Cybercriminals are posing as delivery companies and pretending to be affected by the COVID-19 pandemic as a means to trick potential victims into opening malicious emails attachments or revealing credentials on phishing websites.

Spam and phishing schemes that use postal- and shipping-themed lures are nothing new, but the coronavirus outbreak allows attackers to put a fresh, new and urgent spin on their malicious messaging, Kaspersky analyst Tatyana Shcherbakova explained in a blog post.

“Against the backdrop of the pandemic and the large number of genuine package delays, fake sites and e-mails have a good chance of success, especially if you really are expecting a package or if, say, shipment details were sent to your work e-mail and you have reason to think that a colleague might have placed the order,” Shcherbakova wrote.

“Your package has reach our warehouse and due to the coronavirus outbreak, you will need to come to our warehouse to get it, check the attachment for details,” said one recently observed spam email, written in broken English. But watch out: opening this attachment infects you with the Remcos remote access trojan. Meanwhile, a similar email designed to deliver Remcos blames the coronavirus for shipping problems and asks the recipient to confirm a document in order to receive a parcel that’s been held up.

Kaspersky also uncovered an email that urges recipients to provide missing information before a forthcoming government lockdown prevents completion of the delivery. This correspondence included a fake image of a shipping label, which in reality was executable ACE archive containing the Noon spyware program.

Other observed phishing emails used similar coronavirus-themed shipping lures to disseminate the Bsymem Trojan, which enables device takeover and data theft, and the Androm backdoor, which allows for unauthorized remote access.

The Kaspersky report also revealed examples of recently spotted phishing sites that imitate DHL and FedEx tracking pages while also referencing COVID-19 for additional plausibility. This includes a fake package-tracking portal page that contains a form for entering credentials. “Needless to say, entering credentials on this resource sends them to the scammers, and the fate of the package will remain unknown,” the report said.

Among other advice, Shcherbakova recommends that users avoid opening attachments or clicking links in emails from supposed delivery services. Instead, they should log in to their own personal accounts on the delivery service’s website or enter the web address of the service to check tracking numbers.