Email Security Blog

COVID-19: Mid-Level Managers Are Easy Targets for Phishing Scams During the Pandemic

The health risks of COVID-19 are well known, and you’ve undoubtedly made a lot of changes to keep your employees safe. But, as many organizations have learned, the pandemic isn’t just putting people’s health at risk. It’s also exposing you to new kinds of cyber fraud and cybersecurity threats. 

Unfortunately, cybercriminals are using this crisis to their advantage. So much so, that the FBI has put out repeated warnings and launched an entire webpage dedicated to sharing information about COVID-19-related cyberthreats.1 Many of these threats have one thing in common: They are phishing scams that target mid-level managers. 

Mid-level managers make enticing targets because they often have access to sensitive data and responsibility over invoice approvals. With a little research, a cybercriminal can uncover what accounts a mid-level manager oversees and then pose as a vendor requesting a change in payment. This can be particularly effective during COVID-19. The scam is one form of business email compromise (BEC) and here is how it might play out: 

  1. A cybercriminal uses LinkedIn and other publicly available information to learn the name of a company’s mid-level managers, as well as their supervisors.   
  2. The cybercriminal then sends spoof email that appears to be from a vendor claiming that, due to pandemic-related procedural changes, they are now using a different bank account.  
  3. They mention the mid-level manager’s superior by name, claiming he or she specifically directed them to the mid-level manager in order to have the request processed.  Using company namedropping is a strategic move hackers make to trick the manager into believing a request is legitimate. 
  4. The manager changes the vendor’s bank account information and for months to come, fake invoices are paid with the dollars going straight to the cybercriminal’s bank account.  

cybercriminal who gains access to your business’s hierarchy can also use it to impersonate VPs or even your CEO. Mid-level managers tend to spring to action whenever they’re contacted by a higher-up. A cybercriminal engaged in CEO impersonation can use a phishing email to trick a mid-level manager into disclosing sensitive client or company data or granting access to your business’s computer system. Recently, the FBI investigated a COVID-19-related case of CEO fraud in which the hacker, posing as a CEO, requested a money transfer date to be move up due to precautions surrounding COVID-19 and the quarantine process. In the end, the hoax cost one financial institution a million dollars.2  

CEO fraud is just one kind of costly cyberthreat. In 2019, the FBI’s Internet Crime Complaint Center (IC3) recorded $3.5 billion in U.S. internet crime losses, with the most frequent scams involving phishing and similar schemes. In fact, business email compromise (BEC) scams cost $1.7 billion alone.3 

If you and your mid-level managers aren’t prepared, cybercriminals exploiting COVID-19 can make an already difficult year a lot worse. In addition to spoof emails from vendors and CEO impersonationcybercriminals might also target your mid-level managers with: 

PPE scams

 If you have employees working in your office or facility, you may want to provide — or be required to provide — personal protective equipment like masks, gloves, gowns and face guards. But the mid-level manager you put in charge of this needs to be careful. The FBI has identified numerous phishing scams related to the procurement of PPE with fraudsters posing as or spoofing legitimate businesses. 

Government benefit scams

If your organization is entitled to COVID-19-related assistance, either now or in the months to come, you could become a target. The Payment Protection Program (PPP) led to so much fraud that the FBI had to form a PPP Fraud Working Group.5 Specific schemes have included spoof emails impersonating government agencies claiming to need access to accounts as well as phishing emails that trick mid-level managers into providing information — like employer identification numbers — that’s then used to fraudulently apply for benefits in your organization’s name. 

Health scams

 You’re worried about your employees’ health — and scammers are hoping the worry has caused your mid-level managers to let their guard down. The FTC warns that fraudsters are claiming to be from the CDC and other public health offices and are tricking organizations into divulging sensitive data or opening attachments that install malware.5 Cybercriminals might also spoof emails from your insurance providers, claiming they need personal information on employees to “better protect their health.” 


Clearly, the pandemic is making it easier for cybercriminals to target mid-level managers. And that’s making email security more important than ever. However, even the best managers can’t be expected to catch every phishing attempt, particularly with how often managers are targeted and how sophisticated phishing scams have become. That’s why many organizations are turning to email security services like INKY. 

INKY is a true game-changer for email security. Utilizing computer visionartificial intelligence and machine learning, INKY is relentlessly effective, seeing the things that others cannot and protecting you from the full range of phishing threats including business email compromiseCEO fraudbrand spoofingspear phishing and more. 

Despite its complexity and power, INKY is incredibly easy to use. INKY offers gentle — but persistent — guidance through message banners on every email that empower you, your mid-level managers and the rest of your organization to help keep phishing at bay. And INKY’s ability to be present on mobile devices helps keep your organization protected wherever you or anyone else happens to be working. 

Reduce your worries during the pandemic and beyond with INKY. Try your personalized demo now. 

This blog was updated on August 26, 2021, and can be found here.


INKY® is the emerging hero in the war against phishing. An award-winning cloud-based email security solution, INKY® prevents the most complex phishing threats from disrupting or even immobilizing your company’s day-to-day business operations. Using computer vision, artificial intelligence, and machine learning, INKY® is the smartest investment you can make in the security of your organization. INKY® is a proud winner of the NYCx Cybersecurity Moonshot Challenge and finalist in the 2020 RSAC Innovation Sandbox Competition. Learn more about INKY® or request an online demonstration today.