
Protecting Against Vaccine-Themed Attacks and Misinformation

COVID-19 Vaccine Scam and Misinformation

Just before Christmas, the British Government became the first to approve a COVID-19 vaccine. Since that announcement, not only have several other vaccines been approved for use, but the worldwide rollout is gaining momentum, with other countries approving and accelerating mass vaccination programs.

Now that we can see a proactive rollout of the vaccine, hope has sparked amongst frontline workers, at-risk individuals and members of the public. Once again, it will become possible to see loved ones, travel, or even do simple things like pop out for coffee with friends. We can see the world beginning a journey toward the new normal.

However, the numerous steps involved with distribution and the heightened urgency around the vaccination program have also presented a target for bad actors. For them, the rollout offers an opportunity to make money: they recognize that people can be so excited about future possibilities that their mental cybersecurity checks could be overwhelmed.

Over the coming weeks, we must be vigilant as there will be a glut of activity and misinformation from cybercriminals wanting to disrupt the rollout or part people from their hard-earned money. With everything moving so fast, now is not the time to adopt new technology, or consider different ways of thinking, to stay ahead of these threats. Now is the time to simply consider a few tips that may prevent over-excitement and help us stay alert to potential threats. 

Advice for Businesses

Ransomware growth is the most expansive business threat, with incidents taking advantage of COVID messaging. That is why it’s increasingly important to keep an eye on what’s happening in the supply chain, as the damage caused by the recent attack on SolarWinds proved. Here are a few tips to keep in mind to help ward off supply chain attacks:

• Keep up with education and awareness for staff, mindful that many were totally unprepared for remote working, so continued emphasis remains important.

• Watch over data, monitor usage closely. Who is accessing what data, from where, when, and using what device? If it’s not already in use, this is the time to enable multi-factor authentication tools and ensure that there are clear access policies communicated to staff.

• Keep technology up-to-date. Many organizations rolled out advanced threat tools in response to attacks launched at the start of the pandemic - now is an excellent time to review achievements and make sure that policies and training are up-to-date. Oh, and patch, patch, patch; whatever has been deployed must be kept up-to-date!

Advice for Individuals 

Whilst it’s good to have confidence in a business to keep our information safe, attackers will take advantage of any individual where there’s an opportunity. Most attacks have simply been adapted to take advantage of everyone wanting to be vaccinated as soon as possible.

A few approaches we can all look out for include:

• Phishing – sending fake emails. Not every country has approved every vaccine (in some cases none to date), and where there are programs in place, the distribution will be limited to ensure that those most at risk receive protection first. If you receive an email offering the vaccine as a ‘private’ option, delete it as a potentially dangerous fake. Always check the origin and links of seemingly official emails.

• Smishing – sending fake text messages. Text messages offering the vaccine are clearly fake, but some offer the chance to make an appointment and are, in fact, harvesting personal data to resell. These can be harder to spot, but remember that an official text will never request bank account details, copies of personal documents or highly confidential information.

• Fake websites used to steal personal data. There have been thousands of sites spun up to offer vaccine services, but you can avoid being scammed by checking that the domain is valid. Official sites will use an exact domain name ending in a government suffix, for example, https://www.cdc.gov/vaccines/covid-19/index.html/. If the website name seems unusual – perhaps numbers and letters, or unreadable – then avoid it.

• Queue-jumping opportunities. At this stage, the Coronavirus vaccine is typically provided at no direct cost to individuals, either via government- or centrally-funded programs or via insurance cover. If you receive an email, SMS, telephone call or even a knock at the door offering the chance to pay for a vaccination, turn it away. At best, you will be parted from cash; at worst, there have been cases of people paying for fake injections to be administered.
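The domain check from the "Fake websites" item above, written out as an added example (not part of the original article): it parses a link and accepts it only when the real hostname ends in a government suffix, which is where lookalike links usually fail. The function name, the suffix allowlist and every sample link except the cdc.gov one are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: illustrative allowlist of government suffixes, not a complete list.
GOV_SUFFIXES = ("gov", "gov.uk")

def check_official_url(url, suffixes=GOV_SUFFIXES):
    """Return (ok, reason) for a link that claims to be an official site."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not an https link"
    if not host:
        return False, "no hostname"
    if parts.username is not None:
        # https://www.cdc.gov@other.example/ really goes to other.example
        return False, "userinfo before '@' disguises the real host"
    labels = host.split(".")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        return False, "non-ASCII or punycode host (possible lookalike)"
    for suffix in suffixes:
        tail = suffix.split(".")
        # The suffix must be the final labels, with a name in front of it.
        if len(labels) > len(tail) and labels[-len(tail):] == tail:
            return True, "host ends in ." + suffix
    return False, "host does not end in a government suffix"

# Constructed sample links; only the first is taken from the article.
SAMPLES = [
    "https://www.cdc.gov/vaccines/covid-19/index.html/",
    "https://cdc.gov.vaccine-booking.example/appointment",
    "https://www.cdc.gov@vaccine-booking.example/",
    "https://cdc-gov.example/register",
    "http://www.cdc.gov/",
    "https://xn--cdc-vaccine-9za.gov/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, reason = check_official_url(link)
        print(("OK      " if ok else "SUSPECT ") + link + " -> " + reason)
```

A passing result only means the hostname sits under an allowlisted suffix; it says nothing about the content of the page or the message that carried the link.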

Over the coming months, we will see more and more countries coming online to provide a vaccination program using the current and other validated vaccinations. In some countries, such as the US, these may be via insurance services; in others, such as Canada and much of Europe, it could be centrally funded. However, whichever route a country takes, the risks remain valid: thousands of email and website scams are waiting to take advantage of anxious and hopeful people.

Be VERY careful; if it looks fake, delete it. You can always double-check with your healthcare provider so that legitimate communications are not overlooked.

Laurence Pitt is Global Security Strategy Director at Juniper Networks. He joined Juniper in 2016 and is the security subject matter expert for the corporate marketing team. He has over twenty years of cyber security experience, having started out in systems design and moved through product management in areas from endpoint security to managed networks. In his role at Juniper, he articulates security clearly to business and across the business, creating and having conversations to provoke careful thought about process, policy and solutions. Security throughout the network is a key area where Juniper can help as business moves to the cloud and undertakes the challenge of digital transformation.