Hackers stepped up vaccine-related phishing attacks between Nov 2020 and Jan 2021.
Cybersecurity attack data analyzed between October 2020 and January 2021 shows an expected increase in vaccine-related scams and phishing schemes, including a 12% spike in November.
As the world rushed to get supplies of test vaccines, hackers rushed to leverage the momentum generated by news coverage for use in their spear-phishing campaigns, peaking just as the first vaccines were being announced in November 2020.
According to Mark Lukie, Systems Engineer Manager, Barracuda (Asia-Pacific), which performed the analysis: “In the same way we’ve seen cybercriminals capitalize on the global pandemic with coronavirus-related phishing attacks, cybercriminals are now trying to leverage the vaccine to steal money and personal information.”
Vaccine social engineering
Capitalizing on hope, fear and uncertainty, the attacks can involve social engineering and other common tactics to lure victims.
Barracuda researchers identified two predominant types of spear-phishing attacks using vaccine-related themes: brand impersonation and business email compromise.
- In the brand impersonation attacks, scammers sent vaccine-related phishing emails that impersonated well-known brands and organizations and included links to phishing websites advertising early access to vaccines in exchange for payment. In some cases, scammers impersonated healthcare professionals requesting personal information to check eligibility for a vaccine.
- In the business email compromise (BEC) attacks, attackers posed as employees within an organization, or as HR specialists advising on vaccines for the organization.
BEC attacks are particularly dangerous, giving hackers access to business accounts that they can use to send mass phishing and spam campaigns to as many individuals as possible before their activity is detected and blocked.
According to Lukie, educating personnel and IT teams on recognizing and reporting these kinds of attacks is the first line of defence. Having stringent policies around how personal and financial information is handled can help all members of your organization to avoid falling for scammers’ tricks.
“This should ideally be backed up by a security solution that uses AI and machine learning to detect and remediate such attempts in real-time, which could mean the difference between a successful spear-phishing attack and an unsuccessful one,” he advised.