The development of phishing during the COVID-19 pandemic: An analysis of over 1100 targeted domains

Raphael Hoheisel*, Guido van Capelleveen, Dipti K. Sarmah, Marianne Junger

*Corresponding author for this work

Research output: Contribution to journalArticleAcademicpeer-review

32 Downloads (Pure)


To design preventive policy measures for email phishing, it is helpful to be aware of the phishing schemes and trends that are currently applied. How phishing schemes and patterns emerge and adapt is an ongoing field of study. Existing phishing works already reveal a rich set of phishing schemes, patterns, and trends that provide insight into the mechanisms used. However, there seems to be limited knowledge about how email phishing is affected in periods of social disturbance, such as COVID-19 in which phishing numbers have quadrupled. Therefore, we investigate how the COVID-19 pandemic influences the phishing emails sent during the first year of the pandemic. The email content (header data and html body, excl. attachments) is evaluated to assess how the pandemic influences the topics of phishing emails over time (peaks and trends), whether email campaigns correlate with momentous events and trends of the COVID-19 pandemic, and what hidden content revealed. This is studied through an in-depth analysis of the body of 500.000 phishing emails addressed to Dutch registered top-level domains collected during the start of the pandemic. The study reveals that most COVID-19 related phishing emails follow known patterns indicating that perpetrators are more likely to adapt than to reinvent their schemes.

Original languageEnglish
Article number103158
Number of pages17
JournalComputers & Security
Early online date25 Feb 2023
Publication statusPublished - May 2023


  • COVID-19
  • Cybercrime
  • Dutch firms
  • Pandemic
  • Pattern shifts
  • Phishing
  • UT-Hybrid-D


Dive into the research topics of 'The development of phishing during the COVID-19 pandemic: An analysis of over 1100 targeted domains'. Together they form a unique fingerprint.

Cite this