In April 2020, we reported on a large influx of COVID-19 themed phishing attacks starting in February 2020. With March 2021 marking the one-year anniversary that the World Health Organization declared COVID-19 a pandemic, we revisited the phishing trends we observed in the past year to gain deeper insight into the various COVID-related topics that attackers might try to exploit.

Starting with the set of all phishing URLs detected globally between January 2020 and February 2021, we generated sets of specific keywords (or phrases) that served as indicators for each COVID-related topic, and applied keyword matching to determine which phishing URLs were related to each topic. (To ensure that the matched URLs were indeed COVID-related, we iteratively spot-checked the resulting URLs and refined these keywords/phrases to minimize the incidence of false positives.)

We found that at each step along the way, attackers have continued to change their chosen tactics to adapt to the latest pandemic trends, in hopes that maintaining a timely sense of urgency will make it more likely for victims to give up their credentials.

We found phishing attacks largely centered around Personal Protective Equipment (PPE) and testing kits in March 2020, government stimulus programs from April through the summer 2020 (including a fake U.S. Trading Commission website that posed as the U.S. Federal Trade Commission in order to steal user credentials) and vaccines from late fall 2020 onward (including a fake Pfizer and BioNTech website also stealing user credentials). Of note, we found that vaccine-related phishing attacks rose by 530% from December 2020 to February 2021, and that phishing attacks relating to and/or targeting pharmacies and hospitals rose by 189% during that same timeframe.

Our analysis showed that Microsoft was the brand most targeted by attackers. For example, fake Microsoft pages were set up by attackers to steal credentials from employees at organizations such as Walgreens (US-based), Pharmascience (Canada-based), Glenmark Pharmaceuticals (India-based) and Junshi Biosciences (China-based).

We predict that as the vaccine rollout continues, phishing attacks related to vaccine distribution – including attacks targeting the healthcare and life sciences industries – will continue to rise worldwide.

Palo Alto Networks Next-Generation Firewall customers are protected from phishing attacks with a variety of security services, including URL Filtering, DNS Security, Threat Prevention and GlobalProtect.

In addition to these security services, best practices to protect yourself and your organization from phishing attacks include:

For individuals:

● Exercising caution when clicking on any links or attachments contained in suspicious emails, especially those relating to one’s account settings or personal information, or otherwise trying to convey a sense of urgency.

● Verifying the sender address for any suspicious emails in your inbox. ● Double-checking the URL and security certificate of each website before inputting your login credentials.

● Reporting suspected phishing attempts.

For organizations:

● Implementing security awareness training to improve employees’ ability to identify fraudulent emails

● Regularly backing up your organization’s data as a defense against ransomware attacks initiated via phishing emails.

● Enforcing multi-factor authentication on all business-related logins as an added layer of security.