(Special thanks to author Fleming Shi, CTO of Barracuda Networks. Credit also to the Federal Communications Commission for their data on vaccine-related phishing scams. Contents have been edited for length. Please enjoy this very interesting and informative read!
Corporate Armor can help you with solutions that fight phishing campaigns and other scams, including solutions from Fortinet, Check Point, and Barracuda Sentinel (reach out to us). But some of the best defense against phishing-type scams is alertness and common sense.)
Well, effective COVID-19 vaccines are thankfully being distributed. And “herd immunity” is hopefully on the way. But of course, scammers are trying to capitalize on the rollout.
For example, the Federal Trade Commission has posted an alert about COVID-19 vaccine phishing scams. In this case, it’s a ‘survey.’ People are getting emails and texts asking them to complete a limited-time survey. These “surveys” are about the Pfizer, Moderna, or AstraZeneca vaccines. In exchange, they get a “free reward,” for which they’re asked to pay shipping fees. This is a scam. There’s no survey and no reward. So do NOT respond to any such message and don’t click any links.
Phishing scams that use the COVID-19 vaccination as a hook
Cybercriminals have capitalized on the global pandemic with coronavirus-related phishing attacks. Now they are trying to leverage the vaccine to steal money and personal information. The FBI issued a warning in December about emerging COVID-related fraud schemes.
Barracuda Networks researchers found that hackers are using vaccine-related emails in their targeted spear-phishing attacks. Pharmaceutical companies like Pfizer and Moderna announced availability of vaccines in November 2020. Predictably, the number of vaccine-related spear-phishing attacks increased by 26% by January.
These scams capitalize on fear and uncertainty. The attacks use urgency, social engineering, and other common tactics to lure victims. The researchers identified two predominant types of vaccine-related spear-phishing attacks. They are brand impersonation and business email compromise.
Vaccine-related phishing scams impersonate a well-known brand or organization. They often include a link to a phishing website advertising early access to vaccines. In exchange for a payment, of course. They may even impersonate health care professionals requesting personal information to check eligibility for a vaccine.
Business email compromise
Cybercriminals also use phishing attacks to compromise and take over business accounts. Once inside, more sophisticated hackers will conduct reconnaissance activity. Then, they launch targeted attacks. Usually, they use these legitimate accounts to send mass phishing and spam campaigns. These will be sent to as many individuals as possible before their activity is detected and they are shut down.
Protecting against vaccine-related phishing scams
Be skeptical of all vaccine-related emails. Some email scams include offers to get the COVID-19 vaccine early, join a vaccine waiting list, or have the vaccine shipped directly. These are fraudulent.
Here’s some more good advice from the FTC
Don’t pay to sign up for the vaccine. Anyone who asks for a payment to put you on a list or make an appointment is a scammer. Also, ignore sales ads for the COVID-19 vaccine. You can’t buy it anywhere, including online pharmacies. The vaccine is only available at federal and state-approved locations, places like vaccination centers and pharmacies.
Also, watch for unexpected or unusual texts. Don’t click on links in text messages – especially messages you didn’t expect. If your health care provider or pharmacist has used text messages to contact you in the past, you might get a text from them about the vaccine. If you get a text, call your health care provider or pharmacist directly to make sure they sent the text. Scammers are texting, too.
Don’t open emails, attachments, or links from people you don’t know, OR that come unexpectedly. You could download dangerous malware onto your computer or phone. And don’t share your personal, financial, or health information with people you don’t know. This is pretty much ALWAYS true in every circumstance. Just common sense. But no one from a vaccine distribution site, health care provider, pharmacy, health insurance company or Medicare, will call, text, or email you asking for your Social Security, credit card, or bank account number to sign you up to get the vaccine. PERIOD.
In short, you can’t pay to skip the line or reserve your spot. OR to join a clinical trial. Be wary of any inbound calls or texts that ask for your Social Security number, financial details, or insurance information. For ANY reason.
And report COVID-19 phishing scams to the FTC online at reportfraud.ftc.gov.
FCC Consumer Information
The FCC COVID-19 Consumer Guide has information about coronavirus scams and how you can avoid becoming a victim, along with helpful tips on cell phone hygiene and optimizing your home wireless network, and more.
Tips for COVID phishing scams
- Don’t open emails, attachments, or links from people you don’t know
- Don’t share your personal, financial, or health information with strangers
- You can’t pay to skip the line or reserve your spot for a COVID vaccine
- The vaccine is only available at federal and state-approved locations