The development of phishing during the COVID-19 pandemic: An analysis of over 1100 targeted domains

To design preventive policy measures for email phishing, it is helpful to be aware of the phishing schemes and trends that are currently applied. How phishing schemes and patterns emerge and adapt is an ongoing field of study. Existing phishing works already reveal a rich set of phishing schemes, patterns, and trends that provide insight into the mechanisms used. However, there seems to be limited knowledge about how email phishing is affected in periods of social disturbance, such as COVID-19, in which phishing numbers have quadrupled. Therefore, we investigate how the COVID-19 pandemic influences the phishing emails sent during the first year of the pandemic. The email content (header data and HTML body, excl. attachments) is evaluated to assess how the pandemic influences the topics of phishing emails over time (peaks and trends), whether email campaigns correlate with momentous events and trends of the COVID-19 pandemic, and what hidden content reveals. This is studied through an in-depth analysis of the body of 500.000 phishing emails addressed to Dutch registered top-level domains collected during the start of the pandemic. The study reveals that most COVID-19 related phishing emails follow known patterns, indicating that perpetrators are more likely to adapt than to reinvent their schemes.


Introduction
The crisis resulting from the COVID-19 pandemic has had profound implications worldwide, on, among others, global health and health systems (Walker et al., 2020), the global social and economic situation, and almost every other aspect of daily life (Atkeson, 2020; Nicola et al., 2020). In particular, lockdown measures and social distancing have caused a great change in the routine activities of many people. For instance, in countries around the world, the pandemic had a dramatic impact on travel patterns, such as the number of trips, distances travelled, purpose of travel, and choice of travel mode (Cats and Hoogendoorn, 2020). There was a decrease in the use of cars and public transport, as well as an increase in walking and cycling, which involved more recreational trips. Other changes in activity patterns occur more in online shopping. Dutch data showed a shift in movements in time and space, but not necessarily in the number of trips that people have been making. For example, the pedestrian data show more walks in parks on the weekends while far fewer people walk on the streets (Cats and Hoogendoorn, 2020). Overall, the Dutch went out less often to buy groceries, shop, exercise, and visit people (de Haas et al., 2020). A lot of research shows that opportunities for crime and people's routine activities are relatively strongly related to crime. The amount of time individuals spent outdoors and the activities they are involved in are in strong correlation with their likelihood of becoming a victim of a broad variety of crime types, including property crime (Kennedy and Forde, 1990; van Kesteren et al., 2013), violence (Sherman et al., 1989; Tilley and Sidebottom, 2015), and fraud (Holtfreter et al., 2008). As COVID-19 changed opportunities for crime, it is plausible that the lockdown affected crime rates. This also suggests that the societal changes because of COVID-19 would also impact trends in crime-related activities.
* Corresponding author. E-mail address: r.e.hoheisel@utwente.nl (R. Hoheisel).
In the US (Ashby, 2020; Boman and Gallupe, 2020; Bullinger et al., 2020; Felson et al., 2020; Mohler et al., 2020) and in Canada (Hodgkinson and Andresen, 2020), countries with a more noncommittal approach to covid restrictions (e.g., lockdowns), declines in physical crime were indeed found during the pandemic, but overall results seemed to be relatively inconsistent. The studies show that there were usually no significant changes in the frequency of serious assaults in public or in the frequency of serious assaults in residences. In some US cities, there were reductions in residential burglary but little change in non-residential burglary (Ashby, 2020; Boman and Gallupe, 2020; Bullinger et al., 2020; Felson et al., 2020; Mohler et al., 2020). European studies seemed to find a stronger impact of the measures taken to fight the virus. In France, almost all crimes and the associated measures for about every type of crime showed a very strong decline during the lockdown. More specifically, fraud overall declined as well (InterStats, 2020). Similarly, in the UK victim surveys found a decline in crime of 32% (excluding fraud and cybercrime) and a similar decline of 31% in police-recorded crime. Fraud and computer misuse also fell by 16% (Office for National Statistics UK, August, 2020). These findings illustrate the extent to which offenders are responsive to the context and respond quickly and flexibly to changed circumstances. It seems plausible that the impact of crime is proportional to the extent to which stringent measures were taken by governments and followed up by citizens in each country. Stringency index numbers during the first lockdown (March 2020) provide an indication of this difference (Mathieu et al., 2020). This might explain the difference between the USA and Canada and Europe and suggest the impact of the lockdown on routine activities and opportunities in Europe and in North America.
https://doi.org/10.1016/j.cose.2023.103158 0167-4048/© 2023 The Author(s). Published by Elsevier Ltd. This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/).
Fewer studies investigated the impact of the COVID-19 crisis on cybercrime. While there was a decrease in physical-related crime activities (Europol, 2020), e.g., property crime, during the first COVID-19 outbreak in Europe, a noticeable shift and surge took place towards online fraudulent activities (Buil-Gil et al., 2020). A significant increase in particular was observed in phishing, which has quadrupled during the outbreak (APWG, 2020a) and has increased eightfold since then (APWG, 2022). In the Netherlands and other countries, phishing is considered a criminal activity and is actively prosecuted (Rechtsraak, 2022). Fraudsters have often "benefited" from disasters (Aguirre and Lane, 2019). To illustrate, attackers have made extensive use of the COVID-19 crisis to design phishing emails. Typical examples reported in the media are Zoom phishing emails, fraudulent CEO emails, and phishing emails aimed at healthcare institutions (APWG, 2020b). This sudden rise of COVID-19 phishing fraud as a global problem may be explained by the COVID-19 outbreak. That is because the social disturbance resulting from a disaster typically makes society more vulnerable to fraudulent activities and hence more susceptible to phishing attacks (Aguirre and Lane, 2019). We should be aware of the magnitude of impact these COVID-19 related fraudulent activities may cause, in particular because this impact is often underestimated (Lastdrager, 2018). Phishing, apart from its effectiveness in producing direct financial gain (Laan, 2021), is also the typical starting point that leads to successful cyber attacks and resulting data breaches, which are of course associated with all sorts of financial losses (CNBC, 2020; Lastdrager, 2018).
All such organizational as well as societal costs ask for preventive measures to increase resilience against cyberattacks, such as awareness campaigns, and the ability to timely scale customer support when novel phishing schemes or adaptions are noticed or expected.
Based on these observations, we must recognize the importance of analyzing new phishing behavior that appeared during the pandemic. Therefore, this study focuses on COVID-19 related phishing emails to understand better how attackers adapt to new societal conditions. This analysis produced two types of contributions. On the one hand, this paper provides insights that lead to revealing patterns of fraudulent characteristics that were applied in the phishing schemes, which may be used in support of societal awareness campaigns of phishing that reduce the societal costs of cybercrime. On the other hand, this paper shows that phishing scheme adoption is commonly observed, and seems preferable to novel scheme development. This paper further reflects on this adaption choice by attackers from multiple theory perspectives to explain this behavior.
The rest of this paper is organized as follows. Section 2 reviews the related work. Section 3 explains the research method. Section 4 presents the results of the COVID-19 phishing email analysis. Finally, Section 5 discusses all results followed by conclusions in Section 6 .

Related work
The increase in cyber attacks during the pandemic has triggered several studies researching how cybercriminals develop new attacking strategies and fraudulent operations. These new studies roughly focused on two types of cybercrime, i.e., cyber-dependent crime (Furnell et al., 2015) and cyber-enabled crime (Lallie et al., 2021); where cyber-dependent crime covers hacking, malware, and denial of service, cyber-enabled crime covers financial fraud, phishing, pharming, and extortion. This related work section provides a review of the literature related to cybercrime during the COVID-19 pandemic, with a focus on phishing.
A number of studies are conducted that aim to prevent cybercrime during the COVID-19 pandemic. In one case study by Groenendaal and Helsloot (2021) , cyber strength during COVID-19 is analyzed and possible approaches for improvement are discussed. The authors followed a well-accepted theory in cyber resilience, i.e., the resilience analysis grid proposed by Hollnagel (2017) . The grid allows organisations to measure the performance on four potentials: (i) anticipate, (ii) monitor, (iii) respond, and (iv) learn, as is suggested that the potentials are dependent and alignment would create better cyber resilience. In addition, several studies address the need for more awareness about cyber attacks given the increase in cyber attacks during the crisis. Alzubaidi (2021) contributed to this direction by surveying the level of cyber awareness in Saudi Arabia. The study discusses the most common security tools used by internet users and their cyber security habits. The authors recognized security awareness training is a must for different organizations, especially in the field of phishing due to the increase in cyber-attacks. Since cyber-criminals frequently use different mechanisms for online scamming, awareness about possible strategies contributes to protecting them from such crimes. This pandemic offered them a chance to exploit these attacking mechanisms and apply them to those already worried. Chawki (2021) performed case studies in the USA and the European Union and proposes plausible ways to safeguard online users from such attacks. The results from the cyber-criminal forums indicate that healthcare agencies were prime targets for such fraudulent activities where attackers gain visibility on confidential documents about patients ( Alghamdi, 2022;Chawki, 2021;Gafni and Pavel, 2021 ).
Other researchers compared the criminal patterns during the COVID-19 outbreak to other pandemic outbreaks. Levi and Smith (2021) compared COVID-19 with the Spanish flu pandemic of 2018 by analyzing the common features that lead to different crimes impacting society. Along with the Spanish flu, they focused their interest on other flus that occurred in the world, such as the Asian flu, the Hong Kong flu (1968), and the Swine flu (2009-10). The comparative approach also resulted in the identification of new types of attacks during this pandemic and a proposal of best practices to avoid such attacks.
Furthermore, phishing emails have been analysed in several studies with the aim to detect time patterns during the COVID-19 pandemic. To understand diverse attacks during the pandemic, Lallie et al. (2021) proposed a world timeline analysis of COVID-19 (from 2019 to 2020). They searched for patterns occurring along with COVID-19 related events in different countries (e.g., China, the UK, Spain, the USA, Italy, and the Philippines). Events included, among others, government announcements and articles and reports published by the media. The study concluded that 86% of cyber-attacks out of 43 involved phishing and/or smishing. The researchers further identified new malicious website domain registrations with Corona-related keywords and proposed a few solutions to diminish the cyber-attack rate. Cybercrime and its trends are further analyzed by Kemp et al. (2021) based on the reported crime in the UK. They considered the timeline analysis which further can be deviated based on the number of crimes reported during the moment. Also, Venkatesha et al. (2021) performed a similar study by identifying the cause of social engineering attacks during the COVID-19 pandemic and proposed a few techniques to avoid such attacks. The work of Sood et al. (2021) detects trends in the total number of malware and phishing-related messages blocked by Google during April 2020 in both emails and communication tools such as Google Meet (Kumaran and Lugani, 2020).
Another group of studies focuses on identifying and aggregating the modus operandi used in phishing emails during the COVID-19 pandemic. A survey by Al-Qahtani and Cresci (2022) reviewed 54 studies about phishing attacks and analysed the modus operandi and the proposed techniques for detecting COVID-19 phishing, smishing, and vishing attacks. As indicated in the Microsoft Digital Defense Report, phishing attacks consist of almost 70% of all cyber attacks (Kaliňák, 2021). The work of Akdemir and Yenal (2021) analysed 208 COVID-19 phishing emails in April 2020 and identified 9 subjects that were used to target organizations and individual users, being fear appeals, urgency cues, source credibility, authority, liking, social proof, consistency commitment, scarcity, reciprocity (many of Cialdini's principles; Cialdini and Sagarin, 2005). The study by Sharevski et al. (2022) explored, in a laboratory setting, the susceptibility of people to phishing via QR codes, a technology often used during the COVID-19 pandemic.
There is also attention to the automated classification of COVID-19 related phishing emails. Since phishing has grown to substantial sizes, multiple researchers (Alsmadi and Alhami, 2015; Hamid and Abawajy, 2013; Karim et al., 2020) considered machine-learning algorithms such as K-means, OPTICS, K-modes, etc. for email clustering (Zubair et al., 2021) and classifying the email contents according to similarity of features to quickly gain insights into the malicious activities performed by the attackers, i.e., the modus operandi. There are behaviour-based classification methods (Hamid and Abawajy, 2011; Toolan and Carthy, 2010) investigated along with the content analysis of the emails (Basnet and Sung, 2010; Fette et al., 2007), and email profiling methods studied to detect patterns in, for example, important email features such as hyperlinks, email subject (Gansterer and Pölz, 2009; Hamid and Abawajy, 2013; Yearwood et al., 2012), header and domain features (Karim et al., 2020), and URLs in the message content (Afandi and Hamid, 2021; Ispahany and Islam, 2021). The literature further reports on systems and case studies of automatic phishing classification (i.e., to determine if emails are phishing or not). In that regard, Karim et al. (2020) proposed an automated framework for anti-spam detection that exploited unsupervised methodologies. Ispahany and Islam (2021) proposed a machine-learning classification technique for detecting malicious URLs. In the proposed framework of Xia et al. (2021), COVID-19 related keywords were identified to detect malicious domains. In addition, Afandi and Hamid (2021) exploited the KNN algorithm to detect phishing hyperlinks by considering the four datasets PhishTank, Kaggle, SpyCloud, and DomainTool. However, their study was limited to five features of the hyperlinks, which leaves room for a more detailed analysis. Further, Kawaoka et al. (2021); Pletinckx et al. (2021) machine learning methods, such as decision trees and fuzzy logic, to learn the malicious URLs. Also, natural language processing techniques (Sahingoz et al., 2019) and Shannon's entropy (Verma and Das, 2017) are used to determine the maliciousness of a URL. At last, a case study on Twitter data explores the malicious and inconsistent URLs during COVID-19 to identify link-sharing patterns (Horawalavithana et al., 2021). The authors suggest improving topic moderation techniques on Twitter data that mitigate the intent of poor players in promoting malicious activities. Besides, one can further investigate the quality of these poor players and how they can effectively plan their road map during the crisis.
Finally, studies have been conducted that concentrate on the crime patterns and the shifts to online crime in general ( Hardyns et al., 2021 ), and victimization during COVID-19. Hardyns et al. (2021) , for example, studied common crime patterns such as burglary, violence, vehicle theft during the pandemic in Belgium. They found that, for example, cases of domestic violence and the general crime rate reported during the Corona period were similar from 2015 to 2019 but growth was observed for cybercrimes, particularly phishing and online scams. Therefore, victimization should also be taken into account to understand and analyze the activities performed by attackers, as the fraud committed during COVID-19 affects the victims socially and mentally. Such a study was conducted by Kennedy et al. (2021) by surveying 2200 Americans during COVID-19. Although the paper discusses the facts of the victimization and proposes solutions to mitigate cybercrimes at a particular time of COVID-19, the authors also point out that proposed solutions are consistent with studies conducted in other periods before the pandemic.
As discussed in the literature ( Aleroud and Zhou, 2017 ), many studies have been conducted to understand and analyze the behavior of cybercriminals. Furthermore, various methods have been proposed to mitigate malicious activities. However, a thorough analysis on understanding the characteristics of phishing emails during COVID-19 is lacking. In the present study, we analyze the behaviour of cyber criminals concerning phishing emails received at firm domains in the Netherlands. In addition, the research examines the impact of COVID-19 on phishing emails by considering various trends and events announced by the government.

Methodology
With the importance stressed for analyzing new phishing behavior that appeared during the pandemic, the present study focuses on COVID-19 related phishing emails including an analysis of the contents and a trend analysis, to understand better how attackers adapted to new societal conditions. The goal of the analysis is to create insights into applied patterns abusing the COVID-19 pandemic to deceive people with their phishing schemes. This leads to the following key research question: which effects did COVID-19 have on patterns in phishing emails?
The key research question is concerned with creating explanations for applied practices (behavior) of cyber criminals in a time of crisis. This is a typical interpretive question since it aims to gain in-depth knowledge of actor behavior in their natural context while developing an empathetic understanding of their actions (Goldkuhl, 2012). As phishing is an illegal activity in most countries, it is difficult to directly interact with actors on a large scale to study the patterns of behavior. Also, in the Netherlands, email phishing is a criminal activity that is actively monitored and prosecuted (Fraudehelpdesk, 2023; Rechtsraak, 2022). The data trail phishers create, however, prevails as a rich source to gain a large-scale overview and create insights into COVID-19 related phishing. Therefore, we adopt a quantitative research approach. The data collection is based on a document (email) analysis and the empirical method selected is content analysis. We intentionally do not differentiate between perpetrators' motivations and specific types of criminals such as nation-state actors, hacktivists, or people motivated by the thrill of criminal activities. Although it would be interesting to determine the motivation of the sender of the phishing emails studied, our data does not allow us to identify the perpetrator, nor do we consider it to be the scope of this study. The study aims to understand the emergence and adaption of content related to COVID-19.

Dataset description
The dataset used in this research contains COVID-19 related phishing emails. This data was collected by Tesorion. The emails are collected via 1105 top-level domains that were previously managed by Tesorion, but are taken out of use. The data was collected between Jan 17th 2020 and 8th of March 2021. The selection of this data is based on the initial start of collection by Tesorion just before the European pandemic outbreak until about one year after the first COVID-19 restrictions were announced in Europe. The inclusion criteria for emails to be classified as COVID-19 related emails was based on a list of COVID-19 related keywords such as Covid-19, corona, or Pandemic (for the full list see Appendix A). The list of keywords has been derived from several other papers and online sources discussing corona-related phishing and corona-related spam (Chen et al., 2020; Cinelli et al., 2020; Kouzy et al., 2020; Kousha, Thelwall; Mimecast, 2020). The total number of corona related emails received to these domains is 1.076.541. The emails contain the following key features that are used for the analysis: mail_id, received_date, from_address, subject, filename, hash, plain_body, html_body, to_domain_id, and attachment.

Pre-processing data
To prepare the data, we follow the guideline for pre-processing as described in Gibert et al. (2016). This resulted in the following filtering and pre-processing steps for this study (see Fig. 1 for process flow):
1. First, we divide the initial data set (1.076.541 emails) into emails having attachments (148.295) and those without (928.246). This study focuses solely on the analysis of emails without attachments to gain insights as we are highly interested in the body content of emails that can be further analyzed by NLP techniques. Attachment analysis is much more software injection oriented, and falls beyond the scoping of this paper, but is addressed later as future work.
2. On the COVID-19 related email data (without attachments) we apply a number of filters to the html body content with the aim to retrieve the textual content only so that it can be used for topic modelling. The following functions are applied in order: (i) use of the beautifulsoup python package (Crummy, 2021) to get textual contents of emails, (ii) remove email addresses, (iii) remove all non-ascii characters, (iv) lowercase all words, (v) remove urls, (vi) remove html special characters, (vii) remove all types of brackets, (viii) remove unnecessary white spaces, tabs and newlines, (ix) remove (e)numerations, (x) remove punctuation.
3. The initial dataset contains emails in different languages such as English, Dutch, French, and German. Therefore, we determined the language of each email using the Python package CLD3 (Google, 2020) and only applied further pre-processing on English emails. By targeting only English language-based emails we reduce the challenges of analyzing emails in other languages while doing topic clustering. That further helped to achieve the research goals effectively. This step reduces the dataset to 594.895 emails.
4. In addition, we removed emails with duplicate email body, which further reduced the data set to 104.228 unique emails.
5. In the next step, we determined for the emails which of them are phishing emails. This was achieved with the help of the VirusTotal (VirusTotal, 2020) API, resulting in the identification of 29.171 phishing emails. VirusTotal is to date considered one of the top-performing tools for classifying phishing emails (Choo et al., 2022a). Current studies evaluate the accuracy of the VirusTotal phishing classification to be at 81.72% (Choo et al., 2022a). To determine whether a URL is regarded as phishing, VirusTotal queries over 70 antivirus scanners and services to return whether and how many services flagged a submitted URL as malicious (VirusTotal, 2022). The topic model analysis, further described in Section 3.3, is based on those phishing emails. The motivation for taking all phishing emails (including similar emails) as the basis for the topic model analysis is to consider all possibly relevant topics.
6. To prepare for topic analysis, we removed common words from the email body to derive a more refined set of words determining topic clusters. Firstly, we remove all common words and stop words based on the NLTK corpus (NLTK, 2021). Secondly, we filter the 35.000 least significant words according to Term Frequency Inverse Document Frequency (TFIDF) (Luhn, 1957; Spark Jones, 1972). This number was determined through human experimentation. Finally, we remove keywords that had too much overlap with other clusters when indicated by at least 2 authors of this paper, with the goal to make topic clusters more distinct from each other. The keywords removed are: "view", "email", "click", "offer", "shop", "free", "com", "open", "sale", "house", "health", "detail", "unsubscribe", "company", "store", "app", "address", "buy", "receive", "day", "delay", "business", "south", "said", "product", "delay", "game", "week", "new", "test", "covid", "coronavirus", "trade", "united", "best", "service", "time", "change", "online".
7. In the next step, we removed phishing emails which do not have an identical but very similar email body, using the discrete cosine similarity measure (Manning et al., 2008). The goal of this step is to reduce noise to better identify existing trends. We used a similarity value of 0.95. This number is determined through human inspection (Akhtar et al., 2017) about the effectiveness of duplicates removal (reviewing small samples of emails over the similarity value and whether these concern near duplicates or not). This refers to searching for an optimal True Positive/False Positive rate based on the parameter setting (here similarity value), but on a small sample rather than the full dataset since the data is not annotated for similar items and doing so would require severe efforts. The removal reduced the phishing emails to 11.765, and formed the basis for the trend and timeline analysis (see Sections 4.2 and 4.2.2).
8. After having identified meaningful patterns, a set of emails remained in which potentially more patterns could be found. Therefore, we removed identified patterns as well as emails that can be grouped together but do not describe a technical or semantic pattern used by criminals (see Section 4.5). As an example, we identified around 100 Google Alert emails, which have possibly been falsely classified as phishing. This step reduced the dataset size to 7.397 emails.
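The body-cleaning order of step 2, the exact-duplicate removal of step 4 and the 0.95 cosine near-duplicate filter of step 7 can be sketched as follows. This is an added example, not the authors' code: it uses the standard-library HTML parser in place of beautifulsoup, raw term counts as the vector representation, a guessed pattern for enumerations, and treats a similarity of 0.95 or higher as a near duplicate; the sample bodies are constructed, and steps 3, 5 and 6 are left out.

```python
import re
import string
from collections import Counter
from html.parser import HTMLParser
from math import sqrt


class _VisibleText(HTMLParser):
    """Collects text nodes, skipping <script>/<style> (stand-in for beautifulsoup)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # decodes &amp; and similar
        self.parts = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


_PUNCT = str.maketrans(string.punctuation, " " * len(string.punctuation))


def clean_body(html_body):
    """Apply filters (i)-(x) of step 2 in the order the paper lists them."""
    parser = _VisibleText()
    parser.feed(html_body)
    parser.close()
    text = " ".join(parser.parts)                                # (i) text only
    text = re.sub(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", " ", text)    # (ii) addresses
    text = text.encode("ascii", "ignore").decode("ascii")        # (iii) non-ASCII
    text = text.lower()                                          # (iv) lowercase
    text = re.sub(r"(?:https?://|www\.)\S+", " ", text)          # (v) URLs
    text = re.sub(r"&#?\w+;", " ", text)                         # (vi) leftover entities
    text = re.sub(r"[\[\](){}<>]", " ", text)                    # (vii) brackets
    text = re.sub(r"\s+", " ", text)                             # (viii) whitespace
    # (ix) enumerations: assumed to be stand-alone "1." / "2)" style markers
    text = re.sub(r"(?<!\S)\d{1,2}[.)](?=\s|$)", " ", text)
    text = text.translate(_PUNCT)                                # (x) punctuation
    return re.sub(r"\s+", " ", text).strip()


def similarity(text_a, text_b):
    """Cosine similarity of raw term-count vectors (representation is an assumption)."""
    a, b = Counter(text_a.split()), Counter(text_b.split())
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm = sqrt(sum(v * v for v in a.values())) * sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0


def drop_near_duplicates(texts, threshold=0.95):
    """Keep the first email of every group whose similarity reaches the threshold."""
    kept = []
    for text in texts:
        if all(similarity(text, other) < threshold for other in kept):
            kept.append(text)
    return kept


def preprocess(html_bodies, threshold=0.95):
    cleaned = [clean_body(body) for body in html_bodies]
    unique = list(dict.fromkeys(c for c in cleaned if c))  # step 4: exact duplicates
    return drop_near_duplicates(unique, threshold)         # step 7: near duplicates


# Constructed sample bodies (not from the dataset): 0 and 2 are identical after
# cleaning, 1 differs from 0 by one extra word, 3 is unrelated.
SAMPLE_BODIES = [
    "<p>Dear customer, your COVID-19 relief payment is pending. Confirm your "
    "account at http://example.test/a1 or write to help@example.test today.</p>",
    "<p>Dear customer, your COVID-19 relief payment is pending. Confirm your "
    "account now at http://example.test/b2 or write to info@example.test today.</p>",
    "<div>DEAR CUSTOMER, your COVID-19 relief payment is pending. Confirm your "
    "account at https://example.test/zz or write to x@example.test today.</div>",
    "<p>1. Order certified face masks (FFP2) &amp; sanitizer. 2. Free shipping "
    "this week!</p><style>p{color:red}</style>",
]

if __name__ == "__main__":
    for body in preprocess(SAMPLE_BODIES):
        print(body)
```

The pairwise comparison is quadratic in the number of emails, which is workable for a few tens of thousands of bodies but would need blocking or an approximate index at larger scale.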

Analysis approach
In order to investigate how attackers use COVID-19 keywords in their phishing schemes, we searched for a model that can represent texts of different sizes in a feature space that clustering algorithms can work with (see Fig. 1, topic modelling). We decided on using a Doc2Vec (Le and Mikolov, 2014) method in combination with the clustering algorithm k-means (Lloyd, 1982), similar to the approaches by Budiarto et al. (2021) or Wang and Kwok (2021). The choice for selecting Doc2Vec over other methods, such as bag-of-words (Harris, 1954) to represent textual data, was its ability to incorporate the semantics of a text in its model (Le and Mikolov, 2014). In the course of the analysis, we realized that this method does not work well with our data. The used clustering method (k-means) could not find meaningful clusters. We did not investigate in detail why Doc2Vec did not work on the data used in this study; however, we suspect that the quality of the data in terms of large differences in lengths of emails, semantically incorrect emails (seemingly randomly combined text blocks) and emails having multiple topics, was not good enough to create satisfying results. As a result we tried a popular statistical model, Latent Dirichlet Allocation (LDA) (Blei et al., 2003), to find clusters (topics) in the dataset. The standard Gensim LDA model (Řehůřek, 2021) is used in combination with the pyLDAvis (Mabey, 2021) library to visualize the topic clusters. In order to get the ideal number of clusters, we tried several values to see with which number of clusters we get a reasonable outcome (see Section 4.1).
The second and third analyses concern trends and timelines. We tried to understand whether phishing emails follow any trends or relate to specific events. To get insights into the general timeline of phishing emails, we used standard python visualization libraries such as matplotlib (Matplotlib.org, 2022) to create time plots. When we observed spikes or other interesting points in the graphs, we investigated manually what types of emails are part of that spike. This research further investigates whether phishing campaigns made use of current events related to corona. As a reference, we used the timelines of COVID-19 measures and other related events of the Dutch government (Ministerie van Volksgezondheid, 2023) and the WHO (World Health Organization, 2022). For the verification, we inspected the days where a high number of emails were received and manually checked whether the emails mention any events around that day that are listed in the timelines. The fourth analysis searches for date patterns. The fifth analysis is concerned with hidden content. During the topic model analysis, we observed that emails contained hidden text, e.g., white letters on white background. We then used regular expressions to find more of this type of emails to get a better insight into this pattern (see Section 4.3). Finally, we assessed if dominant patterns or trends would have distorted data that would impair our view on existing patterns. We subtracted the identified patterns to assess if the remainder contained interesting patterns. For the verification process, we formed two assumptions with which we could verify whether our findings are proven to be correct.
1. If we remove dominant patterns and other frequently occurring types of emails (see Table 1), the general trend remains unchanged in the data. That means, the trend is not shaped by dominant data, but appears as a general trend (caused by a larger group of attackers/attacks).
2. If we remove the dominant pattern, there are no other spikes appearing in the data. That means, it is likely that we have caught the largest campaigns that are event/date specific.
Fig. 2. Overview of topics and how they were merged. Advertisement: COVID-19 related emails that advertise various types of products to the recipient. News: COVID-19 related emails containing news to the reader on all sorts of topics. Information: COVID-19 related emails with the goal to inform the reader about various business topics/situations/regulations etc. Government: COVID-19 related emails that concern political or governmental affairs. Medical: COVID-19 related emails that are focused on health or healthcare in a broader sense. Other: COVID-19 related emails to which no general topic was found.
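A regular-expression search for hidden text of the kind named in the analysis approach (white letters on a white background) might look like the following. This is an added example, not the authors' expressions: the indicator names, the assumed white default background and the sample bodies are constructed here, and the zero font size and non-rendered checks generalize beyond the one case the paper mentions. It inspects inline `style` attributes only and does not resolve CSS classes or stylesheets.

```python
import re

# Inline style attributes, single- or double-quoted.
STYLE_ATTR = re.compile(r"""\bstyle\s*=\s*(["'])(.*?)\1""", re.I | re.S)
NAMED_COLORS = {"white": "#ffffff", "black": "#000000"}


def normalize_color(value):
    """Map a few common CSS colour spellings onto #rrggbb for comparison."""
    v = re.sub(r"\s+|!important", "", value.lower())
    if v in NAMED_COLORS:
        return NAMED_COLORS[v]
    short = re.fullmatch(r"#([0-9a-f]{3})", v)
    if short:
        return "#" + "".join(ch * 2 for ch in short.group(1))
    rgb = re.fullmatch(r"rgb\((\d+),(\d+),(\d+)\)", v)
    if rgb:
        return "#%02x%02x%02x" % tuple(min(int(g), 255) for g in rgb.groups())
    return v


def parse_style(style):
    """Split 'a: b; c: d' into a dict of lower-cased declarations."""
    declarations = {}
    for part in style.split(";"):
        name, sep, value = part.partition(":")
        if sep:
            declarations[name.strip().lower()] = value.strip().lower()
    return declarations


def hidden_text_indicators(html_body, default_background="#ffffff"):
    """Return (indicator, style) pairs for inline styles that hide text.

    default_background is an assumption: mail clients usually render on white,
    so white text without an explicit background counts as hidden.
    """
    findings = []
    for match in STYLE_ATTR.finditer(html_body):
        style = match.group(2)
        decl = parse_style(style)
        background = decl.get("background-color") or decl.get("background")
        bg = normalize_color(background) if background else default_background
        if "color" in decl and normalize_color(decl["color"]) == bg:
            findings.append(("text-matches-background", style))
        if re.fullmatch(r"0+(?:\.0+)?(?:px|pt|em|rem|%)?", decl.get("font-size", "")):
            findings.append(("zero-font-size", style))
        if decl.get("display") == "none" or decl.get("visibility") == "hidden":
            findings.append(("not-rendered", style))
    return findings


# Constructed sample bodies (not from the dataset).
SAMPLES = {
    "white_on_white": '<p>Update your details.</p>'
                      '<span style="color:#FFF; background-color: white">'
                      'weather sports recipe holiday</span>',
    "white_no_background": '<span style="color: rgb(255, 255, 255)">filler words</span>',
    "zero_font": "<div style='font-size:0px;color:#333'>filler words</div>",
    "benign": '<p style="color:#222222; font-size:14px">Visible text</p>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, [kind for kind, _ in hidden_text_indicators(body)])
```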

Analysis: patterns and potential explanations
This section presents and interprets the results of this study. First, the results of the topic model are presented in Section 4.1 , followed by an overview of the number of received phishing emails during the time frame of the dataset ( Section 4.2 ). Subsequent sections discuss correlations between phishing emails and COVID-19 related events, as well as findings in domains, time and date of received emails ( Sections 4.2.1 -4.2.3 ). Following this, Section 4.3 highlights identified trends and patterns. Then, we conduct the verification ( Section 4.4 ). The chapter ends with a summary of the identified patterns ( Section 4.5 ).

Topic analysis
The topic analysis clustered all emails classified as phishing emails in 22 topics, which were then merged to 17 clusters to finally arrive at 6 unique high-level topics (see Fig. 2 ). The LDA algorithm was used to identify the most satisfying number of topics. In order to assess the coherence of the formed topics in a technical way, we relied on metrics such as the C_V metric, UMASS and normalized pointwise mutual information (NPMI) ( Röder et al., 2015 ), with values 0.582, −2.799, and −0.00376 respectively. Röder et al. (2015) suggest that NPMI is in this regard the best topic coherence metric for optimization. Obtaining a score close to zero is a good result, but should be seen in the context of the data source. To determine the 'goodness' of topic independence, we relied on the visual inspection of 50 randomly selected emails from each topic/cluster, maintaining the balance between the effort and the number of emails in each topic. If there was an explanatory pattern among the emails, e.g., the majority concerns Nigerian prince scams, we accepted a topic cluster as reasonably coherent. Even though the topic clusters were initially perceived as sufficiently coherent, certain topics were so closely related that they could be merged together and in a following step associated with a more general topic, as seen in Fig. 2 . The process of merging these topics was carried out in two steps: (i) from 22 to 17 to find sufficiently distinct topics, and (ii) from 17 to 6 to group more refined topics in a more general way. The colored numbers in Fig. 2 refer to the size of the topic in relation to the cumulative size of all 6 topics. The blue number is based on the phishing dataset and the red one on the reduced dataset where similar emails have been removed (see Fig. 1 ). Figure 3 shows the size of each of these clusters over time, based on the same dataset as the topic model.
It becomes clear that the number of COVID-19 related phishing emails is highest at the beginning of the pandemic in the Netherlands. Especially emails with health related topics (medical) show a high increase decrease during this period. This might indicate that phishers were particularly framing emails around medical services or goods at the beginning of the pandemic when those products were in high demand. Figure 3 shows an increase of the topics 1) information, 2) news, 3) advertisement, and 4) medical, related to the two lockdowns in the Netherlands (start 'intelligent lockdown' 23rd March-31 May 2020, and 'full lockdown' 15th Dec 2020-23rd Jan 2021), while the topics 5) government, and 6) other, remain relatively constant. Figure 4 shows the number of COVID-19 phishing emails over the time period in which the phishing emails were collected. The figure shows some spikes on days or short periods in which the number of COVID-19 phishing emails is substantially higher than during other periods.

Timeline overview
An example of one of these spikes is on March 26th, 2020. Of all the emails received on that day, almost 80% have similar characteristics. These mails are sent from the same domain ('unfortunatedeadly.icu'), contain a hidden pixel, and have similar elements within the HTML body to arrange the formatting of the phishing email but with different unintelligible textual content. All these emails are trying to scare the reader into buying face masks. Other spikes, such as 6th of July 2020 and 14th of December, are also caused by phishing campaigns but with an alternative characteristic pattern and phishing scheme (i.e., fake news headlines with link to a store (6th), and selling home warranty protection plans (14th)). If we decompose the peaks in the analysis of Fig. 4 into the topic clusters forming the peak, we observe that those peaks are constructed primarily by one topic cluster, as seen with the peak on March 26th. That suggests that the peaks are the result of a phishing campaign.

Timeline correlated COVID-19 events
We analyse correlations between events concerning measures or other events regarding the COVID-19 pandemic and the contents of phishing emails. The initial assumption was that some spikes and trends (in Fig. 4 ) would correlate with specific events. However, none of the spikes could be traced back to corona-related events using the approach explained in Section 3.3 . It seems, therefore, that most large phishing campaigns are not event-related and last a few weeks, and that the launching of new campaigns follows a steady pacing pattern, resulting in a continuous steady amount of COVID-19 phishing emails. All the spikes (in Fig. 4 ) could be explained by phishing campaigns that were sent out with slightly altered content but in a similarly structured format. We did find trend alternations associated with corona-related events.
• The number of phishing emails takes a sudden rise from the 12th of March. The rise is likely associated with national awareness and announcement of pandemic entrance and the consequential political decisions taken regarding pandemic control ( Cucinotta and Vanelli, 2020 ).
  - On the 12th March a press conference was held in The Netherlands in which the first nation-wide strict measures were announced (e.g., canceling events and closing higher education).
  - On the 16th March followed a TV speech of the Dutch prime minister (Mark Rutte) in which he addressed the nation about the notion of the COVID-19 virus (the last address to the Nation was in the 1973 oil crisis).
• From April 2020 the trend is slowly decreasing until August 2020, after which it stabilizes.
• The low amount of COVID-19 related emails in the summer months could be caused by the ease of restrictions during that time (email is less read and people are less scared of COVID-19 hence fall for phishing schemes).

Date patterns
Working patterns of cyber-criminals are considered when dates, time (in hour), and/or number of emails seem to correlate.
As showcased in Fig. 5 , there is a growth pattern in COVID-19 phishing emails between 9:00 (strongest increase) and 17:00 (strongest decrease after the plateau), reflecting the "9:00 to 17:00" workweek, the common working pattern (before COVID-19) of many organizations (i.e., the start for Dutch organizations is generally at 8:30 and the end at 17:00, with a half an hour break at 12:30-13:00). Remarkable is the highest peak at 11:00 (a little after the second coffee break, on average starting 10:30 and lasting some 10 to 15 min). The peak is followed by a 'lunch time' dip from 12:00-13:00, followed by a plateau from 14:00 to 16:00. The second slight peak at 16:00 may be explained by phishers aiming for the 'getting home early to pick up my kid rush'. This way it may be easier to deceive people, and secondly it may provide more time before the phishing is discovered, since the employee went home, leaving work tasks and taking off their work minds. The distribution on the weekend is more varied and coincides with the 11:00 peak during working days. In addition, it shows that also on the weekend most emails are received during working hours. There are two hypotheses to explain the highlighted patterns between 9:00 and 17:00 of Fig. 5 . On the one hand, it could be that criminals believe that following a usual working day makes their phishing more effective, but the emails are sent automatically. On the other hand, it could reflect the working hours of criminals, showing that they also follow a '9:00-17:00' job and send emails during their working hours.
In line with Ramzan and Wüest (2007) and Lastdrager (2018) , we notice a sharp drop of nearly 50% in received emails during the weekend as reflected in Fig. 6 . Figure 7 shows the number of phishing emails containing URLs with the domains listed in the legend. For this analysis, the 5 most occurring phishing domains are selected. The lifetime of the domains varies greatly. For example, all emails with phishing URLs from 'kiolyduke.casa' and 'unfortunatedeadly.icu' are received in a span of less than 4 h. Phishing campaigns lasting for several hours to a few days is in line with the findings of other researchers, such as McGrath and Gupta (2008) ; Moore and Clayton (2007) ; Oest et al. (2020) . In contrast, emails containing phishing URLs from the 'covidvirus.guru' domain appeared over several months. The extended use of the domains 'edmcn.cn' and 'app1.ftrans01.com' is likely due to those being domains of content sharing providers.

Hidden text analysis
The motivation of identifying hidden text is to recognize new phishing schemes adopted by attackers during the pandemic.
The first phishing scheme we found obfuscates text by coloring it white on a white background, as shown in Box 1 , making it invisible to the reader.
For some of the hidden text found in the HTML files there is a logical explanation for its presence. For example, many emails make use of the 'HTML Email Preheader Text', which sets the content that appears as a small line of text after the subject line in an email inbox by inserting a hidden directly after the element ( Mailtrap, 2022 ).
Example 1. Hidden text.

Some emails contain the small font-size (usually 1 or 2 pixels, with the exceptional case of 0.001 px) as well as the white color trick. The hidden texts are either a collection of nonsense words (refer to Example 1 ) varying from a few words to a paragraph of text, or short texts taken from online sources, e.g., news websites such as BBC.com.
In many phishing emails, we observe the appearance of these small samples of non-sense text repeatedly within a single email. It is likely that these fragments are used to circumvent spam-filters by adding seemingly reliable data into the mail to disguise real phishing intentions.
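The hidden-text search described above can be sketched as follows. This is an added example, not the authors' code or regular expressions: it flags inline-styled white-on-white text and font sizes of at most 2 px as described in this section, additionally treats `display:none`/`visibility:hidden` as hidden (a generalization), and treats hidden text that is the first text in the body as a likely preheader. The sample emails, function names and the threshold `min_fragments` are assumptions.

```python
import re
from html.parser import HTMLParser

VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "wbr"}
NOT_RENDERED = {"head", "style", "script", "title"}
WHITE = r"(?:#fff(?:fff)?|white|rgb\(\s*255\s*,\s*255\s*,\s*255\s*\))"
WHITE_VALUE = re.compile(rf"\s*{WHITE}\s*(?:!important\s*)?$", re.I)
# The lookbehind keeps "background-color" from being read as "color".
COLOR = re.compile(r"(?<![-\w])color\s*:\s*([^;]+)", re.I)
BACKGROUND = re.compile(r"background(?:-color)?\s*:\s*([^;]+)", re.I)
FONT_PX = re.compile(r"font-size\s*:\s*(\d*\.?\d+)\s*px", re.I)
INVISIBLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def classify_style(style):
    """Return why an inline style hides its text, or None if it does not."""
    if INVISIBLE.search(style):
        return "not-rendered"
    size = FONT_PX.search(style)
    if size and float(size.group(1)) <= 2:      # 1-2 px, down to 0.001 px
        return "tiny-font"
    color = COLOR.search(style)
    if color and WHITE_VALUE.match(color.group(1)):
        # White text on a coloured button is visible; only flag it when the
        # element sets no background or a white one. Ancestor backgrounds and
        # <style> sheets are not resolved (limitation of this sketch).
        bg = BACKGROUND.search(style)
        if bg is None or WHITE_VALUE.match(bg.group(1)):
            return "white-on-white"
    return None


class HiddenTextFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []         # open elements as (tag, hiding reason or None)
        self.fragments = []
        self.seen_text = False  # any rendered-position text seen so far

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        style = dict(attrs).get("style") or ""
        inherited = self.stack[-1][1] if self.stack else None
        self.stack.append((tag, classify_style(style) or inherited))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate unbalanced markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        text = " ".join(data.split())
        if not text or any(t in NOT_RENDERED for t, _ in self.stack):
            return
        reason = self.stack[-1][1] if self.stack else None
        if reason:
            # Hidden text that opens the body is the usual preheader position.
            self.fragments.append({"reason": reason, "text": text,
                                   "preheader": not self.seen_text})
        self.seen_text = True


def find_hidden_text(html):
    finder = HiddenTextFinder()
    finder.feed(html)
    finder.close()
    return finder.fragments


def assess(html, min_fragments=2):
    """Summarise hidden text; repeated non-preheader fragments are suspicious."""
    frags = find_hidden_text(html)
    salting = [f for f in frags if not f["preheader"]]
    return {"hidden": len(frags), "preheader_like": len(frags) - len(salting),
            "suspicious": len(salting) >= min_fragments}


# Constructed sample bodies (not taken from the dataset).
SAMPLE = """<html><head><style>p{margin:0}</style></head><body>
<div style="display:none;max-height:0;overflow:hidden">Protect your family today</div>
<p>Certified face masks, limited stock.</p>
<span style="color:#ffffff;font-family:Arial">lantern orbit mellow quartz river</span>
<a href="https://shop.example/" style="background-color:#0066cc;color:#fff">Order now</a>
<p style="font-size:0.001px">Officials said on Tuesday that talks would resume</p>
<div style="COLOR: white"><b>amber fold nickel</b> trace</div>
</body></html>"""
BENIGN = ('<html><body><div style="display:none">Your March invoice is ready</div>'
          '<p>Hello, see attached.</p>'
          '<a style="color:#fff;background:#333" href="#">View</a></body></html>')

if __name__ == "__main__":
    for name, body in (("sample", SAMPLE), ("benign", BENIGN)):
        print(name, assess(body))
```

The preheader heuristic keeps a legitimate newsletter with a single hidden preview line from being flagged, while repeated hidden fragments later in the body are counted as salting.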
The emails that adopted the hidden text are frequently about face mask offers (see Fig. 9 (d)). Those emails are sent from different addresses and have different contents and subjects, which could indicate that those are created by different adversaries. However, there is no easily observable relationship that explains the coherence between the use of the phishing pattern (hidden text) and selling of masks.
Another remarkable observation is that a substantial part of the mails (although from different senders and relating to different subjects) make use of the trick of including a clickable image (via i.imgur.com, see Fig. 8 ) that forwards the reader to the intended malicious website. The image is positioned at the bottom section of the mail and displays a fictive clickable link stating "Unsubscribe Here". Variants display "Manage subscriptions" or "if you do not wish to continue receiving email newsletters click here".

Verification
By inspecting the resulting dataset (dominant patterns removed), we observe that the trends discussed in Section 4.2.2 (emails are received mostly during working hours, large decrease of emails on the weekends) are also present, which supports assumption 1. For assumption 2, we examined whether there are any spikes appearing in the timeline of received phishing emails (similarly as in Section 4.2.1 ). We could identify multiple peaks, however, we could not find any major patterns or relations in these emails to any specific event, hence, conclude there is support for our second assumption. However, we did find emails sharing a characteristic. For example, we identified emails containing base64 encoded instructions, or emails with bit.ly links and news headlines. Table 1 lists all our findings in that regard.
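The spike decomposition of the timeline overview and the two verification assumptions can be reproduced on header data as in the following added example, which is not the authors' code. It assumes spikes are days above three times the median daily volume, that a campaign is identified by its sender domain, and that the hour is read in the time zone of the Date header; all addresses and counts are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parseaddr, parsedate_to_datetime
from statistics import median


def parse(headers):
    """(Date header, From header) pairs -> (ISO day, hour, sender domain)."""
    rows = []
    for date_hdr, from_hdr in headers:
        try:
            when = parsedate_to_datetime(date_hdr)
        except (TypeError, ValueError):   # malformed Date header: skip the mail
            continue
        domain = parseaddr(from_hdr)[1].rpartition("@")[2].lower()
        rows.append((when.date().isoformat(), when.hour, domain))
    return rows


def find_spikes(rows, factor=3.0):
    """Days whose volume exceeds factor x median, with their dominant sender."""
    per_day = defaultdict(Counter)
    for day, _, domain in rows:
        per_day[day][domain] += 1
    totals = {day: sum(c.values()) for day, c in per_day.items()}
    if not totals:
        return {}
    baseline = median(totals.values())
    spikes = {}
    for day in sorted(totals):
        if totals[day] > factor * baseline:
            domain, count = per_day[day].most_common(1)[0]
            spikes[day] = {"total": totals[day], "dominant": domain,
                           "share": count / totals[day]}
    return spikes


def remove_campaigns(rows, spikes, min_share=0.5):
    """Drop every mail from a domain that dominates a spike day."""
    dominant = {s["dominant"] for s in spikes.values() if s["share"] >= min_share}
    return [row for row in rows if row[2] not in dominant]


def working_hours_share(rows, start=9, end=17):
    """Fraction of mails received between start (inclusive) and end."""
    return sum(start <= hour < end for _, hour, _ in rows) / len(rows)


def build_sample():
    """Constructed data: 10 mails/day for 10 days plus one 40-mail campaign."""
    tz = timezone(timedelta(hours=1))
    headers = []
    for day in range(20, 30):
        for i, hour in enumerate([3, 9, 10, 11, 11, 13, 14, 15, 16, 20]):
            when = datetime(2020, 3, day, hour, 5, tzinfo=tz)
            headers.append((format_datetime(when),
                            f"Shop {i} <info@sender{i}.example>"))
    for i in range(40):
        when = datetime(2020, 3, 26, 10 + i % 2, i, tzinfo=tz)
        headers.append((format_datetime(when), f"offers{i}@campaign-a.example"))
    headers.append(("not a date", "x@broken.example"))
    return headers


if __name__ == "__main__":
    rows = parse(build_sample())
    spikes = find_spikes(rows)
    print("spikes:", spikes)
    rest = remove_campaigns(rows, spikes)
    # Assumption 2: no spikes remain. Assumption 1: the working-hours trend stays.
    print("spikes after removal:", find_spikes(rest))
    print("working-hours share:", working_hours_share(rows), "->",
          working_hours_share(rest))
```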

Summary of patterns
We first provide an overview of different identified COVID-19 related patterns in Table 1 . Then, we show how the results of Sections 4.2.1, 4.2.2 and 4.3 were verified and checked for incompleteness.
The different identified ways in which COVID-19 related keywords have been used to frame phishing emails can be classified in three types. Fig. 9 (a)-(d) presents these different ways.
The three different existing relations (See Table 2 ), show that criminals made use of the COVID-19 pandemic to persuade recipients into clicking a malicious link out of curiosity/need (Example 9 (b) and (d)) or understanding for disruptions/errors (example 9 (c)). Besides, criminals use such keywords to pass spam filters either intentionally (actively use COVID-19 related fragments of news articles etc.) or unintentionally since new articles during that time were often related to COVID-19.

Discussion of research contributions
First, we revisit the research questions, and then summarize the contributing findings and cover the limitations and implications.

Revisiting research questions
Crime changes and adapts to new circumstances such as those resulting from the COVID-19 pandemic. Different studies have already highlighted these changes in crime such as computer misuse ( Office for National Statistics UK, August, 2020 ) or fraud ( InterStats, 2020 ). This study is concerned with phishing, and the question: which effects did COVID-19 have on patterns in phishing emails? The initial expectation was that phishing would increase and that criminals would try to exploit uncertainties around the virus and the introduced measures in their phishing emails. This study shows that there was a high increase of COVID-19 related phishing emails after the first restrictions had been introduced in the Netherlands. It also shows that criminals did make use of COVID-19 related content in their phishing emails.
The findings in Sections 4.2 and 4.2.1 show that in the beginning of the pandemic in the Netherlands phishing emails increased in numbers and healthcare related content such as selling masks formed prominent topics. Research from ( Aguirre and Lane, 2019 ) indicates that fraud occurs at the beginning of disasters, which may explain this high increase in the first two months.
In general, we identified three different ways COVID-19 related content has been used in phishing emails (see Section 4.5 ). First is direct use, which gives the impression of providing help such as applying for monetary help or access to goods protecting against the virus. The second way was to make use of the pandemic in a more passive way by mentioning the pandemic but the main topic is about something else. The third way of using content regarding COVID-19 in phishing emails was the use of text, e.g., parts of news articles, which was included in the HTML code of the email but not visible to the reader.
Regarding all our findings, it could be that only a very small number of criminals caused a large number of emails and thus our findings reflect the behaviour of a small number of criminals. We tried to assess this with our trend verification process but it still could be that this finding cannot be generalized. It is possible that the first three identified ways of how COVID-19 related content is embedded in phishing emails do not reflect the approach the criminals pursued. For example, it is possible that hidden content in emails is not about the Coronavirus on purpose but due to the increased number of news articles about this topic. This would still make this approach a relevant finding, however, it would be unrelated to the COVID-19 pandemic. The finding that some phishing emails contain hidden (invisible) text is a known deceptive technique used in phishing emails as mentioned by Bergholz et al. (2010b) . However, the paper showed that COVID-19 related content is also used for this approach. Findings on working days of criminals are in line with research presented by Ramzan and Wüest (2007) and Lastdrager (2018) . Section 4.2.1 revealed the finding that the volume of phishing emails followed the development of the pandemic in the Netherlands, showing a high increase after the first measures were introduced. However, we could not find emails which directly relate to specific COVID-19 events such as introduced counter measures and restrictions. One can argue that phishing emails offering financial support such as shown in Fig. 9 (b), are related to the introduction of such relief funds and thus co-occur with COVID-19 related events. However, in this research the focus was to find out whether phishing emails referenced specific COVID-19 related restrictions, measures and developments shortly after they have been introduced or observed.

Table 2
Description of relation types of COVID-19 to phishing emails.

| Relationship | Relationship description |
| --- | --- |
| Direct relation to COVID-19 | The email relates to COVID-19 directly as the main topic of the email ( Fig. 9 (b)). |
| Indirect relation to COVID-19 | The email mentions something about COVID-19, however, the main topic is not directly related to it ( Fig. 9 (c)). |
| Hidden relation to COVID-19 | The email shows no sign of a relation to COVID-19. However, the HTML code of the email contains text which is related to COVID-19 ( Fig. 9 (a), HTML content not shown). |
| No relation | The email shows no relation to COVID-19. |
It is not possible to rule out that criminals did not reference specific events in any of their phishing emails. However, this research shows that this has not been done on a large scale. Researchers, for example Bitaab et al. (2020) , also identified phishing emails impersonating a COVID-19 relief fund. Table 1 lists identified patterns and, if applicable, references to researchers who identified similar patterns. The table highlights that phishing emails often contained adaptations of known patterns. For example, adding COVID-19 related text in white color (invisible) to an email is a pattern that has been adapted but was previously described more generally as hidden salting by Bergholz et al. (2008) . In contrast, this study identified very few novel patterns, suggesting that attackers favor adaption over innovation for the vast majority of phishing emails. The rational choice theory on crime of Cornish and Clarke (2016) can explain this behaviour, as it argues that decision-making during crime scripts is largely cost dependent. More specifically, Kirton's Adaption-Innovation Theory supports this cost difference by showing that adaptions are generally associated with lesser resource investments than innovation ( Kirton, 1976 ). The adversary can alter its schemes most cost effectively by assessing the cost-risk (i.e., low risk - low reward is preferred over high risk - high reward) ( Junger et al., 2020 ) of component alterations based on both the perspective-based view ( Hunton, 2009 ) and the process-based view ( Maymí et al., 2017 ). In the perspective-based view, the phishing scheme would be evaluated for adaption based on seven distinct components, from the globalized environment, criminal or illicit intent, to data objectives, to exploitation tactics, attack methods, networked technology, or evasion and concealment ( Hunton, 2009 ).
On the other hand, the process-based view uses a pre-known set of procedures and techniques as alternative elements to alter schemes quickly. MITRE ATT&CK, which is based on the Cyber Kill Chain, is an example of such a framework ( Maymí et al., 2017 ).

Limitations
The study's limitations are as follows. Firstly, there is no comparison to data (long) before the COVID-19 pandemic or after to detect differences in trends and patterns. Furthermore, the study relied on an unsupervised classification algorithm to classify phishing emails, but such a method has its imperfections (Virustotal inaccuracy; Choo et al., 2022b ). In addition, the type of emails in the dataset adds to the limitations of our study. The data does not include all emails sent to specific domains, but only those classified as spam by Tesorion and containing a COVID-19 related keyword (see Table A.3 ). As a result, we could not analyse phishing emails with characteristics and patterns that could circumvent Tesorion's spam filter (proprietary, not known to the researchers). This may have affected our observation that phishing patterns were mostly adaptations of existing ones. Furthermore, the data is limited to Dutch firms, while slightly different COVID-19 restrictions were observed in other continents; this might affect the generalization to social conditions ( Ashby, 2020; Boman and Gallupe, 2020; Bullinger et al., 2020; Felson et al., 2020; Hodgkinson and Andresen, 2020; Mohler et al., 2020 ). Another limitation is that the data has been restricted to English emails. Finally, there is no comparison to non-COVID-19 related phishing emails.

Implications
There are a number of implications of this study:
• The general rise of phishing and COVID-19 related phishing indicates that phishing is considered a lucrative business for adversaries and requires increased attention from policy makers to counteract it with preventive measures, e.g., increased resource allocation, more or adapted awareness campaigns and altering phishing scheme detection in algorithms.
• The technique of topic clustering helps to detect shifts in the phishing schemes operated, which is useful information for awareness campaign designers to recognize which topics or schemes need to be explained to the wider public to prevent victimization.
• The confirmation of misuse of the chaos induced by COVID-19 for developing phishing schemes implies that we should be extra careful to expect shifts in crime, fraudulent and phishing patterns. This could lead to the thought to predict or relate to other disturbing societal changes and to prepare for such foreseen impactful changes.

Conclusion and future work
In this paper, we studied the surge and shift of phishing patterns during the COVID-19 pandemic. We observed a large increase of COVID-19 related phishing emails in the beginning of the pandemic in the Netherlands. Although we could relate COVID-19 content frequently to the schemes, we did not see a direct relation in phishing emails to specific events or measures against the spread of the virus. Additionally, we confirm existing knowledge on time patterns, such as that most phishing emails were received during working hours during the week.
The contributions of the research are two-fold: i) a methodology to identify topics in COVID-19 phishing emails, and ii) an analysis of phishing patterns, their adaptions and innovations. For the first part, we observed the following:
• The LDA model worked more effectively than the combination of Doc2Vec and k-means for our dataset, as it allows to focus on more contextual information in comparison to the Doc2Vec model. Furthermore, it is not affected by unrealistic clustering outcomes resulting from k-means, which has a characteristic of hard clustering. Further, it is important for such studies to consider various aspects of the dataset and analysis such as the number of emails, email length, email content, size of clusters, distance between clusters, and the choice of the model and its optimization.
• The TF-IDF is effective in identifying irrelevant terms, resulting in more coherent topics and a less complex model.
Regarding the analysis of phishing patterns we found that:
• The overwhelming presence of COVID-19 in people's lives, for example through lockdowns, contributed to an increased use of COVID-19 related content in phishing emails.
• Offender schemes are modified to COVID-19 topics (e.g., face masks), but the modi operandi are adapted to its context (exaptation).
• This adaptive behavior by offenders can be understood by Cornish's rational choice theory on crime and Kirton's Adaption-Innovation Theory.
This paper's findings contribute to institutes who develop awareness campaigns or phishing detection systems. Furthermore, this work can be interesting to academicians who work on phishing patterns developments and are curious to do further study on the challenges/limitations of the research as highlighted in the future work.
Future work could concentrate on our data limitations of COVID-19 related phishing emails during the pandemic, missing data before and after the pandemic as well as data on 'normal' phishing during the same time. Moreover, future work could focus on a larger scale comparative study that could reveal changes in the behavior of criminals or principles of persuasion used. Such a study could include time frames before and after the pandemic as well as a broader scope, such as including non COVID-19 related phishing emails and attachments, that could improve the insights on how and if criminals adapt their phishing schemes to the COVID-19 pandemic. Another aspect would be to enhance the data pre-processing and the classification methods. The pre-processing could be improved in terms of complexity and regarding the selection of words to exclude for the LDA model. The classification algorithm requires optimization to reduce false positives. To obtain insight on the notion of phishing emails it could be beneficial to perform a sentiment analysis. In addition, the analysis of phishing emails written in different languages, including Dutch, on the targeted Dutch domains could give insights on differences in the design of phishing emails in different languages.

Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Data availability
The data that has been used is confidential.

Acknowledgment
This research has received funding from the University of Twente, BMS COVID-19 Fund. We thank Tesorion Technology B.V., and in particular Dr. Wouter de Vries, for providing the phishing email data.