Covid vaccines are now an excuse to launch phishing attacks

We’re protecting people from the coronavirus, but opening them up to other attacks.

The rapid rollout of vaccines to protect against the most harmful effects of the novel coronavirus, COVID-19, has been one of the triumphs of modern science and medicine. Barely a year after the coronavirus was identified as a threat, we now have multiple working vaccines that are being deployed around the world. Lives are being saved.

But just as quickly as we’re protecting people from the coronavirus, we’re opening up the opportunity for them to be struck by a different plight: hack attacks based around the promise of vaccines. 

People are yearning to receive the vaccine, and cyber criminals know that all too well. They’re launching phishing campaigns aimed at targeting people’s desire to be inoculated, and finding massive success. According to Webroot, a cybersecurity company, there has been a 336% increase in phishing domains found by the firm since the world’s first person received their dose of the COVID-19 vaccine.

A huge risk to the public at large

“As 2021 brings the first mass vaccination programs to fight COVID-19, we’re already seeing cybercriminals exploiting the publicity and anticipation surrounding these to target businesses and consumers in phishing and domain spoofing attacks,” says Nick Emanuel, senior director of product at Webroot.

“Scams using keywords based on emotive subjects concerning medical safety and the pandemic are always going to be more effective, especially when they’re in the public interest.”

It’s something that has become more of a concern as the death toll due to the coronavirus pandemic mounts, and people become more panicked about the risks to them personally, and are willing to take chances clicking links they perhaps ordinarily otherwise wouldn’t. The social engineering aspect of preying on people’s fears has been combined with the shift to remote working to cause a perfect storm that works well for criminals.

“Remote work has forced many employees to use personal devices for business-related activities, which presents unique security concerns. With a higher prevalence of malware and generally fewer security defences in place, it’s easier for malware to slip into the corporate network via an employee’s personal device. For businesses, better security systems and training are key for protection, along with backing up data.”

The scams in numbers

It’s a tempting lure for victims to fall prey to: you’re told that you’re next in line to receive the vaccine, but you have to provide information, including bank account details, in order to make sure you’re who you say you are. Once you’ve given them away, you realise you’ve fallen victim to a scam of the worst kind.

Webroot’s analysis shows that these phishing scams aren’t simplistic, and they’re being carried out at a massive, unparalleled scale. More than 4,500 suspicious new domains were identified by Webroot when they looked at their analysis.

The phishing URLs included terms like ‘COVID-19,’ ‘Corona,’ ‘Vaccine,’ ‘Cure COVID’ and more.

Of those 4,500 domain names, 934 specifically included the word ‘vaccine’, in an attempt to convince people that they could gain access to jabs by using the website. A further 611 contained a misspelling of the word ‘vaccine’, showing that the perpetrators were trying to trick people into thinking that they were visiting an official website when they weren’t.

Some domain names that Webroot found particularly concerning included titles such as: ‘COVID Validator,’ ‘Testing Update,’ ‘COVID Travelcard’ and ‘Private Vaccine,’ among others.

“For individuals, defending against these kinds of attacks should involve security awareness training and remaining vigilant in scrutinising the types of emails they receive,” says Emanuel. “This should also be underpinned by cybersecurity technology such as email filtering, anti-virus protection, and strong password policies.”