After capitalising on the global pandemic with coronavirus-related phishing attacks, cybercriminals are now shifting their focus towards leveraging the vaccine to steal money and personal information. In an analysis conducted between October 2020 and January 2021, researchers at Barracuda Networks, a trusted partner and a leading provider of cloud-enabled security solutions, found that hackers are increasingly using vaccine-related emails in their targeted spear-phishing attacks. The number of vaccine-related phishing attacks increased by 12% after pharmaceutical companies like Pfizer and Moderna announced the availability of vaccines in November 2020 and by the end of January 2021, the average number of attacks was up 26%.
Cybercriminals are taking advantage of the heightened fear and uncertainty prevailing around the COVID-19 vaccine to launch attacks using urgency, social engineering, and other common tactics to lure victims. Barracuda researchers identified two predominant types of spear-phishing attacks using vaccine-related themes: brand impersonation and business email compromise.
While most vaccine-related phishing attacks analysed by Barracuda researchers were scams, many used more targeted techniques such as brand impersonation and business email compromise. Vaccine-related phishing emails impersonated a well-known brand or organisation and included a link to a phishing website advertising early access to vaccines, offering vaccinations in exchange for a payment, or even impersonating health care professionals requesting personal information to check eligibility for a vaccine.
Business Email Compromise (BEC), which has been one of the most damaging email threats in the past few years, costing businesses over US$26 billion dollars is now being used by attackers for vaccine-related topics. Attackers are conducting highly targeted attacks to impersonate employees needing an urgent favour while they are getting a vaccine or an HR specialist advising that the organisation has secured vaccines for their employees.
Speaking on the threat spotlight, Murali Urs, Barracuda Networks India said, “At Barracuda, we can identify email messages coming not just from outside of the organisations but also internal communication. As a result, a lot of fraudulent messages are being sent internally, usually from compromised accounts. Cybercriminals use phishing attacks to compromise and take over business accounts. Once inside, sophisticated hackers conduct reconnaissance activity before launching targeted attacks. They mostly use legitimate accounts to send mass phishing and spam campaigns to as many individuals as possible before their activity is detected and they are locked out of an account. That’s why when looking at these lateral phishing attacks over time, we see these huge spikes of activity. Interestingly, vaccine-related lateral phishing attacks have been spiking around the same time when major COVID-19 vaccines are announced and approved around the world.”
To ensure protection against vaccine-related phishing, businesses need to stay vigilant of all vaccine-related emails. They must avoid clicking on typical links or open attachments that include offers to get the COVID-19 vaccine early, join a vaccine waiting list, and have the vaccine shipped directly to you.
Malicious scammers are adapting email tactics to bypass gateways and spam filters. Businesses need to deploy purpose-built technologies like machine learning to analyse normal communication patterns within their organizations to spot anomalies that may indicate an attack. Moreover, considering that the most devastating and successful spear-phishing attacks originate from compromised internal accounts, businesses should also deploy technology that uses artificial intelligence to recognise the compromised accounts and alert users to remove the malicious emails sent from compromised accounts. They must also arrange for account-takeover protection to ensure that scammers are not using their organisation as a base camp to launch attacks.
Educating the users and employees with up-to-date user awareness training about vaccine-related phishing, seasonal scams, and other potential threats are yet another significant step to avert such attacks. Using phishing simulation for email, voicemail, and SMS can train users to identify cyberattacks, test the effectiveness of the training, and evaluate the most vulnerable users.
All companies should establish and regularly review existing policies, to ensure that personal and financial information is handled properly. They should set up strong internal policies to prevent any kind of fraud in the future.