In April of this year, which seems far longer than eight months ago, we posted about an alert from federal agencies warning that cyber threat actors were exploiting the coronavirus pandemic to fuel phishing and other attacks. Those efforts have continued throughout the year with attackers now retooling their messaging around the COVID-19 vaccine. Criminal threat actors know millions are clamoring for information about the vaccine and are working to meet that demand with false information, largely through phishing attacks.

According to an alert from the New Jersey Cybersecurity & Communications Integration Cell (NJCCIC):

COVID-19 vaccine-themed phishing emails may include subject lines that make reference to vaccine registration, information about vaccine coverage, locations to receive the vaccine, ways to reserve a vaccine, and vaccine requirements.

For business and/or personal reasons, millions are clamoring for vaccination information and may let their guard down when they see it. In the process, they may divulge sensitive or financial information, or open malicious links or attachments. Phishing campaigns may employ brand spoofing and impersonate well-known and trusted entities, such as government agencies playing a central and critical role in the response to COVID-19 and the vaccination rollout. Messages such as the one below, for example, can lure an individual to want to participate and provide helpful information.

Other forms of attack target individuals who want a vaccine with advertisements for supposedly “legitimate” vaccines that are nothing of the sort. Organizations such as New Jersey’s Office of Homeland Security and Preparedness are working to get accurate information about COVID-19 to the public, such as through its Rumor Control and Disinformation web page. However, having accurate information available may not do enough to foil these attacks.

Organizations may not be able to prevent all attacks, but there are steps they could take to minimize the chance and impact of a successful attack, and to be prepared to respond. Among those steps is the critical need to maintain a level of security awareness, in addition to training. Annual trainings are a start, but may not be enough to keep up with nimble threat actors who deftly reshape their messaging and methods to improve their chances of success. They take in developments around the world and adapt on a far more frequent basis than annually.

Employees should be trained to recognize phishing attacks and dangerous sites, and instructed not to reveal personal, financial or other confidential information about themselves, other employees, customers, and the company. However, ongoing reminders about the morphing nature of these kinds of attacks can be instrumental in preventing them. Considering the past year and the more recent rise in COVID-19 cases, it is easy to understand how compelling information about a vaccine can be, so much so that it may be easy to forget the warnings given during that annual training on an early Monday morning in February.

Joseph J. Lazzarotti

Joseph J. Lazzarotti is a principal in the Tampa, Florida, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Privacy and cybersecurity experience – Joe counsels multinational, national and regional companies in all industries on the broad array of laws, regulations, best practices, and preventive safeguards.

Benefits counseling experience – Joe’s work in the benefits counseling area covers many areas of employee benefits law.

Joe speaks and writes regularly on current employee benefits and data privacy and cybersecurity topics, and his work has been published in leading business and legal journals and media outlets, such as The Washington Post, Inside Counsel, Bloomberg, The National Law Journal, Financial Times, Business Insurance, HR Magazine and NPR, as well as the ABA Journal, The American Lawyer, Law360, Bender’s Labor and Employment Bulletin, the Australian Privacy Law Bulletin and the Privacy and Data Security Law Journal.