Phishing campaigns that use the COVID-19 vaccination as bait are becoming more popular in recent months. In the same way that a year ago threat actors capitalized on the start of the global pandemic with coronavirus-related phishing attacks, cybercriminals are now trying to leverage the vaccine to steal money, credentials, and personal information. The FBI issued a warning in December about emerging fraud schemes related to COVID-19 vaccines.
Researchers at our email security vendor, Barracuda, conducted an analysis of emails between October 2020 and January 2021, and found that hackers are increasingly using vaccine-related emails in their targeted spear-phishing attacks. After pharmaceutical companies like Pfizer and Moderna announced the availability of vaccines in November 2020, the number of vaccine-related spear-phishing attacks increased by 12%. By the end of January, the average number of vaccine-related spear-phishing attacks was up 26% since October.
The primary weapon of choice for attackers is Spear-Phishing Emails, capitalizing on fear and uncertainty, the attacks using urgency, social engineering, and other common tactics to lure victims. Two predominant types of spear-phishing attacks using vaccine-related themes have been identified: brand impersonation and business email compromise.
Vaccine-related phishing emails impersonated a well-known brand or organization and included a link to a phishing website advertising early access to vaccines, offering vaccinations in exchange for a payment, or even impersonating health care professionals requesting personal information to check eligibility for a vaccine.
Business Email Compromise
Business Email Compromise, or BEC, is a common attack technique. In this method, attackers impersonate individuals within an organization. Recently, these highly-targeted attacks turned to vaccine-related topics. Examples include impersonating employees needing an urgent favor while they are getting a vaccine or an HR specialist advising that the organization has secured vaccines for their employees.
Protecting Your Organization Against Vaccine-Related Phishing Emails
- Be skeptical of any & all vaccine-related emails: Be vigilant for any emails related to a vaccine. Some email scams include offers to get the COVID-19 vaccine early, join a vaccine waiting list, and have the vaccine shipped directly to you. Don’t click on links or open attachments in these emails, as they are typically malicious
- Take advantage of technology designed to protect you against these attacks: Attackers are constantly adapting their tactics to bypass gateways and spam filters, so it’s critical to have a solution that detects and protects against spear-phishing attacks, including brand impersonation, business email compromise, and email account takeover.
- Ensure you have account-takeover protection deployed: Don’t just focus on external email messages. Some of the most devastating and successful spear-phishing attacks originate from compromised internal email accounts. Be sure scammers aren’t using your organization as a base camp to launch these attacks. Deploy technology that uses artificial intelligence to recognize when accounts have been compromised and that remediates in real-time by alerting users and removing malicious emails sent from compromised accounts. Ask your IT provider if the solution you are using has this capability.
- Train employees to recognize and report attacks: Educate your end-users about spear-phishing attacks. Provide employees with up-to-date user awareness training about vaccine-related phishing, seasonal scams, and other potential threats. Ensure your staff can recognize the latest attacks and know how to report them to management or IT right away. Finally, test the effectiveness of your training, and evaluate the most vulnerable users.
- Create strong internal policies to prevent fraud: Businesses of any size should establish and regularly review policies on their IT security, to ensure that personal and financial information is handled properly. Help employees avoid making costly mistakes by creating guidelines and putting procedures in place to confirm all email requests for wire transfers and payment changes. Require in-person or telephone confirmation and/or approval from multiple people for all financial transactions.
If you have any concerns about your email security, please contact Partek for a zero-commitment audit on your IT infrastructure.