Skip to main content
Article | FINEX Observer

Client alert: COVID-19 and the phishing evolution

By Courtney Maugé | June 22, 2020

In this article, we discuss how phishing scams have evolved as a result of the COVID-19 pandemic.
Financial, Executive and Professional Risks (FINEX)
COVID 19 Coronavirus

In our April post, Client alert: Remote access, we provided guidance on the increased cyber risk felt by organizations due to the heavy reliance placed on VPNs and Remote Desktop Protocols to support the growing remote workforce.1 This has proven to be only one aspect of the heightened cyber risk exposure due to the COVID-19 pandemic. According to The State of Email Security Report for 2020, email continues to be the most popular attack vector for cybercriminals.2 Reports regarding phishing attacks have tripled since the concerns about COVID-19 became widespread and most IT companies believe that at some point they will become susceptible to a cyber-attack due to an email compromise.3 According to Willis Towers Watson’s 2019 Reported Claims Data, 63% of cyber incidents were caused directly by human error, and as such, understanding phishing scams will be critical as the effects of the pandemic unfold.

The evolution of phishing scams in the wake of COVID-19

Social engineering and phishing campaigns continue to be an effective method for cyber criminals to access protected networks because they feed upon human psychology and trust. COVID-19 has given cyber criminals a unique advantage in allowing them to prey upon the fears of not only small targeted groups, but across millions of Americans. Further, the sudden move to a remote working environment for many workers arguably has lead to increased distractions and the decreased likelihood that such workers would authenticate the validity of emails with nearby colleagues. In fact, it can be argued that COVID-19 opened up an entire new playground for cyber criminals. Thus, it should be of no surprise that in the first 100 days of COVID-19, intelligence data showed a 30% impersonation fraud increase.4 By the middle of April, reports showed cyber criminals had reached a peak of sending 1.5 million malicious emails per day relating to concerns stemming from the pandemic.5 Many experts declared the large volume of COVID-19 related scams the largest coalescing of cyber attacks to exploit a single theme.6

The spike in COVID-19 related phishing campaigns prompted the U.S. Department of Homeland Security’s Cyber Security Infrastructure Agency (CISA) to issue a report describing the different type of phishing campaigns companies should be on high alert for. The report warns companies to remain diligent regarding emails containing coronavirus in the subject line, COVID-19 related website links and COVID-19 related emails containing file attachments. 7 These warnings proved critical as security reports began to unveil successful COVID-19 related phishing attacks. For example, in early April, one observed campaign used socially engineered emails promising access to important information about cases of COVID-19 in the receiver’s local area. The emails evaded top email-detection software to spread malware stealing the user’s Microsoft log-in credentials. 8 A later analysis revealed cyber criminals were targeting individuals with emails appearing to come from the U.S. Department of Labor regarding changes to the Family Medical Leave Act, containing attachments deploying Trickbot Malware. 9 Further studies uncovered creative campaigns related to bonus reports, COVID-19 disaster relief, pandemic food distribution, office shut downs, FedEx packages, quarantine protocols, changes to insurance plans and canceled industry events. 10 Lastly, campaigns that give the appearance to come from trusted government sources such as the White House, Centers for Disease Control and Prevention, the World Health Organization and the Department of Health and Human Services continue to trend 11.

To make matters worse, COVID-19 related phishing emails can be very hard for an employee to spot. One study pointed out that most of the COVID-19 related phishing campaigns discovered appeared to come from IP addresses from within the United States. While it is possible that the IP addresses could have been manipulated, it points to a more concerning reality: when phishing campaigns stem from the same geographic region it is easier to mimic the culture and language. In other words, phishing campaigns are more likely to sound, look and feel like they come from legitimate sources. Not to mention, these emails may be more prone to bypass firewalls, meant to only block foreign IP addresses, and find its way into an employee’s inbox. Additionally, the same study found that many of the emails contained company logos, trademarks and copyrights, making them look almost identical to legitimate company emails12


Finally, amid growing cyber risk concerns, a Google search result review during the core months of the U.S. pandemic, showed an increased interest of individuals to commit cybercrimes. With more individuals facing financial uncertainty, searches related to hacking, scamming and other forms of cybercrime spiked. Breakout search terms such as “hacking course” and “ethical hacking course” reached record highs.13 The study leaves the ominous omen that the surge in cybercrimes has yet to hit its peak.

In short, COVID-19 has only exacerbated cyber criminals’ ability and desire to take advantage of the human element of cyber risk. As the fallout lingers, companies must remain vigilant and continue to inform employees of the increased social engineering risks tied to COVID-19.

Conclusions as the Economy Reopens

Threat actors continue to become more sophisticated in their tactics and will continue to exploit trends and global events to conduct phishing campaigns. While COVID-19 email subject lines will inevitably decrease as lockdowns are lifted, companies should continue to take risk mitigation that addresses the pandemic seriously. Further, as new global events take storm, companies should implement the lessons learned from COVID-19 into routine employee trainings and mock phishing campaigns. Employee understanding of how to spot and report email scams is critical to a company’s success in preventing cybercrime.

Nevertheless, companies should operate under the assumption that a social engineering attack may be successful and should be prepared to respond appropriately. Business continuity plans, as well as adequate crime and cyber insurance will be key in the event of a successful social engineering attack.

Companies should consult with a knowledgeable broker to understand available social engineering coverages and potential pre-breach services available within their policy. Willis Towers Watson offers various Cyber Crime Risk Solutions, as well as coverage expertise to prepare companies during these unprecedented times. Please reach out to a Willis Tower Watson broker for further information on mitigating cyber risk in the remote workspace environment.


1 Barberi, Robert O. 2020, 21 April. COVID-19 and the latest exploitation of remote access network structure. [online] Willis Towers Watson White Paper. Available at:

2 Mimecast. 2020. The State of Email Security 2020. Available at: content/the_state_of_email_security_report_2020.pdf?utm_source=pr&utm_medium=pr&utm_campaign=7013l000001N4dRAAS

3 Ibid.

4 Ibid.

5 Montalbano, Elizabeth. 2020, 21 April. Cyberattackers Ramp Up to 1.5M COVID-19 Emails Per Day. Available at:

6 Scroxton, Alex. 2020, 18 March. Coronavirus now possibly largest ever cyber security threat. Available at:

7 National Cyber Awareness System Alerts. 2020, 8 April. COVID-19 Exploited by Malicious Cyber Actors. Available at

8 Lemos, Robert. 2020, 8 April. After Adopting COVID-19 Lures, Sophisticated Groups Target Remote Workers. Available at:

9 Montalbano, Elizabth. 2020,1 May. TrickBot Attack Exploits COVID-19 Fears with DocuSign-Themed Ploy. Available at:

10 INKY. 2020. Around the World in 34 Phish: COVID-19 Phising Examples. Available at:

11 Beazley Insights. 2020 9, June. The enduring threat of ransomware. COVID-19 related phishing scams likely to dominate Q2. Available at:

12 Ibid.

13 Mikalauskas, Edvardas. 2020, 2 June. Data suggest unprecedented interest in hacking and cybercrime during pandemic. Available at:


Each applicable policy of insurance must be reviewed to determine the extent, if any, of coverage for COVID-19. Coverage may vary depending on the jurisdiction and circumstances. For global client programs it is critical to consider all local operations and how policies may or may not include COVID-19 coverage. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal and/or other professional advisors. Some of the information in this publication may be compiled by third party sources we consider to be reliable, however we do not guarantee and are not responsible for the accuracy of such information. We assume no duty in contract, tort, or otherwise in connection with this publication and expressly disclaim, to the fullest extent permitted by law, any liability in connection with this publication. Willis Towers Watson offers insurance-related services through its appropriately licensed entities in each jurisdiction in which it operates. COVID-19 is a rapidly evolving situation and changes are occurring frequently. Willis Towers Watson does not undertake to update the information included herein after the date of publication. Accordingly, readers should be aware that certain content may have changed since the date of this publication. Please reach out to the author or your Willis Towers Watson contact for more information.


Assistant Vice President, Broker

Contact Us