Throughout 2020 we saw cybercriminals leveraging the COVID-19 pandemic as a way to execute phishing scams.
And while we’re now a year into this pandemic, criminals are still using COVID-19 as a way to lure in phishing victims, but now the carrot is vaccines.
Researchers at Mimecast have identified several phishing campaigns which leverage the rush to get vaccines as a way to tempt people into taking actions they may not ordinarily take. The concern is just how convincing these phishing attempts look.
It’s not just surveys though. Some phishing emails appear to alert employees that they have tested positive for COVID-19 before directing them to an external link.
From there criminals can glean usernames, passwords and other information rather easily.
“Any person that makes the mistake of clicking on the links in these emails or submitting their real login details to the false websites could not only compromise their own security, but potentially put their entire organisation at risk,” explains Brian Pinnock, a cybersecurity expert at Mimecast.
“This highlights the need for organisations to conduct regular cybersecurity awareness training to ensure every employee knows how to identify – and more importantly, avoid – risky behaviour. This should be built into any security team’s defence in depth strategy, which ensures cyberattacks don’t make their way into an organisation, by using multiple layers of security, including having a cyber aware workforce,” the researcher added.
Some tips the researcher highlights include:
- Be proactive: Go directly to your local government website/hospital to get the information that you need and assume attackers are taking advantage of this time of disruption.
- Be suspicious of emails, phone calls, or messages from people you don’t know, trying to get your attention with updates about the vaccines.
- Always check URLs. Hackers are creating sites that look like official healthcare institutions and vaccine providers. Navigate directly to official websites such as the Department of Health.
- Use a strong, unique password for every account you sign up for, and use MFA/2FA whenever possible.
- Don’t connect to networks you don’t recognise. Research vaccine information on your secure home WiFi network, which should be protected by a strong password.
- Be extra cautious if you’re using a company-owned device – threat actors seek access to the organisation you work for, with the intention of stealing data.
- Make sure your device has the most current updates and patches.
- Be on the lookout for vishing (voice phishing) attempts – be very suspicious of any caller who asks you to share login information over the phone.
“With interest in vaccine-related information at an all-time high as countries roll out COVID-19 vaccines, cybercriminals are seeing a golden opportunity to subvert user behaviour in their attempts at compromising company networks, with monetary gain the most likely objective,” says Pinnock.
Cybercriminals aren’t letting up and we suspect it will be a long time before we can say goodbye to COVID-19 related scams.