We expected that massive media attention surrounding the development and distribution of COVID-19 vaccines would spur bad guys to launch new vaccine-themed phishing campaigns.
Now, on the very day that the UK launched its mass vaccination program, the first real vaccine-themed phishing emails have arrived. Let’s take a look.
The first one uses the very kind of social engineering scheme that we anticipated. This email appears to be trying to exploit a very recent report in The Washington Post that Pfizer may not be able to supply additional doses of its vaccine to the United States in large volumes until sometime in Q2.
Predictably enough, the link in the email body takes unwitting clickers to a credentials phish. To be sure, the language used in the body of that malicious email is a bit stilted — definitely not the effortlessly clear prose one would expect in a professionally written email of this type. But it will do.
The social engineering scheme in both emails exploits some of the basic questions and concerns that users and employees will have about the several vaccines currently on the cusp of widespread distribution:
- How soon will a vaccine be available?
- Will it be safe?
- How can I get it?
- When can I get it?
- How much will it cost?
- Should I get it?
Conclusion
Malicious actors had a field day back in March in April as the Coronavirus washed over countries around the world. It was and still is the perfect tool for social engineering scared, confused, and even downright paranoid end users into opening the door to your organization’s network.
Nine months later, as an entirely predictable round of vaccine-themed phishing emails begins to land in your employees’ inboxes, it is high time to get your users up to speed by stepping them through Security Awareness Training.