Vade Secure Uncovers 1M COVID Vaccine Phishing Emails
Once again, COVID is shaking things up in the security world.
Over the course of the past week, Vade Secure has found a staggering 1M fraudulent emails tied to COVID-19 vaccines. We sat down with Sebastien Goutal, Chief Science Officer at Vade Secure, to discuss the danger of this new spike in scams and what users can do to protect themselves from becoming a victim.
What's the volume of vaccine scams in total this quarter? Is this higher or lower versus the other quarters.
While we don’t have a full picture of total vaccine scams in Q1, there were certainly signs of some early campaigns at the end of February, and a noticeable and significant increase in March. For perspective, however, in just three days this month, our team found more than one million fraudulent emails tied to the Moderna and Pfizer vaccines, which speaks volumes to how many are potentially out there now in total.
Can you break it down by vaccine manufacturer?
The Pfizer survey scam campaigns started around March 10, and Moderna survey scam campaigns started around March 14. Just last week, we identified the first Johnson & Johnson campaign. It is unclear when it actually started, but will likely continue to ramp up like the other ones we’ve seen.
Is there any way to tell if these scams are targeting any particular geo/state?
We are not able to see where exactly these scams are taking place, though it is important to note that we have only seen the Moderna and Pfizer scams in English thus far.
What's the goal of these scams?
The campaigns are using advanced techniques to evade traditional email filters, including injection of random noise in text/plain part, remote images that contain the suspicious message and high reputation services such as Google Cloud Storage to host the images or redirect to the final websites. The primary goal of these scams is to obtain money from the victim, prompting them to pay a shipping fee for a fake reward they are promised to receive from a fraudulent survey. Some of the supposed rewards offered include 100% natural CBD oil, a 30-day Ketosis supplement, a BlackOps Tactical Watch, iPad Pro and more. The secondary goal of these scams, on the other hand, is to collect information about the victim, whether it be their name, address or other personally identifiable information.
Tips for users to avoid becoming a victim?
Remain vigilant, and ensure the scam doesn’t appear too good to be true, such as receiving a gift at a $90 value for filling out a quick online survey. A sense of urgency or requests for information in subject lines can also be a giveaway. For example, some of the email subjects we’ve seen for the Moderna and Pfizer scams include:
Important Pfizer Vaccine Message for you
Pfizer Vaccine Survey Response Needed
Pfizer COVID-19 Survey Response Confirmation