Internal Memo: ICF Next Used Promise of Employee Vaccinations as Phishing Test

By Erik Oster 

This story has been updated with a statement from ICF Next. 

Employees of a Virginia marketing agency recently got news that was literally too good to be true: they’d be receiving free Covid-19 vaccines thanks to a partnership between their employer and CVS Pharmacy.

The offer, however, wasn’t real. In fact, it was a phishing attempt—one sent with the agency’s approval by a third party to test whether agency staffers would fall for such a scheme.

According to emails obtained by AgencySpy, Fairfax-based ICF Next used a third party to send out an email to U.S.-based employees and contractors announcing that it would be partnering with CVS Pharmacy to offer free vaccines to all employees, beginning March 18.

“We have procured enough doses for the entire US-based staff but it won’t all be available at once,” the email stated, creating a sense of urgency to apply. The email went on to say that scheduling preference would be given to those with “a work-related need to return to the office or other in-person work locations.” It offered a link to determine current eligibility and advised employees to contact human resources with any questions.

ICF Next provided the following statement late last night following publication of this story yesterday:

This email was part of a routine program we run to keep our people and networks safe from attacks. Phishing and malware attackers are now using sensitive topics more and more to draw people in. However, putting the matter of safety aside, we recognize that the use of sensitive topics can lead to an emotional response. We will certainly keep this in mind moving forward and will review the third party we use to manage this program.

Here’s the initial email in full:

US-based ICF Employees and Contractors,

Great News!!!

We are pleased to announce that ICF, in cooperation with CVS pharmacies, will be offering Covid-19 vaccinations to employees beginning March 18.

We have procured enough doses for the entire US-based staff but it won’t all be available at once.  Therefore scheduling preference will be given to those with a work-related need to return to the office or to other in-person work locations such as client sites and data centers.  There will be no charge for employees;  contractors will need to consult their insurance provider to determine charges.  Those who have already had at least a first dose should not register through this site – please continue to use your state’s vaccination website to complete your second dose.

Use the link below to determine your eligibility and schedule an appointment.

Vaccine Pre-Registration  (link to click thru)

Please contact Human Resources with any questions.

Thank you,
ICF Human Resources

According to the anonymous source who sent the tip to AgencySpy, employees were, predictably, upset by the approach to cyber security. A response email from an unspecified person in leadership, also shared with AgencySpy, explained that the phishing email was sent by a third party contracted to test such scenarios.

“While the topic may be perceived as insensitive, that was not the intent,” the email continued, acknowledging that such an approach “might have been especially disheartening, given the significant impact and stress the pandemic has had on so many of our lives.”

Notably, the response did not include an apology, instead choosing to highlight the need to “stay vigilant in order to protect ourselves from the bad actors who often take advantage of situations like this,” while using the fact that 30% of the 430 employees who received the email clicked on the link as evidence that employees need to be better educated about such phishing efforts. The email concluded with links to a series of articles its sender said “will hopefully help you and your teams understand why this is important” and welcomed questions. We have a few.

Here’s the response email:

Leaders,

Some of you may have recently received a phishing email that announced a vaccination rollout for ICF employees. This email was sent by a third party that ICF has hired to run campaigns to test these types of scenarios. While the topic may be perceived as insensitive, that was not the intent. I understand why it might have been especially disheartening, given the significant impact and stress the pandemic has had on so many of our lives. However, during this time, it is important that we stay vigilant in order to protect ourselves from the bad actors who often take advantage of situations like this.

For context, 430 employees across ICF received the message and 30% clicked on the link. This indicates that we can do more to educate ourselves. I’m sharing a few additional articles below that will hopefully help you and your teams understand why this is important.

Phishing in the Time of COVID-19: How to Recognize Malicious Coronavirus Phishing Scams | Electronic Frontier Foundation (eff.org)
COVID-19-Related Phone Scams and Phishing Attacks | CDC Online Newsroom | CDC
Phishing attacks escalated by 26 percent post-release of COVID-19 vaccines: Report- Technology News, Firstpost
Beware! COVID-19 Vaccine-related Phishing Scams on Rise (eccouncil.org)

Please feel free to reach out with any questions.