You can add one more coronavirus-related cybercrime effort to the list of unthinkables. On top of work-at-home scams, tax scams, and phony vaccine websites, cybercriminals are also using the COVID-19 vaccine to steal Microsoft software credentials, infect computer systems with malware, and cheat innocent victims out of sizable amounts of money.
Barracuda Networks researchers report that between October 2020 and January 2021, the average number of COVID-19 vaccine-related spear phishing attacks ballooned by 26 percent. “Spear phishing” attacks target specific individuals or companies; the scammers gather personal information about the target and use it to increase the attack’s probability of success.
The angles cybercriminals are working
Barracuda researchers found that the two types of vaccine-related spear phishing attacks employed the most were business email compromise and brand impersonation -- both methods that try to capitalize on fear and uncertainty by using urgency, social engineering, and other common tactics to lure victims into their cyber lair.
Phishing emails
In the phishing emails, the cybercriminals’ predominant move is to mimic a well-known brand or organization -- including the Centers for Disease Control and Prevention (CDC).
If they can get the victim to bite on that angle, the next move is to get the victim to click on a link to a phishing website that promotes one of three things: early access to vaccines, vaccinations in exchange for a payment, or a vaccine eligibility check.
Business email compromise
Over the last few years, cyber crooks have become quite fond of using business email compromise (BEC) to impersonate individuals within an organization or their company’s business partners. It’s been effective, too. In 2015, wireless-networking firm Ubiquiti Networks publicly disclosed that it had fallen for such a scam — and lost $46.7 million as a result.
According to the FBI’s Internet Crime Complaint Center (IC3), BEC scams rake in more than 150,000 complaints a year and cost businesses more than $2 billion.
“Recently, these highly targeted attacks turned to vaccine-related topics,” noted ThreatPost’s Fleming Shi. “We’ve seen attacks impersonating employees needing an urgent favor while they are getting a vaccine or an HR specialist advising that the organization has secured vaccines for their employees.”
Protecting against vaccine-related phishing
Both Shi and the FBI offered the public some sage advice on what to be on the lookout for and what to do when it comes to these spear phishing attempts.
Beware of offers to get the vaccine early: Shi says that the #1 thing everyone should be cautious of is offers to get the COVID-19 vaccine early, join a vaccine waiting list, or have the vaccine shipped directly to you. Don’t click on links -- and, even more importantly, don’t open attachments in these emails because they are usually malicious.
Look out for changes in email addresses: The FBI warns people to be wary of last-minute changes in established email account addresses. If you notice even the slightest change to someone’s email address, it’s worth confirming that the change is for real.
Enable multi-factor authentication for all email accounts: Multi-factor authentication’s strength comes in handy for more sensitive accounts, e.g. a business email address. Using a password manager to help create strong passwords is also a smart move.
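The “slightest change to someone’s email address” advice above is something a mail gateway or an analyst script can check mechanically. The following is an added example, not code from the article or from the FBI: it compares an incoming sender address against a constructed list of verified contacts (the addresses and domains are hypothetical) and flags domains that differ by a character or two, domains built from confusable characters such as “rn” for “m”, and domains that bury a real contact domain inside an unrelated one.

```python
"""Flag sender addresses that differ only slightly from a known-contact list.

Added example, not code from the article: a check a mail gateway or an analyst
could run before trusting a request that arrives from an address that looks
like, but is not, an established contact.
"""

# Constructed sample directory of verified contacts (hypothetical addresses).
KNOWN_CONTACTS = {
    "cfo@example-corp.com",
    "hr@example-corp.com",
    "ap@vendor-supplies.com",
}

# Character pairs that read alike in many fonts and get swapped into lookalike domains.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

# Verdicts ordered from least to most concerning.
SEVERITY = {
    "known": 0,
    "unknown": 1,
    "unknown-mailbox": 2,
    "embedded-domain": 3,
    "lookalike-domain": 4,
}


def normalize(domain: str) -> str:
    """Collapse confusable characters so 'exarnple.com' and 'example.com' compare equal."""
    d = domain.lower()
    for lookalike, plain in CONFUSABLES:
        d = d.replace(lookalike, plain)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance: number of single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(sender: str, known=KNOWN_CONTACTS):
    """Return (verdict, closest_known_contact) for a sender address."""
    sender = sender.strip().lower()
    if sender in known:
        return "known", sender
    domain = sender.rpartition("@")[2]
    best = ("unknown", None)
    for contact in known:
        k_domain = contact.rpartition("@")[2]
        if domain == k_domain:
            # Same real domain, unfamiliar mailbox: may be legitimate, but verify.
            verdict = "unknown-mailbox"
        elif normalize(domain) == normalize(k_domain) or levenshtein(domain, k_domain) <= 2:
            # One or two characters changed, or confusables swapped in.
            verdict = "lookalike-domain"
        elif k_domain in domain:
            # Real domain name buried inside an unrelated one, e.g. example.com.evil.net.
            verdict = "embedded-domain"
        else:
            continue
        if SEVERITY[verdict] > SEVERITY[best[0]]:
            best = (verdict, contact)
    return best


if __name__ == "__main__":
    for addr in ("cfo@example-corp.com", "cfo@exarnple-corp.com",
                 "ap@vendor-supplies.co", "ap@vendor-supplies.com.secure-login.net"):
        print(addr, "->", assess_sender(addr))
```

The edit-distance threshold of 2 is deliberately loose; on a real contact list with short domains it will produce false positives, which is the right trade-off for a check whose only action is “pick up the phone and confirm” rather than block.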
“I recommend everyone to follow good security practices such as using unique passwords for every service that they sign up to and using two-factor authentication whenever possible,” Jim Scott, a cybersecurity researcher, recently told ConsumerAffairs.
Prohibit automatic forwarding of email to external addresses: During one incident in August 2020, the FBI reported that a company using a web-based email service got hit because of an email rule that auto-forwarded emails containing the search terms "bank," "payment," "invoice," "wire," or "check" to the cybercriminal’s email address. Microsoft offers guidance on how to put that protection in place for Microsoft Office 365 users.
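Blocking external auto-forwarding at the tenant level is the fix; auditing the rules that already exist is how you find out whether the incident above has already happened to you. The following is an added example, not code from the article or from Microsoft: the rule records are a constructed, simplified export with hypothetical field names (not the real Exchange Online schema), and the scoring applies the article’s own indicator, a rule that forwards mail matching finance keywords to an outside address, plus two generic signs that a rule is meant to go unnoticed.

```python
"""Audit mailbox inbox rules for silent forwarding to outside addresses.

Added example, not code from the article or from Microsoft. The rule records
below are a constructed, simplified shape with hypothetical field names, not
the real Exchange Online export format; the logic is what an admin would apply
to a real rule export.
"""

INTERNAL_DOMAINS = {"example-corp.com"}

# The keywords the article reports the attacker's rule matched on: finance terms
# that signal a rule is hunting for payment traffic.
FINANCE_TERMS = {"bank", "payment", "invoice", "wire", "check"}

# Constructed sample of inbox rules (hypothetical mailboxes and addresses).
SAMPLE_RULES = [
    {"mailbox": "ap@example-corp.com", "name": "Archive newsletters",
     "forward_to": [], "subject_or_body_contains": ["newsletter"],
     "delete_message": False, "move_to_folder": "Archive"},
    {"mailbox": "ap@example-corp.com", "name": ".",
     "forward_to": ["collect0r@mail-drop.example.net"],
     "subject_or_body_contains": ["bank", "payment", "invoice", "wire", "check"],
     "delete_message": False, "move_to_folder": "RSS Subscriptions"},
    {"mailbox": "hr@example-corp.com", "name": "Copy to assistant",
     "forward_to": ["assistant@example-corp.com"],
     "subject_or_body_contains": [], "delete_message": False, "move_to_folder": None},
    {"mailbox": "cfo@example-corp.com", "name": "Personal copy",
     "forward_to": ["cfo.personal@webmail.example"],
     "subject_or_body_contains": [], "delete_message": True, "move_to_folder": None},
]


def is_external(address: str, internal_domains) -> bool:
    """True when the address's domain is not one of the organisation's own."""
    return address.rpartition("@")[2].lower() not in internal_domains


def audit_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return findings for every rule that forwards outside, highest score first."""
    findings = []
    for rule in rules:
        external = [a for a in rule["forward_to"] if is_external(a, internal_domains)]
        if not external:
            continue  # internal-only forwarding is out of scope for this audit
        reasons = ["forwards to external address(es): " + ", ".join(external)]
        score = 1
        hits = sorted({t.lower() for t in rule["subject_or_body_contains"]} & FINANCE_TERMS)
        if hits:
            reasons.append("matches finance keywords: " + ", ".join(hits))
            score += 2
        if rule["delete_message"] or rule["move_to_folder"] not in (None, "Inbox"):
            reasons.append("hides matched mail from the owner (delete or move)")
            score += 1
        if len(rule["name"].strip(". _-")) < 2:
            reasons.append("near-empty rule name, easy to overlook in the rule list")
            score += 1
        findings.append({"mailbox": rule["mailbox"], "rule": rule["name"],
                         "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(f"[{finding['score']}] {finding['mailbox']} rule {finding['rule']!r}")
        for reason in finding["reasons"]:
            print("    -", reason)
```

Run against a real export, the highest-scoring findings are the ones to disable first and then treat as evidence of an already-compromised mailbox: a rule like the second sample exists only because someone other than the owner created it, so the password reset and MFA enrolment the article recommends should follow immediately.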
What to do if you’re scammed
The FBI classifies business email compromise as a “sophisticated” scam, but not all may be lost if you fall for it. When someone is scammed by a BEC, the FBI recommends taking these steps:
Contact the originating Financial Institution as soon as fraud is recognized to request a recall or reversal, as well as a Hold Harmless Letter or Letter of Indemnity.
File a detailed complaint with www.ic3.gov. It is vital that the complaint contains all required data in provided fields, including banking information.