Beware of phishing campaigns that use the COVID-19 vaccination as a hook.
In the same way they’ve capitalized on the global pandemic with coronavirus-related phishing attacks, cybercriminals are now trying to leverage the vaccine to steal money and personal information. The FBI issued a warning in December about emerging fraud schemes related to COVID-19 vaccines.
In an analysis conducted between October 2020 and January 2021, Barracuda researchers found that hackers are increasingly using vaccine-related emails in their targeted spear-phishing attacks. After pharmaceutical companies like Pfizer and Moderna announced availability of vaccines in November 2020, the number of vaccine-related spear-phishing attacks increased by 12%. By the end of January, the average number of vaccine-related spear-phishing attacks was up 26% since October.
Here’s a closer look at the latest vaccine-related phishing attacks and solutions to help detect, block, and recover from them.
Vaccine-related phishing — Cybercriminals are taking advantage of the heightened focus on the COVID-19 vaccine to launch spear-phishing attacks. Capitalizing on fear and uncertainty, the attacks use urgency, social engineering, and other common tactics to lure victims.
As pharmaceutical companies rushed to develop and test vaccines, hackers rushed to leverage the momentum generated by news coverage in their phishing campaigns. The number of spear-phishing attacks targeting businesses peaked just as the first vaccines were being announced. They leveled off during the holidays. (Attacks targeting businesses typically decline substantially during the holiday season.)
While most of the vaccine-related phishing attacks analyzed by Barracuda researchers were scams, many used more targeted techniques such as brand impersonation and business email compromise.
Vaccine-related phishing emails impersonated a well-known brand or organization and included a link to a phishing website advertising early access to vaccines, offering vaccinations in exchange for a payment, or even impersonating health care professionals requesting personal information to check eligibility for a vaccine.
Business email compromise
Attackers use business email compromise (BEC) to impersonate individuals within an organization or their business partners. In recent years, it has been one of the most damaging email threats, costing businesses over $26 billion. Recently, these highly targeted attacks turned to vaccine-related topics. We’ve seen attacks impersonating employees needing an urgent favor while they are getting a vaccine or an HR specialist advising that the organization has secured vaccines for their employees.
Use of compromised accounts in vaccine-related fraud
Barracuda researchers have visibility not only into email messages coming from outside organizations but also into internal communication. As a result, they see a lot of fraudulent messages being sent internally, usually from compromised accounts.
Cybercriminals use phishing attacks to compromise and take over business accounts. Once inside, more sophisticated hackers will conduct reconnaissance activity before launching targeted attacks. More often than not, they use these legitimate accounts to send mass phishing and spam campaigns to as many individuals as possible before their activity is detected and they are locked out of an account.
That’s why, when looking at these lateral phishing attacks over time, there are huge spikes of activity. Interestingly, vaccine-related lateral phishing attacks spike around the same time as major COVID-19 vaccines are announced and approved around the world.
Protecting against vaccine-related phishing
Be skeptical of all vaccine-related emails
Some email scams include offers to get the COVID-19 vaccine early, join a vaccine waiting list, and have the vaccine shipped directly to you. Don’t click on links or open attachments in these emails, as they are typically malicious.
Take advantage of artificial intelligence
Scammers are adapting email tactics to bypass gateways and spam filters, so it’s critical to have a solution that detects and protects against spear-phishing attacks, including brand impersonation, business email compromise, and email account takeover. Deploy purpose-built technology that doesn't rely solely on looking for malicious links or attachments. Using machine learning to analyze normal communication patterns within your organization allows the solution to spot anomalies that may indicate an attack.
Deploy account-takeover protection
Don’t just focus on external email messages. Some of the most devastating and successful spear-phishing attacks originate from compromised internal accounts. Be sure scammers aren’t using your organization as a base camp to launch these attacks. Deploy technology that uses artificial intelligence to recognize when accounts have been compromised and that remediates in real time by alerting users and removing malicious emails sent from compromised accounts.
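A minimal heuristic for the lateral-phishing pattern described above (a compromised internal account sending vaccine-themed mail to many colleagues in a short burst), added here as an illustration and not Barracuda's detection method. The record layout, the `example.com` domain, the keyword list, and the thresholds are all assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.com"   # assumption: the organization's mail domain
WINDOW = timedelta(minutes=10)    # assumption: burst window
BURST_RECIPIENTS = 20             # assumption: distinct-recipient threshold
VACCINE_RE = re.compile(r"\b(vaccin\w*|covid(-19)?|pfizer|moderna)\b", re.I)

# Constructed sample log: (ISO timestamp, sender, recipient, subject)
SAMPLE = (
    [("2021-01-12T09:00:00", "hr@example.com", "all-staff@example.com",
      "COVID-19 vaccine policy update")]
    + [(f"2021-01-12T14:0{i % 5}:00", "j.doe@example.com",
        f"user{i}@example.com", "Urgent: confirm your vaccine appointment")
       for i in range(25)]
    + [("2021-01-12T14:02:00", "j.doe@example.com", "partner@example.org",
        "Q1 invoice")]
)

def is_internal(addr):
    return addr.lower().endswith("@" + INTERNAL_DOMAIN)

def find_lateral_bursts(records, window=WINDOW, threshold=BURST_RECIPIENTS):
    """Map each flagged internal sender to the largest number of distinct
    internal recipients it sent vaccine-themed mail to within one window."""
    themed = defaultdict(list)
    for ts, sender, rcpt, subject in records:
        if is_internal(sender) and is_internal(rcpt) and VACCINE_RE.search(subject):
            themed[sender.lower()].append((datetime.fromisoformat(ts), rcpt.lower()))
    flagged = {}
    for sender, events in themed.items():
        events.sort()
        start = best = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({r for _, r in events[start:end + 1]}))
        if best >= threshold:
            flagged[sender] = best
    return flagged

if __name__ == "__main__":
    for sender, count in find_lateral_bursts(SAMPLE).items():
        print(f"review {sender}: {count} internal recipients in {WINDOW}")
```

A single themed announcement from HR stays below the threshold, while the burst from one mailbox to 25 colleagues is surfaced for review; real deployments would compare against each sender's own baseline rather than a fixed number.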
Train staffers to recognize and report attacks
Educate your users about spear-phishing attacks. Provide employees with up-to-date user awareness training about vaccine-related phishing, seasonal scams, and other potential threats. Ensure staffers can recognize the latest attacks and know how to report them to IT right away. Use phishing simulation for email, voicemail, and SMS to train users to identify cyberattacks, test the effectiveness of your training, and evaluate the most vulnerable users.
Set up strong internal policies to prevent fraud
All companies should establish policies, and regularly review existing ones, to ensure that personal and financial information is handled properly. Help employees avoid making costly mistakes by creating guidelines and putting procedures in place to confirm all email requests for wire transfers and payment changes. Require in-person or telephone confirmation and/or approval from multiple people for all financial transactions.
This Threat Spotlight was authored by Fleming Shi with research support from Tanner Arrizabalaga, Wenting Zhang, Tanvee Desai, and Olesia Klevchuk of the Barracuda Sentinel team.
Fleming Shi is Chief Technology Officer at Barracuda, where he leads the company’s threat research and innovation engineering teams in building future technology platforms. He has more than 20 patents granted or pending in network and content security.