In the month following the first UK/global Pfizer vaccine dose was given to 90-year-old Margaret Keenan, cyber resilience company Webroot’s Real-Time Anti-Phishing protection system** found a rise in malicious URLs and terms to target vulnerable people, using subjects such as ‘Vaccine’ and ‘Cure COVID’ to compel them to click on malicious links and open illegitimate emails. This includes:

• Over 4,500 new suspicious domains found, which contained a combination of words relating to ‘COVID-19,’ ‘Corona,’ ‘Vaccine,’ ‘Cure COVID’ and more

• 934 domains specifically included the word ‘Vaccine’ within the title

• 611 domains contained a miss-spelling of the word ‘Vaccine’

• 2,295 contained ‘COVID’ in the title

• 622 domains contained the words ‘Test’ or ‘Testing’ in their title

• Domain titles were extremely concerning, including titles such as: ‘COVID Validator,’ ‘Testing Update,’ ‘COVID Travelcard,’ ‘Private Vaccine,’ among others.

The total use of the word ‘vaccine’ found within suspicious domain names between the 8 December and 6 January was cited as a 336% increase, when compared with the month of March 2020. Webroot also observed that there was an 94.8% increase from the 8 December to 6 January, compared with the previous 30 days leading up to this first date.

“As 2021 brings the first mass vaccination programs to fight COVID-19, we’re already seeing cybercriminals exploiting the publicity and anticipation surrounding these to target businesses and consumers in phishing and domain spoofing attacks,” warns Nick Emanuel, senior director of product at Webroot. “Scams using keywords based on emotive subjects concerning medical safety and the pandemic are always going to be more effective, especially when they’re in the public interest.”

Remote work has forced many employees to use personal devices for business-related activities, which presents unique security concerns, he adds. “With a higher prevalence of malware and generally fewer security defences in place, it’s easier for malware to slip into the corporate network via an employee’s personal device. For businesses, better security systems and training are key for protection, along with backing up data.

“For individuals, defending against these kinds of attacks should involve security awareness training and remaining vigilant in scrutinising the types of emails they receive. This should also be underpinned by cybersecurity technology, such as email filtering, anti-virus protection and strong password policies.”

*https://www.bbc.co.uk/news/uk-england-55560604 **https://www.webroot.com/gb/en/business/threat-intelligence/internet/real-time-anti-phishing