WHO COVID-19 Donation Scam - Abnormal Security

WHO COVID-19 Donation Scam

In this attack, attackers are impersonating the World Health Organization and asking for donations to their Bitcoin wallet to help fight the pandemic.

Quick Summary:

  • Platform: Office 365
  • Mailboxes: Between 10,000 and 20,000
  • Email Gateway: None
  • Email Security Bypassed: Office 365
  • Victims: Employees
  • Payload: Payload-less
  • Technique: Impersonation

What was the attack?

  • Email Attack: Attackers have spoofed the World Health Organization display name (from an account that they have likely compromised), and are reaching out requesting donations to their Bitcoin wallet to help fund efforts to fight the COVID-19 pandemic.
  • Payload: In the case of this email, the text itself is the payload. There are no links or attachments; the attackers are hoping that recipients won’t scrutinize the email as they might normally under less urgent circumstances.
  • Result: The World Health Organization does not collect donations via Bitcoin wallet, so any donations that victims make through this means are not actually going to fight COVID-19, and are just ending up in the wallets of these scammers.

Why is this attack effective?

  • Urgency: As with all COVID-19-related scams, these attacks are leveraging the urgency of fighting the COVID-19 pandemic. Attackers are hoping that this urgency means that recipients are less likely to scrutinize the emails they’re receiving.
  • Humanitarianism: These scammers also likely realize that many of us outside of the public health policy or healthcare professions feel helpless in the current global crisis. They’re therefore leveraging the goodwill of recipients and providing a course of action that recipients can take to help in this situation. Unfortunately, the donations that recipients make are going to the attackers, not victims or first responders to the COVID-19 pandemic.
  • Text payload: Attacks like this one often get through traditional email security solutions because there are no malicious links or attachments. The payload is the message in the email that spurs some kind of action on the part of the recipient.


Abnormal Attack Stories are real world examples of attacks that we’ve seen in the wild.

Related content