the email that spurs some kind of action on the part of the recipient.


Abnormal Attack Stories are real world examples of attacks that we’ve seen in the wild.

Targeted Email Attack

(click to enlarge)

Techniques to Detect

(click to enlarge)

Subscribe to receive twice-monthly updates of the latest attacks we've detected in the wild:

Related content

COVID-19-related attack deep dives

Like our article? Share our content