How Phishers Exploit the Coronavirus Pandemic: A Content Analysis of COVID-19 Themed Phishing Emails

This empirical study is an exploration of the influence methods, fear appeals, and urgency cues applied by phishers to trick or coerce users to follow instructions presented in coronavirus-themed phishing emails. To that end, a content analysis of 208 coronavirus-themed phishing emails has been conducted. We identified nine types of phishing messages crafted by phishers. Phishing emails purporting to provide information about the spread of the disease were the most common type of unsolicited emails. Authority, liking and commitment emerged as the most common influence methods. Fear appeals and urgency cues were present in almost all of the sampled phishing messages. Finally, the analysis of coronavirus-themed phishing emails revealed a shift in the modus operandi of phishers. The implications of these results are discussed in this paper.


Introduction
The recent outbreak of coronavirus, which was later declared a pandemic, offered online perpetrators new opportunities to defraud users. Covid-19-related domains experienced a dramatic increase due to people's interest in understanding the extent of the threat and searching for protection methods (Check Point, 2020a;World Health Organization [WHO], 2020). The Check Point Threat Intelligence report reveals that 3% of these domains were malicious, and 5% of them were suspicious (Check Point, 2020b). Cybersecurity reports indicate a substantial surge in malicious email activity. Google announced that its artificial intelligence-powered protection filter detected more than 18 million Covid-19 themed phishing and malware attacks in one single week in April 2020 (Cybersecurity and Infrastructure Security Agency, 2020; Lyons, 2020). These figures suggest that coronavirus has provided fraudsters with a targeted exploitation topic, which has rendered coronavirus-themed phishing a persistent threat.
As the number of Covid-19-related cyber incidents has increased, so has the amount of research examining the ways and opportunities leveraged by online perpetrators. Kashif et al. (2020) conducted an online survey to understand the extent of the cybercrime threats in Indonesia. Though the research results were descriptive, their analysis suggested a surge in cybercrime incidence. Similarly, Akdemir and Tuncer (2020) examined the Covid-19-related cybercrime risks in Turkey during the lockdown period. Their analysis suggested that the lockdown period significantly altered the frequency of online presence, which increased users' exposure to motivated offenders. Their results illustrated how users' changing online habits, such as accessing pirated media to watch movies for free, enhanced the risk of malware infection. However, the results of Hawdon et al. (2020), who also identified a surge in online presence in the U.S. population, contradict this finding. Their findings suggest that the stay-at-home orders did not change users' cyber-routines; hence, the risk of cybercrime victimization was not heightened. The discrepancies between the results of these studies may be accounted for by the types of online activities in which people engaged during the lockdown period. While the former study indicated a rise in risky online activities, the latter revealed a lack of change in online behavioral patterns. Put together, the results of these two studies seem to underscore the influence of engaging in risky online activities on the likelihood of experiencing cyber victimization (Akdemir & Yenal, 2020;Holt & Bossler, 2013;Leukfeldt, 2014).
1031879S GOXXX10.1177/21582440211031879SAGE OpenAkdemir and Yenal research-article20212021 1 Gendarmerie and Coast Guard Academy, Ankara, Turkey 2 National Defence University TMA, Ankara, Turkey The results of research by Naidoo (2020), who suggested a multi-level influence model of Covid-19 themed cybercrime, indicate that online perpetrators utilized situational factors to conduct sophisticated cyber-attacks. Naidoo (2020) has illustrated that online perpetrators also leveraged emotional and psychological factors. Likewise, stress and anxiety caused by lack of socialization during the Covid-19 pandemic were found to increase the likelihood of becoming the victim of a socially engineered online attack (Ventrella, 2020).
The aim of this research is to contribute to users' protection by exploring online perpetrators' modus operandi applied to exploit internet users' coronavirus fears through phishing emails. To that end, the content of 208 coronavirusthemed phishing emails has been examined. To the best of our knowledge, this is the first phishing study in which users' vulnerability to coronavirus-themed phishing attempts has been examined.

Literature Review
Social engineering, which aims to exploit internet users' weaknesses, plays an essential role in phishing cases (Bullée et al., 2015;Krombholz et al., 2015). Fraudsters target users through emails, including highly sophisticated and challenging social engineering tactics, to solicit financial or personal information (Butavicius et al., 2016;Clark, 2017). Phishing emails are also utilized to lure users into opening attachments or clicking links containing malicious content, thereby facilitating the installation of malware such as ransomware on the target systems or devices (Gomes et al., 2020). Social engineering is initially conceptualized as employing socially tailored tricks to gain sensitive data such as passwords or usernames to access computer systems (Abraham & Chengalur-Smith, 2010). However, the scope of social engineering has been extended to cover the personal and financial information of internet users (Newman & Clarke, 2013). "Alternative routes to persuasion, attitudes and beliefs that affect human interactions and techniques for persuasion and influence" are three socio-psychological components of social engineering while exploiting human vulnerabilities (Peltier, 2006, p. 3).
The aim of social engineering in a phishing context is to manipulate users into divulging personal or financial information (Mishra et al., 2012;Nirmal et al., 2010). To that end, fraudsters exploit internet users' social, psychological and cognitive vulnerabilities. It is proposed that human reasoning is based on two types of decision-making processes: heuristic and systematic. While the heuristic decision-making process produces quick and spurious decisions, the systematic process yields more carefully evaluated conclusions (Maheswaran & Chaiken, 1991;Schwarz, 2000). Phishing susceptibility research suggests that online perpetrators employ influence methods (Oliveira et al., 2017;Silic & Back, 2016;E. J. Williams et al., 2017;Wright et al., 2014), fear appeals (Jansen, 2015;Jansen & Leukfeldt, 2016;Liang & Xue, 2010;Witte, 1992), time pressure (Kahneman, 2011;Saqib & Chan, 2015;W. Zhang et al., 2012) and urgency cues (Alsharnouby et al., 2015;Harrison et al., 2016;Wang et al., 2012) to coerce users to make spurious decisions based on heuristic reasoning. Peltier (2006) argued that persuasion and influence techniques are among the three critical social psychological components of social engineering. Phishing studies have applied Cialdini's (Cialdini, 2009) influence methods to explore the factors that render email users vulnerable to phishing attempts. Cialdini (2009) proposed six influence methods, namely authority, scarcity, liking, social proof, consistency/ commitment, and reciprocity. Whereas authority denotes compliance with requests purporting to be from authority figures, scarcity refers to the limited availability of opportunities (Cialdini, 2001). The liking construct assumes that individuals are more likely to obey requests or instructions coming from persons they like. Social proof exploits people's tendency to make social comparisons with similar others (Cialdini et al., 1999). The consistency/commitment principle suggests that people are inclined to behave in line with their previous actions and obligations (Cialdini & Goldstein, 2004). Finally, reciprocity is the tendency to return a favor. It is based on the assumption that people feel obligated to repay those who have helped them in the past (Cialdini & Goldstein, 2004) Empirical results yielded inconsistent results with regards to the relative impact of Cialdini's (2009) influence methods on email users' decision-making. Wright et al. (2014) found that four influence methods, liking, social proof, reciprocity and scarcity, increased the odds of people responding to phishing emails. Silic and Back (2016), however, suggested that liking is the most potent influence method used to obtain information from employees through social network sites. Research conducted by E. J. Williams et al. (2017) demonstrated that it is the combined effect of different influence techniques and personal or social circumstances that increase the susceptibility of internet users to phishing attacks.
Regarding demographic differences, Oliveira et al. (2017) investigated the effect of influence techniques across the demographic characteristics of email users. They found that different age groups display various vulnerabilities to influence tools. The reciprocation technique was found to be more effective in coercing older internet users into divulging personal information. On the other hand, scarcity, denoting the limited availability of something valuable, emerged as the most effective way to increase the likelihood of young internet users responding to phishing emails. Authority appeared to increase susceptibility to victimization for all age groups.
Fear appeals are considered to be effective deception methods to coerce individuals to comply with given messages (Chen, 2017;Jansen & van Schaik, 2018;Witte 1992, p. 329) defined fear appeals as "persuasive messages designed to scare people by describing the terrible things that will happen to them if they do not do what the message recommends." In other words, fear appeals are persuasive messages prompting both a fear-provoking menace and a suggestion to thwart a depicted threat (K. C. Williams, 2012). Fear appeals have two dimensions: phrases introducing an imminent threat, and expressions suggesting a recommendation to cope with a threat (Vance et al., 2013). The former encompasses fear-arousing statements together with bogus or fabricated scenarios used to increase internet users' perceived susceptibility to the presented threat. The latter directs email users to bogus websites where personal credentials can be provided.
The results of the empirical studies indicate that account closure, account update, unauthorized access to an account, and unusual account activities are the most frequently used fear appeals (Harrison et al., 2016;Moore & Clayton, 2012;Vishwanath et al., 2011). The existing research suggested a correlation between fear appeals and getting phished (Jansen & van Schaik, 2018;Sharma, 2010;Workman, 2008). For example, Goel et al. (2017) found that internet users were more likely to respond to emails related to protecting assets. Disproportionate attention to fear appeals was also found to enhance the likelihood of responding to phishing emails. Empirical evidence suggested that internet users who paid too much attention to fear appeals failed to conduct a sound evaluation of the fabricated scenarios Vishwanath et al., 2011).
Source credibility appeared to be another factor that enhanced the believability of emails. Bowen et al. (2011) argued that believability is a crucial factor in overcoming users' defensive reactions. Empirical evidence suggests that the inclusion of reputable or trusted brands' names into email messages increased email users' susceptibility to divulging personal information (Schuetz et al., 2016;Silic & Back, 2016). Urgency cues were also found to coerce internet users into making spurious decisions. Urgency cues are used to divert internet users' attention from phishing detection cues such as security indicators, and force internet users to make hasty decisions (Wang et al., 2012). Urgency cues such as "update, access, protect, cancel and confirm" were found to enhance the likelihood of people responding to phishing emails (Park & Taylor, 2015;Vishwanath et al., 2011).
Time pressure conveyed in unsolicited email messages was another factor found to impair users' decisions. Time pressure messages such as "immediately, urgent, within one hour" increase the propensity for people to take risks (Hu et al., 2015;Young et al., 2012). Research has indicated that recipients who were exposed to email messages leveraging time pressure were more likely to respond to phishing emails (Luo et al., 2013;W. Zhang et al., 2012). However, Wang et al. (2012) found that computer literate email users were more successful in thwarting phishing attempts. Similarly, D. Kim and Hyun Kim (2013), who studied the impact of persuasive messages in phishing emails, found no significant relationship between time pressure and the likelihood of someone responding to a phishing email.

Data Collection
This first stage of data preparation was gathering images of Covid-19 themed phishing emails. We collected the data between April 1, and April 16, to capture the nature of the lockdown era. The lockdown period was characterized by a lack of information and ambiguity about this new contagious disease. Individuals who were ordered to stay at home were curious and eager to learn about the contemporary situation of virus spread. Thus, opportunistic perpetrators seemed to apply social engineering strategies to exploit peoples' willingness to acquire information. We searched the terms "COVID-19," 'Coronavirus "COVID" and "novel coronavirus" in conjunction with the phrase "phishing email" to access coronavirus-themed phishing email messages. We searched these terms via three popular search engines: Google, Bing, and Yandex. The image search sections of these search engines were used to access the actual images of phishing emails. This informed decision was made to eliminate the researcher bias caused by journal news related to phishing cases. The real pictures of these phishing emails were mostly collected from official websites such as Action Fraud, FBI, or web pages of universities' or companies' IT departments, where internet users were warned about phishing messages. During this period, we collected 2,372 images of phishing emails sent during the lockdown period of the Covid-19 pandemic. Figure 1 illustrates two samples of phishing emails collected from the internet. We also enlisted the help of the newsletters of the WHO (WHO) and Action Fraud to receive phishing email samples.
In the second stage, we aimed to eliminate phishing emails with repeated or irrelevant content. This elimination phase lasted about a week, as the two authors separately conducted a careful reading procedure to prevent loss of data. After three rounds of reading, we had obtained 208 phishing emails with unique content. The emails we received from the mailing lists did not yield sufficient information to be analyzed. Since the data were comprised of images of phishing emails, these emails were transcribed verbatim onto a word processor. This process enabled us to immerse ourselves in the data and acquire first impressions of these phishing messages. As will be detailed in the next section, we initially read the whole email and highlighted various relevant content. During this period, we realized that whereas some emails were information-rich, others were not at all. Though all of the emails were included in the analysis, we mostly utilized these 40 information-rich emails to discern social engineering messages. The whole data, comprising 208 phishing emails, were also analyzed to create a taxonomy of phishing emails. The decrease in sample size suggests that phishers used different emails and IP addresses to evade security walls; hence, duplicated versions of the same material were used to conduct Covid-19 themed phishing emails. This shrinkage also implies that a small number of motivated offenders would account for a significant proportion of phishing attacks. The Pareto Principle, known as the 80-20 rule, proposes that roughly 80% of wealth is controlled by 20% of the population (Dunford et al., 2014;Grosfeld-Nir et al., 2007). Traditional crime studies have also illustrated that a small number of offenders are responsible for most of the crimes committed in a specific area (Braga, 2008;Brunson, 2015). The policy implications of this issue will be elaborated in the Conclusion section.

Analytic Strategy
In this study, the qualitative content analysis (QCA) method has been applied to explore the social engineering methods utilized to coerce users to click on the links provided in phishing emails. QCA is an analytic process whereby textual or visual data is described and interpreted through the systematic and objective classification of textual information into categories, patterns, and themes (Sandelowski, 1993;Y. Zhang & Wildemuth, 2009). QCA aims to provide a descriptive account of textual data (Vaismoradi et al., 2013). QCA can be either inductive or deductive, or a combination of both. The aim of the study informs the researcher's choice of the study and the availability of a priori knowledge or theory (Graneheim et al., 2017).
QCA is a flexible approach while discerning trends and patterns in textual data, which renders it a popular analysis tool (Stemler, 2000). However, the lack of standard procedures to be applied throughout the analysis process raises concerns over reliability or trustworthiness (Creswell & Miller, 2000). Delineation of the analysis phases is suggested as the most proper solution to any trustworthiness issues (Elo et al., 2014). Several scholars (Assarroudi et al., 2018;Elo & Kyngäs, 2008;Hsieh & Shannon, 2005;Mayring, 2015;Y. Zhang & Wildemuth, 2009) have proposed standard procedures to be applied to enhance the trustworthiness of the analysis process (please see Assarroudi et al. (2018) for a detailed discussion of these procedures]. A review of the literature suggested that although different authors divided the content analysis process into varying stages, these stages can be summarized into three concurrent phases: preparation, organization (data reduction), and reporting (Elo & Kyngäs, 2008;Miles & Huberman, 1994). Since the preparation phase of the process was described above in the data collection section, a description of the analysis process will continue with the organization (data reduction) phase of the analysis.
Data reduction is the phase wherein the data is reduced to its basic content to have a condensed material. The data condensation procedure is a continuous and iterative process, including written summaries and coding (Berg et al., 2004;Braun & Clarke, 2006). Regarding the coding process, two approaches, emergent (inductive) and a priori (deductive) coding, are identified in the literature (Graneheim et al., 2017;Stemler, 2000). Whereas a priori coding relies on the categories derived from the theory or previous research, emergent coding is based on the researcher's interpretations or abstractions of the data (Krippendorff, 2004;Schreier, 2012). Based on the a priori knowledge on Cialdini's (2009) six influence methods and the results of the previous research (fear appeals, urgency cues, and source credibility), for this study the deductive approach, also known as directed content analysis, was applied (Hsieh & Shannon, 2005;Moretti et al., 2011). The goal of the directed content analysis was to explore the factors phishers utilize to convince email users to follow the instructions presented in unsolicited emails. An inductive approach was also employed to create a taxonomy of phishing emails. We followed the six stages proposed by Assarroudi et al. (2018) at the organization phase of the analysis.
For the first part of the analysis, the aim was to distinguish the social engineering methods that were adopted to render internet users susceptible to phishing attacks. A theoretically informed structured deductive approach was employed to attain this goal. Elo and Kyngäs (2008) suggested the use of a structured method, based on the categorization matrix, which illustrates the coding rules. This matrix is also called a codebook (I. Kim & Kuljis, 2010), coding scheme (Thayer et al., 2007), or content categories (Harwood & Garry, 2003). This enables researchers to present a conceptually driven understanding of the data (O'Connor & Joffe, 2020). The matrix should also contain categories and subcategories derived from the theory or literature (Stemler, 2000). Based on these considerations, our categorization matrix comprised three components: category name, definition/explanation, and text examples. We also created two main categories (Cialdini's influence methods and research findings), which are derived from previous phishing studies. The first category contained six sub categories (authority, liking, social proof, consistency/commitment, scarcity, and reciprocity), and the latter was comprised of three sub categories (fear appeals, urgency cues, and source credibility) (Table 1).
Providing definitions of categories/sub categories and textual data examples can contribute to maintaining trustworthiness (Schreier, 2012). To ensure trustworthiness, we clearly stated the definitions/explanations of the main and sub categories and provided textual examples at the second stage. Based on the literature review, we defined or explained each category. For example, authority is defined as "individuals' inborn inclination to comply with orders or suggestions in the presence of the figures of authority" (Cialdini, 2009, p. 180), while fear appeals are explained as "online communications informing receivers about an imminent threat or a significant problem besides providing a solution to overcome the mentioned problem" (Witte, 1992). Later, we included examples for each sub category. These "anchor samples" (Assarroudi et al., 2018, p. 50), which act as the identifier for the categories, were obtained from previous phishing susceptibility studies. For example, the anchor sample for the urgency cues category was as follows: "you need to update your account before the link expires, after 24 hours" (Park & Taylor, 2015, p. 3) ( Table 1).
The second part of the analysis was conducted to create a taxonomy of phishing emails. This process required an examination of textual data and deriving categories from the codes. This part of the analysis, based on the conventional content analysis approach, was more flexible than the first phase. Conventional content analysis (Hsieh & Shannon, 2005), or inductive content analysis (Elo & Kyngäs, 2008), is mostly applied when there are no pre-defined categories (Krippendorff, 2004). The analysis starts with discerning lower-level units, namely codes, and goes on to the creation of categories/sub categories and themes (Patton, 2002). Conventional content analysis may examine latent (having implied meaning) or manifest (available on the textual or visual data) content (Berg et al., 2004;Kondracki et al., 2002). Since the aim of the analysis was to create a taxonomy of phishing attacks, keywords such as "refund," "information" or "guideline" were used as reference terms to develop codes.
We created two projects using NVivo QSR qualitative analysis software so that each researcher could conduct the analysis independently. Hsieh and Shannon (2005) recommended a two-step coding procedure. At first, the researcher reads the textual data and highlights various parts based on the first impression guided by prior knowledge (theory and/or results of previous research). Later, per the categorization matrix, any highlighted material would be coded. Following this advice, we initially read the textual material via a word processor and highlighted any phrases carrying social engineering and influence messages. We uploaded the files to the NVivo project after highlighting all of the relevant materials.
We individually conducted two rounds of coding at a 1-week interval, since Elo et al. (2014) recommended two rounds of independent coding as an efficient method to enhance trustworthiness, and thereby maintain intra-coder reliability. Promoting coder reflexivity is another benefit of this iterative process.
Following the initial coding process, we worked together to review the codes, discuss the rationale for assigning each text to specific categories/sub categories, and settle fundamental coding disagreements as advised by Thomas and Harden (2008), to ensure intercoder agreement. O'Connor and Joffe (2020) provided a distinction between intercoder reliability and intercoder consistency. Whereas the former relies on a numerical assessment of consensus on the coding of the textual data, the latter involves discussion of discrepancies and accordance. We preferred discussion of the inconsistencies to understand any differences in individual interpretations (DeCuir-Gunby et al., 2011). Due to the Covid-19 pandemic restrictions, these meetings were held online via a video communication platform. In-depth discussion over the coding discrepancies allowed us to reach a consensus about the textual data assigned to sub categories. The "A review of our records shows permanent error with your XX account. To prevent closure of your account please log in here to your account to resolve the problem." (Harrison et al., 2016). Urgency cues Messages indicating scarcity, time limitation or a warning aim to coerce receivers to focus on the urgency conveying messages to elicit their compliance.
"You need to update your account before the link expires, after 24 hours." (Park & Taylor, 2015) "Please update your records on or before July." (Park & Taylor, 2015) Source credibility Names of big brands appeared to be another factor that enhanced the believability of emails.
"Using logos and names of reputable businesses."(W.

Zhang et al., 2012) Cialdini's influence methods
Authority Individuals' inborn inclination to comply with orders or suggestions in the presence of the figures of authority are present. "Click here"; "confirm your account details"  Liking People prefer to say yes to those they like. "We realize that this precaution may cause you some inconvenience." (Wright et al., 2014).

Social proof
People tend to behave as their friends and peers have behaved.
"We'd really like to keep you happy by continuing to help" (Oliveira et al., 2017) Consistency/ commitment Individuals are driven to be consistent not only with their trait self-attributions, but with their previous behaviors and commitments as well.
"As you have done before, please update your password using the following link."(Wright et al.,

2014) Scarcity
People respond to perceived shortages by placing greater psychological value on perceived scarce items.
"You can save 20% on your next electric bill by filling out our online survey within the next three days." (Oliveira et al., 2017).

Reciprocity
The tendency to return a favor. "If you respond you will have a chance to upgrade to our new version" (Baryshevtsev & McGlynn, 2020) categorization matrix and visual representation of the categories/sub categories were utilized during this discussion. After agreeing on the assignment of textual context to the sub categories, we utilized tables to display the research findings. Huberman et al. (2014, p. 7) defined display as "an organized, compressed assembly of information that allows conclusion drawing and action." Since reading and evaluating extended texts can be a cumbersome process due to cognitive overload, extended texts, tables, graphs and diagrams as well as direct quotes can be utilized to present research findings (Onwuegbuzie & Dickinson, 2008). To that end, we illustrated the research findings in three tables.

Taxonomy of Phishing Attacks
Content analysis of the phishing emails revealed nine variations of phishing email themes which targeted individuals, businesses and organizations. Examples of the identified topics are presented in Table 2. The first category of phishing emails, which involve pretending to offer solutions to prevent the spread of the coronavirus outbreak, is comprised of email messages impersonating health organizations and governmental agencies. We identified 23 different email messages crafted to coerce users to download the attachments provided in emails. These emails ask users to view or download attached documents to review safety measures in place to prevent the spread of the disease (Table 2). Offering financial benefits is the second most common theme which emerged (n = 5). Phishing emails that fall into this category are designed to trick users into disclosing their personal identifying information. As in the case of the Her Majesty's Revenue & Customs (HMRC) tax refund scheme, targets are lured to click on the link and provide their credentials. This attack is an example of a conventional phishing technique, which requires the target to type in their details. Asking for a donation is another theme designed to exploit individuals' desire to help organizations which are combatting coronavirus (n = 3). The threat of unauthorized payment (n = 2), offering a cure (n = 2), offering a service such as a banking application (n = 2), mandatory education programs (n = 1), the threat of account closure (n = 1), and asking for a favor are among the other themes that have fewer variants.

Social Engineering Methods Employed
The second part of the analysis dealt with discerning the frequency of social engineering methods applied to leverage individuals' curiosity, fear and concerns. Since some emails contained more than one social engineering technique, the number of influence methods exceeds the total number of emails examined. Table 3 illustrates the samples of influence methods identified. Cialdini proposed six influence methods, namely authority, liking, social proof, consistency/commitment, scarcity, and reciprocity. Content analysis of the phishing emails revealed that authority was the most used influence method (n = 23). While commitment appeared 13 times in phishing emails, liking was present in seven email messages. We did not identify scarcity, reciprocity or social proof influence methods in any of the email messages.
Previous phishing susceptibility research identified fear appeals, urgency cues, and credibility cues as factors that perpetrators used to manipulate the decision-making systems of users (Vishwanath et al., 2011;Wang et al., 2012;Wright et al., 2014). Informed by these studies, we included these cues in our analysis. Content analysis suggested that fear appeals were extensively utilized to coerce users to follow the instructions presented in phishing emails (n = 16). Urgency cues were used in twelve phishing emails. Finally, the logos of health organizations, government agencies and companies were present in almost every phishing email, used as a credibility cue.

The Relationship Between the Type of Attack and Social Engineering Methods
We cross-tabulated social engineering methods and the types of phishing emails identified to examine the distribution of 72 codes across the email messages. As Table 4 illustrates, the authority influence method was mostly used in email messages asking users to download attached documents purporting to provide information about coronavirus (79.94%, n = 19). However, authority cues were only employed in four types of messages. The commitment and liking influence methods were mostly applied to emails providing information and asking for a donation. Fear appeal messages were We realize that the spread of the COVID-19 coronavirus may leave you feeling concerned, so we want to take a moment to reassure you that your safety and well-being remains our absolute top priority.

13
Liking We personally thank you for your understanding and assure you that we will do our almost to limit disruptions this event brings to your travel plans while keeping your well-being our top priority 7 Fear Appeals At this time, three new cases have been confirmed around your location today. The risk to the Public in your city and throughout the World is very HIGH . . . A high risk person is currently being monitored around your city center.

16
Urgency Cues Please urgently contact Mr xxxx (xxx BANK SECRETARY) to direct you to The CHIEF FINANCIAL OFFICER (Mr.xxx) who is in charge of paying you for your funds (1.700.000 EUROS) which is to be paid by xxx BANK PLC for family health-care and sanitisat on urgently!! 48 hours after mail received!!! 12 a Frequency of appearance of the social engineering methods. primarily included in emails containing information (52.37%, n = 10). Fear appeals were included in six out of nine types of phishing messages. Urgency cues were mostly present in phishing messages offering financial benefits (30.4%, n = 3). Urgency cues were present almost all of the sampled phishing messages (77.7%, n = 7).

Frequently Used Words
Finally, we explored the most frequently used words in the coronavirus-themed phishing emails. We excluded certain words, such as "coronavirus" or "click," to obtain a refined result. Health (n = 60), disease (n = 20), control (n = 19), attached (n = 15), and prevention (n = 15) emerged as the five most commonly used words in these messages. The implications of this result will be evaluated in the Discussion section.

Discussion
Phishers always take advantage of events that have attracted public attention, and the coronavirus pandemic has provided online perpetrators with an opportunity to defraud internet users (Dewan, 2020). Cybersecurity firms (i.e., Norton and Symantec) have highlighted a significant surge in coronavirus-themed phishing attempts. The news media and the reports of security companies have suggested that coronavirus related cyberattacks have become a persistent threat. The aim of this study is to contribute to crime prevention efforts by exploring the social engineering methods employed in coronavirusthemed phishing emails. To that end, we conducted a content analysis of 40 phishing emails with different contents. We identified nine types of coronavirus-themed phishing emails. The analysis revealed that phishers have designed 23 different email contents purporting to provide information about the recent situation of the spread of coronavirus or ways to evade coronavirus infection. Variants of the email messages asked users to download attached documents. This technique suggests a shift in the modus operandi of phishers, since conventional phishing emails ask users to click on links to provide personal or financial information. This change in phishing attempts may be attributed to several social and technological factors. Cyber security studies suggest that cyber security awareness, which can be promoted by training and educational programs, is the key initiative for reducing user susceptibility to socially engineered attacks (Aldawood & Skinner, 2018;Korpela, 2015). Given that schools, governments, private sector and non-governmental organizations are increasingly launching new initiatives to raise cyber awareness, it seems reasonable to believe that individuals are now more cyber-aware when compared to the past. Hence, it is hard to convince individuals to type in their credentials using conventional phishing methods. In addition, the proliferation of digitalized technology, which has increased the dependency on digital systems, has rendered them as valuable assets, and the retrieval of data or systems is something for which users have to pay. This issue seems to motivate offenders to devise more sophisticated attacks (i.e., promising ransomware attacks) to achieve their goals.
Agent Tesla Keylogger is the most recent example of these kinds of sophisticated cyber-attacks (Baker, 2020;Riley, 2019). This malware is capable of harvesting user information from different platforms such as emails or social media (e.g., Twitter, Facebook, Instagram) (Ruiz, 2020). A phishing email that says, "You can now download and Access the attached My Health Zip file from a Windows Computer only," supports our proposition, since Agent Tesla Keylogger operates only on Windows-based operating systems ("Review-Navigating Cybersecurity During a Pandemic," 2020). It is evident that phishers are now conducting joint attacks designed to compromise individuals' and businesses' online accounts rather than coercing users to provide their credentials. Hence, users should be informed about this new threat that preys on the inadvertent downloading of coronavirus-related documents.
Content analysis of the coronavirus-themed phishing emails suggested that authority, commitment, liking, fear appeals, and urgency cues were the most frequently employed influence methods. This result is in line with previous research indicating that Cialdini's influence methods, (Silic & Back, 2016;E. J. Williams et al., 2017;Wright et al., 2014), fear appeals (Jansen, 2015;Jansen & Leukfeldt, 2016;Liang & Xue, 2010;Witte, 1992) and urgency cues (Alsharnouby et al., 2015;Harrison et al., 2016;Wang et al., 2012) were used to trick users into yielding their personal identifying information. Fear appeals and urgency cues were present in almost all of the coronavirus-themed phishing emails. In addition, authority was mostly employed in emails pretending to offer information about the disease. These results suggest that authority, fear and urgency are the three essential constructs that phishers utilize to coerce the user to make hasty decisions based on their heuristic decision-making processes.
Regarding the composition of messages, phishing emails designed to provide information about the coronavirus allegedly included all of the influence methods that are mostly used in phishing messages. While emails pretending to offer a service used commitment and liking to influence users, those which aimed to present a threat of unauthorized payment or shipment included only fear appeals and urgency cues. It appears that phishers craft their messages very carefully and employ the most appropriate influence methods in their phishing messages.
We analyzed the most frequently used words in the coronavirus-themed phishing emails. "Health," 'disease "control," 'attached' and "prevention" appeared to be the most commonly used words. This result indicates that the phishers designed the structure of these messages to illicit the users' concerns related to preventing disease or curiosity about the latest information. Social engineering methods such as influence techniques or fear appeals are disguised in these messages which seemingly provide background information about the attached files.

Conclusion
The lockdown period, characterized by the mass quarantine of individuals, unprecedently changed the way we socialize and work. People were ordered to remain at home and work remotely. This new normal way of living, socializing and working had some unavoidable adverse consequences. The social, economic and psychological repercussions of the lockdown period on individuals and organizations are welldocumented (Rahman et al., 2020;Sumner et al., 2020;Vahia et al., 2020;Xiong et al., 2020). An increased cybercrime victimization risk emerged as another ramification of the lockdown era which followed the declaration of the Covid-19 pandemic. A massive surge in Covid-19 related domain names suggested that online perpetrators were quick to impersonate health institutions, governments, and organizations to exploit health-related vulnerabilities. The aim of this study has been to discern the social engineering methods employed in Covid-19 themed phishing emails during the lockdown period. Creating a taxonomy of Covid-19 themed phishing emails was another goal of this research. To these ends, content analysis of 208 phishing emails collected between 1 st April and 16 th April 2020 was conducted.

Key Findings
Content analysis of the Covid-19 themed emails yielded significant results. Distinguishing the shift in the modus operandi of phishers is one of the novel contributions of this study. Phishers have mostly employed social engineering methods to coerce individuals to provide their financial details via links presented in email messages. However, as individuals are more computer savvy nowadays, this technique has become less effective. Although phishing emails are also used to infect target computers via website links, our analysis results illustrated that a majority of the Covid-19 themed emails analyzed were asking users to download attached documents which included malicious content. Attached documents that allegedly contained information related to the Covid-19 pandemic were used to conduct more sophisticated attacks such as ransomware. This result suggests that socially engineered phishing attacks coupled with code-based threats (i.e., ransomware) will become more common.
Presenting a taxonomy of the Covid-19 themed emails was another contribution of this study. We identified nine variations of phishing emails targeting individuals, businesses and organizations. The most frequently employed type of phishing emails were those allegedly offering solutions to prevent the spread of the coronavirus outbreak. This finding illustrates that phishers who were rational actors were quick to take advantage of the fear and anxiety of individuals in the wake of the spread of the virus.
Regarding the influence methods applied in the Covid-19 themed phishing emails, of the six influence methods proposed by Cialdini, authority emerged as the most frequently used. It is argued that people learn to obey authority at an early age, which promotes the pre-disposition to trust or obey authority figures (Bouchard, 2009). Authority's perceived expertise, individuals' felt obligation to obey, and authority's presumed coercive power, were suggested as factors promoting obedience to authority (Lutsky, 1995). It seems that phishers exploit users' inclination to obey figures of expertise through emails pretending to provide information about the Covid-19 pandemic to gain compliance.

Policy Implications
The data collection phase of the study suggested that although there were 2,372 emails sent from different accounts, 208 emails remained after removing the duplicated content. This shrinkage implies that a small proportion of online offenders account for the majority of the phishing attempts. Focused deterrence policing strategies are designed to decrease the offending behavior for a particular crime type through targeting specific offenders (Tillyer et al., 2012). Focused deterrence policing strategies applied to dealing with core criminals have yielded successful results in terms of preventing traditional crimes such as homicide or gang violence (Braga et al., 2019;Braga & Weisburd, 2012). This strategy requires the co-operation of several actors, such as law enforcement or social services, to deter offending behavior (Tillyer & Kennedy, 2008). Most cybercriminals think that their actions are undetected; hence they continue engaging with illegal and illicit online activities. We believe that focused deterrence strategies entailing direct communications with potential offenders to inform them that their actions have received legal attention (Brunson, 2015) will have some success in reducing phishing intention. Phishers who are aware that increased law enforcement attention has been placed on them may choose to receive guidance to find a legal means of earning a living, or may decide to stop offending behavior.
Content analysis of the Covid-19 themed phishing emails suggested that emails purporting to provide coronavirus information were the most common type of phishing attempt. This result illustrates the desire to acquire information, as social engineers exploit vulnerabilities in the targeted population. Human error is generally conceived as the weakest link in cybersecurity (Akdemir & Lawless, 2020;Clark, 2017;Heartfield et al., 2016). Training and education programs related to cyber threats have been found to be effective in decreasing user susceptibility and increase cyber awareness (McCrohan et al., 2010;Zwilling et al., 2020). In this regard, providing timely and accurate information about the threat could soothe the public desire to acquire knowledge. In addition, publicly available programs via social media or TV could also help to promote cybersecurity awareness.

Limitation and Research Implications
Though this research has yielded some impressive results, still it has some limitations that need to be addressed. The focus of this research has been on the content of the phishing emails; hence, the success rates of these phishing emails remained unexplored. Future research may involve applying experimental designs to understand the relative significance of Cialdini's influence techniques and fear appeals on individuals' decisions to reply or follow the instructions presented in Covid-19 themed emails. Future researchers may also examine whether individual differences, such as personality traits, affected users' susceptibility to Covid-19 related emails. The small sample size was another limitation of this study. The central aim of this study was to understand the social engineering methods applied in phishing emails during the lockdown period. Since the website search captured phishing emails sent before April 1, it reflected the characteristics of a particular era, namely the lockdown period. Future researchers may obtain more samples of Covid-19 themed phishing emails; thus, new insights may be gained.

Declaration of Conflicting Interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding
The author(s) received no financial support for the research, authorship, and/or publication of this article.