The spread of coronavirus is prompting companies to caution employees about cyber scams created to capitalize on concerns over the outbreak.

Mastercard Inc. started warning employees of such scams in mid-February. Chief Security Officer Ron Green said reminders about how to avoid falling for phishing attacks or social-engineering schemes are necessary given widespread worry about the illness.

“Anytime there’s an event of significance where people are curious or anxious, these are moments that fraudsters leverage,” Mr. Green told WSJ Pro.

Attackers try to disguise their campaigns as genuine emails from companies and business partners. “They’re trying to fall in, camouflage with the legitimate messages,” said Sherrod DeGrippo, senior director of threat research and detection at cybersecurity firm Proofpoint Inc.

Many criminal techniques appeal to a person’s emotions, Mr. Green said. This could be an unsolicited phone call offering face masks at a low price, to try to gather personal details that could expose the individual or the company. Or it could be an email purporting to come from an official organization, urging the recipient to click on a link to find out about diagnosed Covid-19 cases in the region.

“Just about everyone has been using it, from bad marketers trying to sell people masks, all the way to organized crime and everyone in between because it’s such a trending issue that people might be lured to open messages about it,” said Limor Kessem, executive security adviser at International Business Machines Corp.’s security arm.

From a criminal’s viewpoint, Mr. Green said, “if I can get to your curiosity, greed, fear—the baser instincts we have—you’ll overcome your training.”

Corporate security leaders trying to combat malware and fraud as the new coronavirus spreads should reinforce cybersecurity hygiene and inform colleagues about new twists on basic fraud schemes, experts said. Here are some tips:

1. Clarify how the company will communicate during the outbreak. This will help employees spot suspicious messages or social-engineering attempts.

2. Note what to watch for, such as email that spoofs the Centers for Disease Control and Prevention or the World Health Organization, common tactics in recent weeks. The safer move is to visit the organizations’ websites for information.

3. Remind employees about training basics, such as not clicking on links in emails from people they don’t know. “Reminders add a whisper in your ear,” Mr. Green said. “When you see email trying to evoke an emotional response, you’ll have something that says, ‘Oh yeah, I heard about this.’”

4. Test often. Every month, Mastercard’s security group tests employees, from Chief Executive Ajay Banga on down, to see how they handle phishing email. The best actions: Delete or forward suspect messages to the security team. With every failure, training escalates from immediate electronic instruction to in-person hand-holding, Mr. Green said. Fail tests nine times—or trigger real infections three times—and that’s that. “You can’t work here at Mastercard. The lines are clear and bright,” he said.

5. Be careful. Some scammers use real contact information, or elements of it, for the people or organizations they probe. Employees shouldn’t call any numbers in the email to check if they are legitimate, said IBM’s Ms. Kessem. Most genuine notices sent by major institutions will also be published on their websites, she said.

Write to Kim S. Nash at kim.nash@wsj.com, James Rundle at james.rundle@wsj.com and Catherine Stupp at Catherine.Stupp@wsj.com