The COVID-19 pandemic has exposed the lengths and depths to which cybercriminals will go to compromise their victims and exploit a catastrophe. Early in the pandemic, criminals leveraged the confusion around the rapid shift to remote work to increase their attacks and launch email scams that took advantage of the lack of information available about efforts to fight the spread of the disease. Now that vaccines are available, cyberattacks have expanded to include phishing scams centered around vaccine access.
The FBI issued a warning in December about this emerging threat, outlining common email and phone scams. Things have only gotten worse in the ensuing months. Barracuda’s analyses found that vaccine-related emails were increasingly being used for spear phishing attacks. After the first vaccines were announced in November, these attacks increased by 12 percent. By the end of January, they were up by 26 percent.
Brand impersonation has been one of the go-to strategies for these attacks, with criminals impersonating healthcare providers, the Centers for Disease Control, the FDA, and vaccine manufacturers like Pfizer. In these attacks, the emails are crafted to trick people into providing personal information via links to phishing websites.
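The brand-impersonation pattern described above can be checked mechanically by comparing the brand a message claims with the domains it actually comes from and links to. The following is an added example, not code from the original article or from any vendor it mentions; the allow-list of legitimate domains, the function names and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list: brand keyword -> domains that brand legitimately uses.
BRAND_DOMAINS = {
    "cdc": {"cdc.gov"},
    "centers for disease control": {"cdc.gov"},
    "fda": {"fda.gov"},
    "pfizer": {"pfizer.com"},
}

# Constructed sample messages (not real traffic).
SPOOFED = (
    'From: "CDC Vaccine Waitlist" <notify@cdc-vaccine.example>\n'
    "Subject: Reserve your early vaccination slot\n\n"
    "Confirm your details at http://cdc-signup.example/waitlist today.\n"
)
LEGIT = (
    'From: "CDC Updates" <updates@cdc.gov>\n'
    "Subject: Vaccine information\n\n"
    "See https://www.cdc.gov/coronavirus for details.\n"
)

def _in_domains(host, domains):
    """True if host equals an allowed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def impersonation_findings(raw_message):
    """Return the reasons a message looks like brand impersonation."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    # The brand is "claimed" if it appears in the display name or subject.
    claimed = f"{display} {msg.get('Subject', '')}".lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    urls = re.findall(r"https?://[^\s\"'<>]+", body)
    link_hosts = sorted({urlparse(u).hostname or "" for u in urls})
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        if not re.search(r"\b" + re.escape(brand) + r"\b", claimed):
            continue
        if not _in_domains(sender_host, domains):
            findings.append(f"sender {sender_host} does not match claimed brand '{brand}'")
        for host in link_hosts:
            if not _in_domains(host, domains):
                findings.append(f"link to {host} does not match claimed brand '{brand}'")
    return findings
```

A sender-domain comparison like this does not cover mail sent from a compromised internal account, where the sending domain is the organization's own.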
Business email compromise (BEC) attacks leverage a compromised internal email account to disseminate vaccine-related phishing emails. Advertisements for vaccines have also begun to appear in underground forums and marketplaces. Sellers on these forums are charging hundreds of dollars for vaccine doses that are either of dubious provenance or non-existent.
Protecting your business and your clients will require a multi-pronged, holistic approach that includes both training and advanced cybersecurity technology:
Alert Staff and Clients About the Threat
Many of these phishing scams involve offers to join a vaccine waitlist, opportunities for early vaccination, or even more outrageous claims (like shipping the vaccine to your home). Ensure your employees and clients are aware that they can expect an uptick in these communications, and that they should avoid opening the emails or clicking on links or attachments.
Initiate user training so that staff know how to recognize common types of attacks and are aware of proper reporting procedures. There are also phishing simulation solutions available to evaluate your training programs and identify users that require additional attention.
Leverage Network Security Technology
Like other types of phishing attacks, these vaccine-based scams rely on exploiting human psychology as much as getting around the firewall. More complex attacks can be nearly impossible to detect using traditional email filters. Leveraging technology that uses artificial intelligence (AI) to better identify suspicious emails based on past activity is much more effective.
AI-based systems are also better at quickly recognizing account takeover attacks via compromised internal accounts. These solutions can identify the attack, issue alerts, and automatically remove malicious emails much more rapidly than manual approaches.
Revisit Internal Policies to Protect Against Fraud
Training and technology are only part of the solution. There has to be a good foundation of strong policies in place to protect data and financial information. Financial transactions should never be finalized via email alone (phone calls or in-person discussions should be required). Multi-layered approvals for financial and data transfers may also be necessary, depending on the business model.
Speed Up Migration Towards SaaS and Cloud
Look for opportunities to migrate away from legacy email infrastructure such as Microsoft Exchange Servers, and re-examine any on-premises software stack with a long-running process and inadequate support and maintenance resources. Moving to a SaaS offering from the same vendor will give you a better chance of fighting off attackers who feast on vulnerable software stacks. Software development tools and content management systems are just a couple of examples of business-critical applications that need to be considered in SaaS and cloud migration planning. These systems can be the feeding ground for lateral movement and for second- and third-wave attacks.
As was the case with the attacks launched early in the pandemic, these vaccine-related scams rely on general confusion, fear, unreliable information about the vaccines and the shortage of vaccines to exploit potential victims. For companies trying to protect their networks and data, education is a critical weapon. Employees should be educated about the emerging cyber threat and be given useful information (from the human resources department, for example) about vaccination schedules and availability, as well as legitimate links to local health resources and vaccination scheduling sites.
This type of training and information, combined with strong policies and AI-based technology, can help protect companies against cyber-attacks while work continues to constrain the pandemic.