In April of this year, which seems far longer than eight months ago, we posted about an alert from federal agencies warning that cyber threat actors were exploiting the coronavirus pandemic to fuel phishing and other attacks. Those efforts have continued throughout the year, and attackers have now retooled their lures around the COVID-19 vaccine. Criminal threat actors know that millions of people want information about the vaccine, and they are working to meet that demand with false information, largely through phishing attacks.

According to an alert from the New Jersey Cybersecurity & Communications Integration Cell (NJCCIC):

COVID-19 vaccine-themed phishing emails may include subject lines that make reference to vaccine registration, information about vaccine coverage, locations to receive the vaccine, ways to reserve a vaccine, and vaccine requirements.

Whether for business or personal reasons, millions of people want vaccination information and may let their guard down when it appears to arrive. In the process, they may divulge sensitive or financial information, or open malicious links or attachments. Phishing campaigns may employ brand spoofing and impersonate well-known and trusted entities, such as government agencies playing a central and critical role in the response to COVID-19 and the vaccine rollout. Messages such as the one below, for example, can lure a recipient into "participating" and handing over information that seems helpful to provide.

Other attacks target people who want a vaccine with advertisements for supposedly "legitimate" vaccines that are nothing of the sort. Organizations such as New Jersey's Office of Homeland Security and Preparedness are working to get accurate information about COVID-19 to the public, for example through its Rumor Control and Disinformation web page. Accurate information alone, however, may not be enough to foil these attacks.

Organizations may not be able to prevent every attack, but there are steps they can take to reduce the likelihood and impact of a successful one and to be prepared to respond. Among them is the critical need to maintain ongoing security awareness, not just periodic training. Annual training is a start, but it may not keep up with nimble threat actors who deftly reshape their messaging and methods to improve their chances of success. They track developments around the world and adapt far more often than once a year.

Employees should be trained to recognize phishing attacks and dangerous sites, and instructed not to reveal personal, financial or other confidential information about themselves, other employees, customers, or the company. Beyond that, ongoing reminders about the shifting nature of these attacks can be instrumental in preventing them. Considering the past year and the more recent rise in COVID-19 cases, it is easy to understand how compelling information about a vaccine can be, so compelling that it may be easy to forget the warnings given during that annual training early on a Monday morning in February.