When coronavirus caused shut-in consumers to rely heavily on e‑retailers, online scam activity—such as phishing, malware distribution and domain spoofing—grew by 33%.

The COVID-19 pandemic has created new opportunities for online criminals targeting e-retailers and their customers. As ecommerce traffic and purchases surged after governments around the world imposed stay-at-home directives, total monthly online fraud attempts rose and the scammers made online retailing their top target.

During the 104 days from Dec. 30, 2019, through April 12, 2020, the total monthly volume of malicious online activity—such as “phishing” emails and domain spoofing—worldwide grew 33%, according to a study from cybersecurity company Mimecast Ltd. Retailers were hit harder than any other sector by malware and domain spoofing and were a close second to manufacturers in total detections, Mimecast says. Worldwide, malicious activity detections for the retail/wholesale sector were 498,521 for the period examined, compared with 501,708 for manufacturers. In the U.S., those numbers were 231,791 and 262,470, respectively, the company reports. Mimecast compiled the data from examining what it detected from the more than 36,000 organizations using its services. 

It’s unusual for online criminals to focus so heavily on the retail/wholesale sector outside the holiday season, says Carl Wearn, head of risk and resilience for e-crime and cyber investigation at Mimecast. Generally, sectors like banking and professional services get the most attention. 

But when stores closed due to the widespread stay-at-home directives, consumers went online and made record online purchases of things like food and household essentials. Overall, U.S. online sales increased 49% in April over the prior year, according to Adobe Analytics.

All that coronavirus related traffic suddenly made online retailers a very appealing target, Wearn says.


“Criminals are opportunists, they go after the biggest opportunity,” Wearn says. And for the crooks, he says, finding and executing internet scams is a full-time job. 

Criminals were attracted to people working from home

In addition to the increased traffic to retail websites, a critical factor attracting criminals was the increase in stress, compounded by millions of people either unemployed or working from home, Wearn says. The result was a surge in “phishing” emails—those that try to attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity. Domain-spoofing is also on the rise. The number of blocked malicious domains were generally 500 or less in January 2020 and grew to almost 4,500 per day on several days in mid-March. Mimecast’s blocking activity blocked more than 115,000 spoofed domains during the period analyzed, more than half of which were COVID-19-related. 

Domain spoofing occurs when a scammer appears to use a company’s domain name to impersonate the company or one of its employees. Criminals do this by mimicking a company’s logos and design elements in emails and websites. Spoof emails contain links to domain names intended to seem legitimate. Scammers set up the sites with prompts to enter sensitive data, such as credit card numbers.

During the pandemic, criminals turned to imitating major retail brand websites, such as the ecommerce site Walmart Inc. (No. 3 in the 2020 Digital Commerce 360 Top 1000) and Costco Wholesale Corp. (No. 16), Mimecast found. The goal: Steal from unsuspecting buyers as they seek to buy essentials online, Wearn says.


During the period Mimecast examined, the company says its software detected a 55.8% increase in blocked clicks to malicious URLs by Mimecast software and a 35.2% increase in malware detection. Impersonation detections grew by 20.3% and spam email messages increased 26.3%.

Much of the increase in fraudulent activity was related to the coronavirus pandemic. Among the scams Mimecast detected were:

  • Fraud campaigns exploiting users working at home intended to entice them to click on unsafe links by promising information about the coronavirus
  • Spam messages offering fake or non-existent goods such as protective masks or COVID-19 cures
  • More than 60,000 COVID-19-related fake domains early January through April 12, 2020

In a later report, Mimecast says it has already detected several phishing campaigns aimed at employees returning to work as stay-at-home orders start to ease in some places. The malicious emails claim to provide information about new pandemic-related office policies, with the goal of installing malware or stealing credentials.


How to protect against online criminals

Because email is so often used to spread malware and links to fraudulent sites, it’s important for employers to train employees to be wary of even legitimate-looking emails, Wearn says.

“Never ever click a link in an email, even from a trusted source,” Wearn says. Instead of using a link, he says, employees—especially those working from home—should use their browsers to go directly to trusted websites, avoiding attempts to trick them into visiting nefarious ones.

Other recommendations from Mimecast include:

  • Protect work devices: Employers should train employees working from home to lock their screens when away from their computers or other work devices. Employees also should be careful not to let children, family members or other unauthorized users use work devices due to the risk of “unintentional or inadvertent compromise via human error.”
  • Be wary of any electronic communications: Employees must be vigilant to the potential for criminals to collect data via means outside of a protected work-related network—particularly by telephone. In this way, they will try to draw personnel to more traditional scams or fraudulent behavior. 
  • Be vigilant about Emotet malware: Emotet malware often infects computer systems using computer viruses delivered through email attachments. The infected email often is a legitimate-appearing reply to an earlier message sent by the targeted employee. Emotet-spreading emails, like phishing emails, are tailored to take advantage of current events. Mimecast says it has seen criminals spread the malware via emails relating to charitable donations for the recent Australian bush fires and “a wide range of varied campaigns in relation to the COVID-19 pandemic.”
  • Change passwords regularly: Emotet malware uses a compendium of weak or commonly used passwords to “brute force” its way into a system. A brute force attack attempts to decode encrypted data, such as a password, by trial and error. To prevent this, Mimecast says, companies should set up networks to use strong passwords and change all default user names and passwords on equipment linked to the system. “Threat actors in recent ransomware attacks have made specific comments in relation to the particularly poor or lax password regimes, and security, maintained by organizations they have successfully breached,” the Mimecast report says. Ransomware is a form of malware that locks users out of their files or devices and demands an anonymous online payment to restore access.
  • Pay attention to workers’ home networks: Scammers can target home networks, aiming to “piggyback” into business networks. So, users should be wary of using any non-encrypted email or applications from home, Mimecast says. Employees should, for example, change the default passwords on their home routers and enable encryption and any firewall protection. 

The Mimecast report says “cyber hygiene” has never been more important. “In the coming weeks much of the uncertainty will gradually be replaced by a clearer picture of the steps necessary to return to (as close to) normality as reasonably possible as it can be, prior to a [COVID-19] treatment being widely available,” the report says. “This may include further periods of ‘lockdown’ and so it will be critical to keep the developing situation under continuous review and for organizations to be prepared to sustain remote working and refresh user awareness skills over a prolonged people whilst doing so.”