Phishing in the Time of COVID-19

Published on 08 Jul 2020

Updated on 08 Jul 2020

CyberSense is a monthly bulletin by CSA that spotlights salient cybersecurity topics, trends and technologies, based on curated articles and commentaries. CSA provides periodic updates to these bulletins when there are new developments.


COVID-19 has forced individuals, businesses and governments to rapidly adopt new technology tools and systems to maintain business continuity. This in turn increases their ‘attack surface’, and exposes them to new cybersecurity risks – often without adequate mitigations in place.

As the pandemic continues to grip headlines around the world, threat actors have taken advantage of the pandemic to carry out cyber-attacks against their targets. Earlier editions of CyberSense have outlined how threat actors have capitalised on the pandemic, and targeted the nascent work-from-home ecosystem. This edition of CyberSense takes a closer look at key trends surrounding COVID-related phishing lures*.

* Phishing is a common technique used by threat actors to trick people (typically through e-mails) into divulging personal information, transferring money, or installing malware.

Global Phishing Trends

CSA’s research corroborates observations by cybersecurity companies that COVID-related malicious activity, including phishing attempts, rose globally, and closely tracked the real-world impact of the pandemic. From March to April 2020, cybersecurity company RiskIQ reported thousands of newly registered domains (NRDs) containing COVID-related keywords; Palo Alto Networks classified 86,000 of the 1.2 million NRDs it observed as “risky” or “malicious”. CSA likewise observed sharp spikes in malicious COVID-related URLs from February 2020 onwards.

In addition, threat actors evolved their tactics, expanding the range of spoofed websites from general pandemic references to broader themes. Popular online shopping and streaming services (e.g. Amazon, Netflix) were commonly spoofed during government lockdowns, as threat actors attempted to capitalise on the increased demand for these services. In fact, many malicious URLs combined general pandemic keywords with payment and email themes for added saliency.

Threat actors were also observed to carry out targeted, email-based malware campaigns. In May 2020, Microsoft reported on a spear-phishing campaign, in which emails containing “WHO COVID-19 SITUATION REPORT” attempted to download and run NetSupport Manager Remote Access Tool (RAT) – a tool which would allow attackers to take control of the victims’ devices. IBM similarly observed a TrickBot email malware campaign purporting to inform employees of changes to the US Department of Labor’s Family and Medical Leave Act due to COVID-19.

Figure 1: Sample phishing email on "WHO COVID-19 SITUATION REPORT". Source: Microsoft Security Intelligence.



In line with global trends, CSA observed over 1,500 malicious phishing URLs targeting Singapore from March to May 2020. This was more than double the number from the preceding three months. These included URLs attempting to spoof entities whose services were in greater demand during Singapore’s circuit-breaker period, such as online shopping and payment services. Separately, the Singapore Police Force (SPF) reported over 151 phishing scams between 7 Apr and 7 May 2020, more than five times the number in the first five months of 2020.

Threat actors may find it more lucrative to spoof multi-national companies with a global presence, so as to cast a wider net for potential victims. While the overall number of malicious phishing URLs spoofing Singapore entities is small relative to those spoofing multi-national companies, phishing remains a prevalent threat to members of the public and enterprises.

In late June 2020, Singapore was reportedly named as one of six countries to be targeted in a global phishing campaign. Based on the report, phishing emails would be sent from a spoofed email account from the Ministry of Manpower to businesses, offering additional support of S$750 for their employees.

Figure 2: Phishing email purportedly targeting Singapore. Source: CYFIRMA.



As many important aspects of our lives move to cyberspace, companies and individuals may wish to refer to CSA’s advisory on staying Cyber-Safe for the Singapore General Election 2020 for important cyber hygiene measures we can adopt in this sensitive time. 

For more information on the rise of cyber threats capitalising on the COVID-19 pandemic, readers may refer to the newly launched Singapore Cyber Landscape 2019 report.



CYFIRMA, IBM, Microsoft, Palo Alto Networks, RiskIQ, ThreatPost, Tech Republic, ZDNet