The Rise of COVID-19 Phishing Attacks: How Cyber Adversaries Are Adopting Phishing to Generate New Threat Vectors

By Brad Slavin, CEO of DuoCircle LLC

While COVID-19 has locked all people in their homes, with office premises closed, cyber adversaries seem to have a field day using the pandemic as a launchpad for phishing attacks. Organizations and individuals must be aware of the detective, preventive, and protective measures to safeguard their information assets against these attacks.

As the COVID-19 pandemic assumes global proportions, it is natural for people to become anxious. People naturally turn to the internet to acquire the latest information on coronavirus related drugs, vaccines, etc. At the same time, social engineering attacks have been on the rise as malicious actors worldwide keep developing sophisticated tools and techniques to entice employees as well as individuals to reveal sensitive and confidential information, such as personally identifiable information (PII), financial data, or user account credentials. Let’s dive deep into the gravity of the situation before discussing what the best anti-phishing solutions and techniques are that organizations and individuals can make use of.

Some Hard Facts and Statistics on Phishing Attacks Based On COVID-19

Researchers reveal that cybercriminals are primarily employing three ingenious phishing attack methodologies to target victims. They are brand impersonation, scamming, and business email compromise (BEC). Here are a few spine-chilling statistics on COVID-19 phishing scams that have made headlines around the world.

  • There has been an unprecedented rise in phishing scams with more than 854,000 confirmed phishing and counterfeit web-pages reported in Q1 of 2020. Besides, more than 4 million pages fall in the category of suspicious pages.
  • The alarming issue is that nearly 30% of these confirmed phishing pages (approximately more than a quarter of a million) pertain to COVID-19 alone.
  • Though the first COVID-19 related phishing scam surfaced by the end of January 2020, the figure for March 2020 alone is 9,116, a 667% increase over February 2020.
  • Eighteen million malware and phishing emails and more than 240 million COVID-19-related spam email messages are sent over Gmail daily.
  • Citizens in the US have lost somewhere around $12 million to coronavirus phishing attacks. And in the UK, it’s over £2 million.

Healthcare – The Most Vulnerable Industry Domain to Phishing Attacks

COVID-19 has kept the entire world on tenterhooks. The FUD (the fear, uncertainty, and doubt) and the non-availability of a reliable cure or vaccine is the primary reason for the panic created in people’s minds. Thus, when they encounter an email message seemingly originating from an influential source like the US Center for Disease Control and Prevention, WHO, or other prominent health agencies, people rarely check their authenticity. Recently, there has been a surge of phishing emails sent by these malicious actors impersonating healthcare professionals and organizations, making healthcare one of the most vulnerable sectors in coronavirus times.

Offer for Loans and Grants – The Most Effective COVID-19 Phishing Attack

The pandemic has thrown the world economy in disarray. It has affected almost every segment of society. Under these circumstances, people eagerly look forward to Governmental aid such as EMI moratoriums, loans, and other giveaways. Malicious actors have been taking advantage of these situations and are trying to lure people to fictitious websites, where the unsuspecting users end up providing vital information leading to severe data breaches. These attacks are seen in the form of phishing emails, ransomware, or banking malware attacks.

Donation Solicitations – The Most Dangerous COVID-19 Phishing Scam

Global pandemics like COVID-19 bring out the humanitarian side of people in a substantial way. Generally, people donate generously towards their respective National Disaster Relief Funds, and research funds set up by their governments. There have been numerous incidents of cybercriminals taking advantage of such philanthropic activities. One of the most notorious modus operandi is to design fundraising pages that not only mislead users into donating money but also steal sensitive personal information. Using such information, like names, email addresses, phone numbers, credit card details, and internet banking usernames and passwords, these malicious actors accept money using the names of disaster relief funds.

COVID-19 Vaccine and Cure Scam – The Most Ingenious COVID-19 Phishing Attack

While researchers are struggling to find an antidote for the coronavirus, numerous fake websites advertising medicines and vaccines have sprung up on the internet. More than 20,000 new COVID-19-related domains have been registered in the past few weeks. These websites also claim to sell COVID-19 personal protective kits like face masks, sanitizers, hand gloves, medical combinations like Hydroxychloroquine, Remdesivir, and so on. Such fraudulent websites ask for the full payment in advance and unsuspecting people end up parting with their money only to discover that they have been a victim of cybercrime. Amazon itself reported over a million fake products in this category over the past couple of months.

Detective, Preventive and Protective Measures Individuals & Enterprises Can Adopt

Cybercriminals play on the psychology of the victim by pushing in email messages with COVID-19 related information that come along with a malicious attachment or infectious URL. Knowing some of these threats could be the best defense in thwarting such attempts:

  • Reliance on Trusted Sources: Rely on authentic or official websites to get reliable information and updates about the coronavirus. Be scrupulous in clicking on the links provided on articles and blogs that share information on COVID-19.
  • Refrain from The Temptation To Click/Download: Sometimes, ignoring unsolicited emails is the best phishing prevention method. Downloading or opening malicious attachments or clicking on an infectious URL allows malicious actors to gain access to network systems.
  • Knowing the Phishing Techniques: The latest tactic deployed by malicious actors is to set up live tracker websites from which people can purportedly get live coronavirus updates. Though the websites appear legitimate, they are scamming attempts that end up with the user compromising their confidential information.
  • Phishing Protection Solutions: The best way to deal with phishing threats is to install a trusted anti-phishing solution to thwart any attempt made by adversaries.
  • Phishing Awareness: Phishing awareness training plays an integral part in safeguarding information assets. Enterprises should educate and train their employees, customers, and third-party vendors on types of phishing, anti-phishing techniques, and phishing prevention best practices, etc.

Post COVID-19 – What Does the Future Look Like?

With the lockdown restrictions in place almost everywhere, a significant proportion of people already have their presence online, from shopping, ordering food, and essential items to work from home. The shift to a virtual workplace has become more pronounced than before, as a majority of online businesses are already allowing their employees to WFH, which are likely to follow suit post-COVID-19 as well, considering the numerous benefits and overall increase in the productivity of the employees.

As a downside, though, cyber adversaries have seized the opportunity to target as many people as possible. Hence, one can expect a surge in phishing attacks and scams in times to come. Therefore, one should exercise extreme caution and neutralize the vulnerabilities to mitigate the information risks encountered because of COVID-19. Deploying an effective anti-phishing solution is the need of the hour to tackle these attacks better, and has never been so significant.

About the Author

Brad Slavin AuthorBrad Slavin, CEO of DuoCircle LLC. Brad Slavin is a security industry veteran and the General Manager at DuoCircle LLC a cloud email security firm. Before joining DuoCircle, Brad began his career in network security by founding a regional ISP in California and was the co-founder of wireless wardriving and security software; Which was the recipient of the  “Editor’s Choice” – Laptop Magazine & Ziff-Davis i3 Award for innovation.

Brad can be reached online at and our company website

July 26, 2020

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

12th Anniversary Top InfoSec Innovator & Black Unicorn Awards for 2024 are now Open! Finalists Notified Before BlackHat USA 2024...