New COVID-19 Vaccine Scam


As infection rates continue to climb in the weeks preceding the holidays, those interested in the COVID-19 vaccine are left wondering when it’ll be openly available for all to receive. But as vaccine manufacturers, such as Pfizer, BioNTech, and Moderna, do their best to meet this nation-wide demand, cybercriminals have quickly begun to capitalize on the public’s desperation and confusion.

Adapting Scams to Current Issues

Back in March and April of 2020, the initial spike in Coronavirus infections provided hackers with the perfect opportunity to launch an array of phishing campaigns. Most notably, fraudulent emails appearing to be from major health organizations enticed recipients to click on links to view maps that depicted the virus’s spread across the world. When clicked, these links secretly installed malware onto the individual’s device, inevitably resulting in a breach of privacy and potentially a loss of funds.

Soon after, as we moved into the summer season, the month of May and interest in the first round of stimulus checks gave scammers a new way to con unsuspecting victims. Rather than posing as health organizations, hackers were given an opportunity to play the fraudulent role of large financial institutions, such as the IRS.

But no matter what mask a hacker chooses to wear, the goal for many COVID-19 scams remains the same. Cybercriminals want your information and your money, and there’s no denying they’ve created some clever ways of getting it.

COVID-19 Vaccine Phishing

So now, as the United States slowly moves towards a nationwide vaccination, hackers have already begun to prey on individuals that want to know when the vaccine will be openly available, if it’s safe, and how much it will cost. As a result, between October and November of 2020, nearly 1,250 new website domains containing the words “COVID-19 Vaccine” were created, hinting that hackers were making the initial moves to strike when legitimate vaccines were nearing approval.

In turn, the first recorded vaccine phishing campaign hit the inboxes of individuals around the world in December 2020. In this attack, cybercriminals attempted to capitalize on the confusion and fear of recipients, with messages stating that vaccines were in high demand and stocks were low. When the link housed within this email was clicked, recipients were directed towards a login page, where personal credentials could be entered to solidify their place in a fake waiting queue.

Google Form Phishing

But the ability to determine the legitimacy of an email and its supplemental hyperlinks is no easy matter, and it’s only getting harder. In recent months, hackers have begun using trusted services, such as Google Forms, to capture and sell the stolen credentials of unsuspecting victims around the world. In 2020, 265 fraudulent Google Forms were deployed, with many designed to appear as the login pages of reputable brands, such as AOL, AT&T, Yahoo, and Microsoft.

Now, as many local healthcare organizations have begun using services such as Google Forms and Jot Forms as valid methods to register for vaccinations, what’s to say hackers couldn’t simplify their tactics and take a similar approach? After all, these services are free to use and take only minutes to set up. Because of this, it’s crucial to remain vigilant, should one of these forms inevitably end up in your inbox.

Signs of COVID-19 Vaccine Scams

So, what are some indicators you can look for when attempting to determine the legitimacy of vaccine-related emails and online forms? Here are a few topics the FBI has pinpointed as indicators of fraudulent activity.

  • Advertisements for early access to vaccines based upon submission of deposit fees
    • No third parties have been approved to advertise vaccines online
  • Vaccine waiting list sign up forms that require upfront payment
    • Remember that scammers thrive on creating a sense of fear and urgency in victims
  • Unsolicited emails from medical offices, insurance companies, or vaccine centers requesting information for eligibility
    • Even if the email looks professional, remain wary and call the organization prior to submitting any documents.
  • Links or attachments promising information on FDA approval of new vaccines
  • Offers to ship the vaccine in exchange for payment
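The Google Forms tactic and the indicators above can be turned into a simple mail-triage check. The following is an added example, not code from Rocket IT or the FBI; the form-service hostnames, the payment keyword list, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed hosts for the form services the article names (coarse, host-level match).
FORM_HOSTS = ("docs.google.com", "forms.gle", "jotform.com")
PAYMENT = re.compile(r"\b(deposit|fee|payment|credit card)\b", re.I)
DOMAIN = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

class Collector(HTMLParser):  # gathers visible text and (href, anchor text) pairs
    def __init__(self):
        super().__init__()
        self.text, self.links, self._href = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None

def host(url):
    return re.sub(r"^www\.", "", (urlparse(url).hostname or "").lower())

def triage(raw_email):  # returns the sorted warning signs found in one HTML email
    page = Collector()
    page.feed(message_from_string(raw_email).get_payload())
    text, flags = " ".join(page.text), set()
    if "vaccin" in text.lower() and PAYMENT.search(text):
        flags.add("vaccine offer tied to payment")
    for href, anchor in page.links:
        h = host(href)
        if any(h == f or h.endswith("." + f) for f in FORM_HOSTS):
            flags.add("link to free form service")
        shown = DOMAIN.search(anchor)  # does the visible text name a site?
        if shown and host("//" + shown.group(1)) != h:
            flags.add("link text shows a different site")
    return sorted(flags)

# Constructed sample message (not taken from a real campaign).
SAMPLE = ("Subject: Reserve your COVID-19 vaccine\nContent-Type: text/html\n\n"
          "<p>Vaccine stocks are low. Pay a $25 deposit to hold your place.</p>\n"
          '<a href="https://docs.google.com/forms/d/e/EXAMPLE/viewform">'
          "www.health.example.gov/signup</a>\n")
```

Because legitimate health departments also use these form services, a "link to free form service" flag is a prompt to call the organization and confirm, not proof of fraud.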

How to Sign Up for the COVID-19 Vaccine

As more phishing emails send individuals to fake vaccine sign-up pages, it’s important to do some investigating to ensure the pages you visit are legitimate. Rather than clicking directly on the link provided in the email, do a quick Google search to find health organizations in your immediate area that are offering vaccines to front-line workers and individuals over the age of 65. With Rocket IT and many of its clients being in Metro Atlanta, here are a few sign-up forms for Georgia residents.

Georgia Department of Public Health

Fulton County Board of Health

Gwinnett Newton Rockdale County Health Departments

Gwinnett Clinic

How to Protect Yourself from COVID-19 Vaccine Phishing

When you click a phishing email, you not only put yourself at risk, you also place your local network, contact list, and employer in jeopardy. Similarly, businesses that have yet to implement company-wide training and testing on the subject may also find their assets at risk, as a single click can result in the loss of productivity and revenue for the entire organization. And while technologies such as application whitelisting, enhanced spam filters, and next-generation anti-virus serve to protect a business’s team, they’re no match against the initial phases of a phishing attack.

Because many scammers rely heavily upon social engineering and continuously changing tactics, individuals must be trained to spot a phishing email the moment it hits their inbox. Through Rocket IT’s security awareness training, teams can begin to understand current phishing threats and how to spot them. These training sessions go over new email spoofing techniques, how to detect fake URL links, and grammatical errors to look for when reviewing an email’s content.

Once the initial training is complete, regular phishing testing can be used to detect any vulnerabilities within the organization. Rocket IT conducts training that sends out harmless, simulated phishing emails. It then tracks the number of individuals that took the bait and clicked the email, allowing organizations to effectively train and hopefully prevent future attacks. For more information on company-wide security training and phishing testing, give Rocket IT a call at 770-441-2520.
