We’re protecting people from the coronavirus, but opening them up to other attacks.
The rapid rollout of vaccines to protect against the most harmful effects of the novel coronavirus, COVID-19, has been one of the triumphs of modern science and medicine. Barely a year after the coronavirus was identified as a threat, we now have multiple working vaccines that are being deployed around the world. Lives are being saved.
But just as quickly as we’re protecting people from the coronavirus, we’re opening up the opportunity for them to be struck by a different plight: hack attacks based around the promise of vaccines.
People are yearning to receive the vaccine, and cyber criminals know that all too well. They’re launching phishing campaigns aimed at targeting people’s desire to be inoculated, and finding massive success. According to Webroot, a cybersecurity company, there has been a 336% increase in phishing domains found by the firm since the world’s first person received their dose of the COVID-19 vaccine.
A huge risk to the public at large
“As 2021 brings the first mass vaccination programs to fight COVID-19, we’re already seeing cybercriminals exploiting the publicity and anticipation surrounding these to target businesses and consumers in phishing and domain spoofing attacks,” says Nick Emanuel, senior director of product at Webroot.
“Scams using keywords based on emotive subjects concerning medical safety and the pandemic are always going to be more effective, especially when they’re in the public interest.”
It’s something that has become more of a concern as the death toll due to the coronavirus pandemic mounts, and people become more panicked about the risks to them personally and more willing to take chances clicking links they ordinarily wouldn’t. The social engineering aspect of preying on people’s fears has been combined with the shift to remote working to cause a perfect storm that works well for criminals.
“Remote work has forced many employees to use personal devices for business-related activities, which presents unique security concerns. With a higher prevalence of malware and generally fewer security defences in place, it’s easier for malware to slip into the corporate network via an employee’s personal device. For businesses, better security systems and training are key for protection, along with backing up data.”
The scams in numbers
It’s a tempting lure for victims to fall prey to: you’re told that you’re next in line to receive the vaccine, but you have to provide information, including bank account details, in order to make sure you’re who you say you are. Once you’ve given them away, you realise you’ve fallen victim to a scam of the worst kind.
Webroot’s analysis shows that these phishing scams aren’t simplistic, and they’re being carried out at a massive, unparalleled scale. The analysis identified more than 4,500 suspicious new domains.
The phishing URLs included terms like “COVID-19,” “Corona,” “Vaccine,” “Cure COVID” and more.
Of those 4,500 domain names, 934 specifically included the word “vaccine”, in an attempt to convince people that they could gain access to jabs by using the website. A further 611 contained a misspelling of the word “vaccine”, showing that the perpetrators were trying to trick people into thinking that they were visiting an official website when they weren’t.
Some domain names that Webroot found particularly concerning included titles such as: “COVID Validator,” “Testing Update,” “COVID Travelcard” and “Private Vaccine,” among others.
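As an added illustration (not Webroot's method and not code from the article), the keyword and misspelling patterns described above can be turned into a simple triage check for newly observed domains. The sample domains, the one-edit threshold and the `vaccinat` stem exception are assumptions made for this example.

```python
"""Triage newly observed domains for pandemic-themed lures (added example)."""

# Terms the article lists in phishing URLs; "Cure COVID" is covered by "covid".
KEYWORDS = ("covid", "corona")
TARGET = "vaccine"
LEGIT_STEM = "vaccinat"  # assumption: "vaccination"/"vaccinated" are not typos

def edit_distance(a, b):
    """Optimal string alignment: Levenshtein plus adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify(domain):
    """Return 'vaccine', 'vaccine-misspelling', 'pandemic-keyword' or None."""
    name = domain.lower().rstrip(".").rsplit(".", 1)[0]  # drop the TLD
    if TARGET in name:
        return "vaccine"
    masked = name.replace(LEGIT_STEM, " ")
    # Slide windows one character shorter, equal and longer than the target so
    # a dropped, swapped, substituted or inserted letter is caught even when
    # the word is glued to others ("getvacinenow").
    for size in (len(TARGET) - 1, len(TARGET), len(TARGET) + 1):
        for i in range(len(masked) - size + 1):
            if edit_distance(masked[i:i + size], TARGET) == 1:
                return "vaccine-misspelling"
    if any(k in name for k in KEYWORDS):
        return "pandemic-keyword"
    return None

# Constructed sample input (reserved .example TLD), not domains from the report.
SAMPLE = ["get-vaccine-now.example", "private-vacine.example",
          "vaccnie-booking.example", "covid-travelcard.example",
          "vaccination-info.example", "weather-report.example"]

def triage(domains):
    """Map each domain to its label, keeping only the flagged ones."""
    return {d: label for d in domains if (label := classify(d))}

if __name__ == "__main__":
    for domain, label in triage(SAMPLE).items():
        print(f"{label:20} {domain}")
```

A label here is a reason to review a domain, not a verdict: legitimate health services also register names containing these terms, so matches should feed an analyst queue or be combined with registration age and reputation data.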
“For individuals, defending against these kinds of attacks should involve security awareness training and remaining vigilant in scrutinising the types of emails they receive,” says Emanuel. “This should also be underpinned by cybersecurity technology such as email filtering, anti-virus protection, and strong password policies.”