Be warned: COVID-19 vaccine scams are now appearing online, over text, and by email

With millions of us waiting for our place in the vaccine queue, criminals are already trying to cash in.

2020 was a year many of us would like to forget, and as 2021 entered with little of the fanfare usually associated with New Year's Eve celebrations, the challenge of the COVID-19 pandemic, still, is far from over. 

Despite surging infection rates worldwide and fresh outbreaks, however, there is hope that vaccines recently approved in some countries, such as the Oxford/AstraZeneca and Pfizer-BioNTech variants, will begin to turn the tide. 

While we wait with impatience to have our pre-COVID-19 lives and 'normality' restored, our place in the vaccine queue depends on a number of factors that vary from country to country: for example, the UK has chosen to vaccinate the highest-risk groups, first, such as the elderly, alongside frontline healthcare workers. 

In Britain, the situation could be best described as confused; letters have been sent to some individuals -- but not all in each "group" -- informing them that they will be told when their place in the queue comes up, and some appointments for second doses have been canceled in order to provide first-dose protection to as many individuals as possible. 

There is now a rising sense of urgency due to the new COVID-19 variant that appears to be more easily transmitted. Mass vaccination is no easy task, especially when two separate doses are required -- and when you combine millions of people desperately waiting for news and confusion in how vaccine programs are being operated, this becomes a situation that cybercriminals can exploit. 

Over the past few weeks, scammers and other threat actors have launched their own programs: not for public health, but to steal personal information, conduct identity theft, scam victims, and all with the potential for criminal financial gain. 

In December, Interpol warned that law enforcement should be prepared to deal with COVID-19-related scams and cybercrime over the coming months. 

"Criminal networks will also be targeting unsuspecting members of the public via fake websites and false cures, which could pose a significant risk to their health, even their lives," commented Jürgen Stock, Interpol Secretary-General. "It is essential that law enforcement is as prepared as possible for what will be an onslaught of all types of criminal activity linked to the COVID-19 vaccine, which is why Interpol has issued this global warning."

Only four weeks after this alert was issued, Interpol's scenarios have already come to pass, with both the general public and vaccine supply chains as top targets. 

What scams are out there?

Fake products

The worst is fake vaccines being offered for sale online, which could have a severe detrimental impact on buyer health. Check Point researchers found "coronavirus vaccines" and "coronavirus remedies" for sale through forum posts connected to the Dark Web. Vendors claiming to have access to unspecified COVID-19 vaccines are requesting up to $300 in cryptocurrency. 

Check Point has also recorded thousands of new website domains recently registered with phrases including "vaccine" and "corona". In a related study, Interpol found that out of a sample of 3,000 websites appearing to be selling dubious medicines and medical devices, roughly 1,700 contained threats including phishing code and malware.

Phishing emails

Sending out fraudulent emails can be performed automatically and with very little effort on the part of cyberattackers and fraudsters. Coronavirus-related phishing emails were in high circulation over 2020 and show no signs of stopping -- except, now, some campaigns have pivoted to vaccines as their subject. 

In some cases, fraudsters will ask recipients to go to a website and fill out a form to secure their place in a 'vaccine queue.' Information including names, addresses, Social Security numbers, dates of birth, and potentially medical data may be requested -- all of which is Personally Identifiable Information (PII) that could be used to further more elaborate scams and social engineering attacks. 

It is also possible that cybercriminals will ask for payment to 'register' with fake vaccine programs.

The Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO) are now commonly impersonated in phishing emails. You may expect fraudsters to now also impersonate local medical providers and government entities.

Malvertising 

If you see any advertisements online related to the COVID-19 outbreak or vaccine which does not come from official sources -- such as healthcare providers, government domains, or hubs such as Facebook's COVID-19 Help Center which only provides data from official sources -- you should ignore them outright. 

Adverts like this may lead you to fraudulent websites in order to steal PII, financial data, or deploy malware on your PC. 

At present, vaccines are not being offered privately. Simply put, you cannot purchase a COVID-19 vaccine online in the same way that you can book a flu jab, and any advert or message telling you otherwise is fraudulent. 

Text messages

COVID-19-related fraudulent texts have begun making the rounds, with messages claiming that government officials require you to take an "online coronavirus test," as reported by the Better Business Bureau. Government officials are also being impersonated, and in some samples, criminals are also trying to hook victims by sending SMS messages related to stimulus checks and IRS/tax payments. 

In the UK, the National Cyber Security Centre (NCSC) has warned (.PDF) of four main SMS scams: 

  • Fake government URLs that must be visited to claim coronavirus-related payments
  • Lockdown fine notices for breaching stay-at-home rules
  • Offers of health supplements to protect you against COVID-19
  • Financial support offers that appear to be from your bank

An SMS-based scam is also in circulation in which messages claim to be from the UK National Health Service (NHS). Recipients are told they have been identified as "eligible to apply for [a] vaccine," and a link then leads victims to a convincing, but fake, NHS website requesting sensitive personal information.

Over the phone

While, perhaps, not as common, some scam artists are cold calling victims directly. In recent cases, the COVID-19 vaccine has been offered by fraudsters over the phone, in which victims are asked to press a number on their keypad to confirm that they wish to have a vaccine -- or bank details are asked for directly. 

Information such as telephone numbers, names, dates of birth, and home addresses that has already leaked online may be used by criminals to appear more authentic when they call. 

How do I stay safe from COVID-19 scams?

The first and most important point is to never purchase medical equipment or treatments from unofficial, untrusted sources. Cybercriminals don't care what sales vector has to be used to make a dollar or two -- including exploiting demand for potentially life-saving vaccines -- and there is no proof or guarantee chemical products bought online from third-parties are genuine or safe. 

You should also treat any request for PII, whether made over the phone, via text, or email, very carefully. If there is a shred of doubt that this is genuine -- and it is likely to be a scam when communicated in these ways -- you should give nothing over. Instead, directly email or phone your local provider, or check official websites for the latest information. 

Lastly, be wary of clicking links or downloading attachments in unsolicited messages and remember to take a breath before responding to any form of message that tries to elicit panic -- such as a claimed vaccine shortage or time-based offer. Grammatical errors, too, are often a red flag for scams.