Cybercriminals leveraging the Covid-19 vaccine rush to breach people

Mimecast has warned of phishing campaigns by global cybercriminals aiming to leverage the hype around vaccine rollouts to trick unsuspecting users into potentially risky behaviour. The email campaigns were detected by Mimecast researchers, and include seemingly legitimate communication from HR departments asking recipients to register for surveys, view supposed vaccination schedules, or log into fake landing pages using their actual login details.

"Any person that makes the mistake of clicking on the links in these emails or submitting their real login details to the false websites could not only compromise their own security, but potentially put their entire organisation at risk," says Brian Pinnock, cybersecurity expert at Mimecast. "This highlights the need for organisations to conduct regular cybersecurity awareness training to ensure every employee knows how to identify - and more importantly, avoid - risky behaviour. This should be built into any security team’s defence in depth strategy, which ensures cyberattacks don’t make their way into an organisation, by using multiple layers of security, including having a cyber aware workforce. With interest in vaccine-related information at an all-time high as countries roll out COVID-19 vaccines, cybercriminals are seeing a golden opportunity to subvert user behaviour in their attempts at compromising company networks, with monetary gain the most likely objective."

Mimecast has provided a list of tips to help keep employees safe from this type of email-based attack:

  • Be proactive: Go directly to your local government website/hospital to get the information that you need and assume attackers are taking advantage of this time of disruption.
  • Be suspicious of emails, phone calls, or messages from people you don’t know, trying to get your attention with updates about the vaccines.
  • Always check URLs. Hackers are creating sites that look like official healthcare institutions and vaccine providers. Navigate directly to official websites such as the Department of Health.
  • Use strong and unique passwords for all your accounts when signing up for an account and use MFA/2FA whenever possible.
  • Don’t connect to networks you don’t recognise. Research vaccine information on your secure home WiFi network, which should be protected by a strong password.
  • Be extra cautious if you’re using a company-owned device - threat actors seek access to the organisation you work for, with the intention of stealing data.  
  • Make sure your device has the most current updates and patches.
  • Be on the lookout for Vishing attempts - be very suspicious of any caller who asks you to share login information over the phone.