As we move further into 2021, the landscape around COVID-19 has been changing more rapidly than ever. On nearly a daily basis, we receive updates about new processes, easing of restrictions and vaccine availability. All this change can be incredibly confusing and unsettling, and it’s the exact environment in which scam attempts are most effective. Unsurprisingly, enterprising cybercriminals are now taking advantage of vaccine availability to trick unsuspecting consumers into giving up personal data through vaccine phishing scams.
This vaccine scam can take multiple forms. One email variant appears to come from the National Health Service (NHS), and employs the typical phishing strategy of using convincing branding to hook recipients. According to Forbes, many people have also reported receiving pretty compelling phone calls and text messages from scammers, who claim that the recipient is eligible for the vaccine and needs to provide personal information to receive their dose. Employing a more unusual method, some scammers have even created duplicate accounts on social media and used social messaging apps with embedded links to convince “friends” to submit information.
When a scam gains popularity and changes forms this quickly, it can be hard to know how to protect ourselves.
How can you distinguish real vaccine notices from vaccine phishing scams?
First, it’s important to be familiar with the legitimate forms of communication that reliable healthcare organizations use to relay information about vaccines, and to recognize how they differ from these phishing attempts. If you’re on the waitlist for a vaccine and your provider emails you directly about it, chances are the message is legitimate. On the other hand, it’s improbable that a person would receive a legitimate email about vaccine eligibility completely out of the blue. Hearkening back to a critical tenet of phishing prevention, always beware of any email you weren’t expecting to receive. Also, keep in mind that legitimate entities would never use social messaging apps or unsolicited phone calls to offer information about vaccines. They would also never request personal information over the phone – a classic sign of a voice phish.
Second, be mindful of the cadence and wording that are almost always unique to phishing messages. Urgent calls to action – often accompanied by threats or promises to encourage compliance – are telltale signs of a phish. In contrast, a trusted healthcare organization would be very unlikely to use that kind of tactic. The same applies to grammar or spelling errors, unusual phrasing, and a lack of important information (such as an address or phone number). It’s important to look critically at the content of these emails and ask yourself: does this seem like the kind of message this person – or organization – would write? Always trust your instincts. If something seems off, chances are something is off.
Thankfully, there is more you can do to protect your organization and employees against vaccine phishing scams. Anti-phishing training teaches employees about phishing and social engineering threats, so they know what to watch out for.