Updates from Threat Analysis Group (TAG)
Threat Analysis Group

Findings on COVID-19 and online security threats

Google’s Threat Analysis Group (TAG) is a specialized team of security experts that works to identify, report, and stop government-backed phishing and hacking against Google and the people who use our products. We work across Google products to identify new vulnerabilities and threats. Today we’re sharing our latest findings and the threats we’re seeing in relation to COVID-19.


COVID-19 as general bait

Hackers frequently look at crises as an opportunity, and COVID-19 is no different. Across Google products, we’re seeing bad actors use COVID-related themes to create urgency so that people respond to phishing attacks and scams. Our security systems have detected examples ranging from fake solicitations for charities and NGOs, to messages that try to mimic employer communications to employees working from home, to websites posing as official government pages and public health agencies. Recently, our systems have detected 18 million malware and phishing Gmail messages per day related to COVID-19, in addition to more than 240 million COVID-related daily spam messages. Our machine learning models have evolved to understand and filter these threats, and we continue to block more than 99.9 percent of spam, phishing and malware from reaching our users.

How government-backed attackers are using COVID-19

TAG has specifically identified over a dozen government-backed attacker groups using COVID-19 themes as lure for phishing and malware attempts—trying to get their targets to click malicious links and download files.
Location of users targeted by government-backed COVID-19 related attacks

Location of users targeted by government-backed COVID-19 related attacks

One notable campaign attempted to target personal accounts of U.S. government employees with phishing lures using American fast food franchises and COVID-19 messaging. Some messages offered free meals and coupons in response to COVID-19, others suggested recipients visit sites disguised as online ordering and delivery options. Once people clicked on the emails, they were presented with phishing pages designed to trick them into providing their Google account credentials. The vast majority of these messages were sent to spam without any user ever seeing them, and we were able to preemptively block the domains using Safe Browsing. We’re not aware of any user having their account compromised by this campaign, but as usual, we notify all targeted users with a “government-backed attacker” warning.

We’ve also seen attackers try to trick people into downloading malware by impersonating health organizations:

attackers impersonating health organizations

International and national health organizations are becoming targets 

Our team also found new, COVID-19-specific targeting of international health organizations, including activity that corroborates reporting in Reuters earlier this month and is consistent with the threat actor group often referred to as Charming Kitten. The team has seen similar activity from a South American actor, known externally as Packrat, with emails that linked to a domain spoofing the World Health Organization’s login page. These findings show that health organizations, public health agencies, and the individuals who work there are becoming new targets as a result of COVID-19. We're proactively adding extra security protections, such as higher thresholds for Google Account sign in and recovery, to more than 50,000 of such high-risk accounts.
Contact message from Charming Kitten and packrat phishing page

Left: Contact message from Charming Kitten. Right: Packrat phishing page

Generally, we’re not seeing an overall rise in phishing attacks by government-backed groups; this is just a change in tactics. In fact, we saw a slight decrease in overall volumes in March compared to January and February. While it’s not unusual to see some fluctuations in these numbers, it could be that attackers, just like many other organizations, are experiencing productivity lags and issues due to global lockdowns and quarantine efforts.

Accounts that received a “government-backed attacker” warning in 2020

Accounts that received a “government-backed attacker” warning each month of 2020

When working to identify and prevent threats, we use a combination of internal investigative tools, information sharing with industry partners and law enforcement, as well as leads and intelligence from third-party researchers. To help support this broader security researcher community, Google is providing more than $200,000 in grants as part of a new Vulnerability Research Grant COVID-19 fund for Google VRP researchers who help  identify various vulnerabilities.


As the world continues to respond to COVID-19, we expect to see new lures and schemes. Our teams continue to track these and stop them before they reach people—and we’ll continue to share new and interesting findings.