This latest phishing scam impersonates the UK’s National Health Service, telling recipients that are eligible for the vaccine in order to collect valuable banking and credit card details.
I really despise these scammers. At a time when people are searching for a way to protect themselves, these lowlifes of the cybercriminal world prey on those in fear. This latest scam has recently hit the UK where unsuspecting victims were sent an official-looking email purporting to be from the UK government with a simple message – that the recipient has been selected for the vaccine.
Would-be victims who click the “Accept Invitation” link are taken to a legitimate-looking website that appears to be the NHS:
Source: Bleeping Computer
Once victims again choose to accept the invitation, they are prompted to answer a series of questions that collect personal details including the victim’s name, their mother's maiden name, address, and mobile number, as well as credit card and banking details.
While this scam feels like it’s targeting individuals, the very same scam is possible within your organization; all it takes is a little spin on the theming (e.g., make the email be from the HR department about a company-wide vaccination with a link to the rollout schedule that happens to attempt to collect Office 365 credentials) to be business-worthy.
Organizations need to take attacks that seem to target individuals over a corporation, as the shift in a campaign to steal corporate data only requires a few changes in how an attack like the one above is executed.
Putting users through Security Awareness Training is an effective way to help them protect themselves and the organization, regardless of how well-executed a phishing campaign is.