The COVID-19 vaccine is a prime target of organized crime, warns Interpol. Here, cybersecurity expert Mathieu Gorge shares insights on COVID-19 vaccine scams and how to identify potential fraud.
Over the past few months, threat actors have become increasingly focused on the pharmaceutical industry, which is now at the biggest risk of supply chain attacks. Hackers know that pharma companies are under tremendous pressure to roll out vaccines, and they’re trying to exploit vulnerabilities to launch a wave of attacks against manufacturers and COVID-19 distribution chains.
Earlier this month, Interpol sounded a warning about COVID-19 vaccines becoming a target of “organized crime networks.” Also, it’s not surprising to notice an uptick in phishing campaigns. Check Point Software Technologies found over a thousand domains have been created with the keyword ‘vaccine’. Meanwhile, people are being scammed with a counterfeit COVID-19 vaccine for $250 on the darknet.
Recently, hackers targeted the European Medicines Agency (EMA); the breach led to the compromise of sensitive vaccine documents submitted by Pfizer-BioNTech and Moderna. This is the first successful attack on a COVID-19 vaccine supply chain. Though all fingers point to state-backed hackers, details of the hack remain under wraps as the investigation continues. Meanwhile, the U.S. Department of Justice shut down two domains that scammers positioned as legitimate biotech companies.
Cybercriminals have a particular agenda behind choosing their targets. For instance, nation-state groups seek vaccine data for their own production. Fringe groups want to get their hands on any data which can be sold, while scammers dupe people financially under the pretext of selling a [fake] vaccine dose.
Cybersecurity expert Mathieu Gorge shares insights with Toolbox on COVID-19 vaccine scams, a growing threat, and how cybercriminals operate. “Criminals work together and share information about target groups. Understand that the risk vs. reward ratio is in their favour. It’s going to be hard to catch them and even harder to prosecute them as they will most likely be in a different jurisdiction. This means that even if they are identified, it’s unlikely they will be arrested, let alone prosecuted,” he said.
As a result, groups such as older people and those with underlying health conditions, healthcare, and frontline workers are the most vulnerable. Anyone who falls into this category should NOT get the vaccine from anyone other than a trusted health provider. Doing so can result not only in financial loss but also in the leak of potentially confidential information. This is serious because, unlike a scam in which a long-lost relative is giving you their fortune and needs your bank account information to transfer the funds, criminals will also ask you health-related questions.
Gorge adds, “It makes sense and you’d expect it, right? After all, you need vetting questions before taking a vaccine. So now they’ll have your (un)protected health information as well as your financial information. The main issue with this is that it can lead to blackmail whereby a criminal will ask you to pay more or publicize your health info they’ll have collected from you, quite willingly.”
On an organizational level, hackers can target those with access to information, data, systems, and finance, such as C-Suite executives, executive VPs, and directors.
According to the FBI, people need to look out for:
- Vaccine ads on social media, emails, telemarketing calls, or any other unsolicited source
- Anyone who asks for personal/healthcare information
- Anyone who offers to ship vaccine doses
- Anyone who offers to put your name on the vaccine waiting list or to get you early access in exchange for money
- Anyone who asks to be paid out of pocket to get the vaccine
Gorge’s Recommendations to Mitigate the Threats from COVID Vaccine Scams
- Roll out security awareness training covering these scams
- Run phishing simulation exercises regularly
- Inform staff of the most common scams, so they can quickly spot them and report them
- Use days like Global Privacy Day to promote good cyber hygiene and educate all staff
“The key is to map your ecosystem and understand your risk surface. You can then assess the risks, probabilities and potential impact, but you will always end up with residual risk that you need to manage at all times. Security is a journey, not a destination. In other words, good security and compliance must be achieved continuously, not just once a month,” Gorge noted.
What to Do if Your Information Is Compromised
Gorge, CEO of VigiTrust, outlines the steps to take if a malicious actor manages to compromise personal or organizational security.
He advises alerting the bank and/or service provider, changing account credentials, and updating all of the systems. From an enterprise perspective, he said, “It’s about containing the incident, isolating systems and compromised data, ensuring everything is backed up, updating security, and then investigating. You need to eradicate the issue, which may involve a major network architecture change, just a new security layer, or both. Whichever the case, you need the C-suite and board to drive that initiative.”
Hackers and criminals will look for the weakest point, which is often a system that may not appear important and might not be patched regularly as it’s not on the radar screen, but it becomes a back door. So they are likely to target systems and execs at the same time to maximize their chances of getting in.