Ukraine phishing campaigns: 3 red flags of 2 common attacks

The Russian attack on Ukraine has spawned two especially common phishing campaigns. The first involves low-level phishes from fraudulent humanitarian organizations claiming to be helping war-displaced Ukrainian citizens. The other common technique involves a threat actor posing as an imperilled Ukrainian who needs money for themselves or their family to get to safety. We saw it in the pandemic. We’re seeing it again with the war in Ukraine. Milking catastrophe for an effective email attack campaign is standard operating procedure for shameless threat actors.

Ukraine is defending itself against Russian aggression, and people around the world are seeking ways to help. Charities and fundraisers have quickly sprung up to meet demand from those who’ve opened their hearts and are ready to open their wallets to relieve the Ukrainians' plight. But knowing which fundraiser is trustworthy and which is fraudulent is tricky.

Conflict is a breeding ground for malicious actors. The gears of social engineering are lubricated with emotionally triggering subject matter. We have seen multiple phishing campaigns in which attackers craft emails and attack sites that take advantage of people’s good intentions. The result is the swindling of desperately needed financial aid for Ukrainians.

We saw it in the pandemic. We’re seeing it again with the war in Ukraine. Milking catastrophe for an effective email attack campaign is standard operating procedure.

The Russian attack on Ukraine has spawned two especially common phishing campaigns. The first involves low-level phishes from fraudulent organizations claiming to be directing aid to people suffering from the war. The other common technique involves a threat actor posing as an imperilled Ukrainian who needs money for themselves or their family to get to safety.

These are plausible situations. Indeed, there are legitimate organizations and individuals who need help and are seeking aid. It's important to know how to recognize the signs of a fraudulent request.

Here are a few examples of scams going around at the moment:

1. This fake UNICEF charity for children email can be identified as a scam by the sender address, which was a randomly generated Gmail account, not a UNICEF account.


Screenshot of fake UNICEF charity for children email

2. An attacker posing as a Ukrainian soldier in Kharkov pleading for funds to help his family emigrate to a safe country.

Screenshot of translation of message from an attacker


3. This UNHCR email attack was sent from a domain that does not belong to them.

Screenshot of UNHCR email attack

These scams hook into your empathy to reel in a profit. It’s easy to get baited into helping, but “helping” the wrong people is just funding criminals. Knowing how to identify these scams enables truly helpful decisions.

Staying off the hook:

1. Who is sending this email?

It is highly unlikely that an individual affected by the war would contact you directly, so check the sender and consider how this person would have known your email address.

If the sender seems to be a non-governmental organization or a charity, check the domain of the sender. These organizations won’t email you from free email accounts such as Outlook or Gmail.

2. Where does the link lead?

If a donation link leads to an address you do not recognize, think twice. Do not give your credit card information to a site that is not a known charity or NGO.

3. What form of payment is accepted? Beware of Bitcoin-only

Many scams (and some real fundraising emails) ask you to donate via cryptocurrency. The difference between a scam and a real charity is that a real charity will not accept donations EXCLUSIVELY through cryptocurrency. Real charities will accept traditional bank transfers. Malicious actors prefer cryptocurrencies. The most surefire approach is to research the charity online and not to trust links sent through email.

Cryptocurrency addresses can be searched online through sites like Blockchain Explorer. If a crypto wallet asking for donations has zero currency in it, it is most likely a scam.
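The three checks above can be run mechanically over a reported email. The following is an added example for triage, not Hoxhunt's code; the allow-list of official domains, the free-mail list, the keyword patterns and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list: verify official domains yourself before relying on them.
OFFICIAL = {"unicef": "unicef.org", "unhcr": "unhcr.org"}
FREE_MAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
CRYPTO = re.compile(r"\b(bitcoin|btc|cryptocurrenc(y|ies)|crypto wallet)\b", re.I)
BANK = re.compile(r"\b(bank transfer|iban|credit card|debit card)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)

def under(host, domain):
    # True if host is the domain itself or one of its subdomains.
    return host == domain or host.endswith("." + domain)

def red_flags(raw_email):
    """Return the article's three red flags found in a plain-text email."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    # Text of all non-multipart parts (transfer encodings are not decoded here).
    body = "\n".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    seen = (name + " " + msg.get("Subject", "")).lower()
    claimed = [dom for org, dom in OFFICIAL.items() if org in seen]
    flags = []
    # 1. Who is sending this email?
    if claimed and sender in FREE_MAIL:
        flags.append("sender-free-mail")
    elif claimed and not any(under(sender, d) for d in claimed):
        flags.append("sender-domain-mismatch")
    # 2. Where does the link lead?
    for url in URL.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if not any(under(host, d) for d in OFFICIAL.values()):
            flags.append("unrecognized-link:" + host)
    # 3. Is cryptocurrency the only payment method offered?
    if CRYPTO.search(body) and not BANK.search(body):
        flags.append("crypto-only")
    return flags

# Constructed sample modelled on the fake UNICEF email described above.
SAMPLE = """From: UNICEF Children Fund <kq7x2r9z@gmail.com>
Subject: Help the children of Ukraine

Donate in Bitcoin only: http://donate-relief.example/unicef
"""

if __name__ == "__main__":
    print(red_flags(SAMPLE))
```

A clean result only means none of these three heuristics fired; researching the charity independently, as described above, remains the deciding step.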

Hoxhunt response

We are seeing what experts have predicted: The fighting in Ukraine contains an unprecedented cyber war dimension. Fallout will seep into inboxes around the world. Our Threat Analysis Team examines tens of thousands of reported phishing emails a week, including ones like these, and has captured tens of millions of threats to date. Working together with our powerful machine learning model, they cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the awareness training that will protect your company from phishing scams.
