(Photo Illustration by Filip Radwanski/SOPA Images/LightRocket via Getty Images)

Google is warning the public to stay on guard against COVID-19 emails that actually contain malware. Last week, the company’s Gmail service blocked about 18 million malware and phishing emails per day.

“This is in addition to more than 240 million COVID-related daily spam messages,” Google product managers disclosed on Thursday.

The messages are designed to exploit the public’s fears around the pandemic. According to Google, cybercriminals have been creating fake emails that pretend to be the World Health Organization and ask for donations. However, the same emails are also designed to trick you into downloading a malicious file to take over your computer.

Other emails can pose as your company’s IT staff to manipulate you into visiting a malicious link concerning COVID-19 and its effect on payroll. The cybercriminals are also creating schemes around the economic stimulus checks small businesses have been receiving from the US government. In the example below, you can see they attached a malicious .htm file to an email concerning COVID-19 payment.

The good news is that Gmail continues to block over 99.9 percent of the spam and phishing emails that try to reach users. However, the company’s spam filter isn’t perfect; 0.1 percent of 18 million suggests that thousands of malicious COVID-19 emails are still reaching some Gmail users each day.

To bypass spam filters, hackers are routinely tweaking their emails with small changes to fool Gmail into letting the messages enter user inboxes. According to Google, 63 percent of malicious documents sent to Gmail users will technically be different from all previous bad attachments.

In response, the company has created a new AI-powered scanner that can better analyze emailed documents for signs of malicious behavior. If something harmful is detected, the scanner will automatically forward the email to your spam folder.

To stay safe, Google recommends Gmail users avoid downloading files you don’t recognize from your inbox to your PC. You can instead use Gmail’s built-in document viewer, which can activated by simply clicking the attachment. “Check the integrity of URLs before providing login credentials or clicking a link —fake URLs generally imitate real URLs and include additional words or domains,” Google adds.

For more protection, consider Google's free Advanced Protection Program, which is designed to stop even the most elite hackers from hijacking your Gmail account.

Further Reading

Security Reviews