Security Experts:

Connect with us

Hi, what are you looking for?



Protecting Against Vaccine-Themed Attacks and Misinformation

COVID-19 Vaccine Scam and Misinformation

COVID-19 Vaccine Scam and Misinformation

Just before Christmas, the British Government became the first to approve a COVID-19 vaccine. Since that announcement, not only have several other vaccines been regulated for use, but the worldwide rollout is gaining momentum with other countries approving and accelerating populous vaccination programs.

Now that we can see a proactive rollout of the vaccine, hope has sparked amongst frontline workers, at-risk individuals and members of the public. Once again, it will become possible to see loved ones, travel, or even do simple things like pop out for coffee with friends. We can see the world beginning a journey toward the new normal.

However, the numerous steps involved with distribution and the heightened urgency around the vaccination program have also presented a target for bad actors. Its rollout offers an opportunity to make money. They recognize that people can be so excited about future possibilities that their mental cybersecurity checks could be overwhelmed.

Over the coming weeks, we must be vigilant as there will be a glut of activity and misinformation from cybercriminals wanting to disrupt the rollout or part people from their hard-earned money. With everything moving so fast, now is not the time to adopt new technology, or consider different ways of thinking, to stay ahead of these threats. Now is the time to simply consider a few tips that may prevent over-excitement and help us stay alert to potential threats. 

Advice for Businesses

Ransomware growth is the most expansive business threat, with incidents taking advantage of COVID messaging. That is why it’s increasingly important to keep an eye on what’s happening in the supply chain, as was proven by the damage caused by the attack on SolarWinds recently. Here are a few helpful tips to keep in mind to help ward off supply chain attacks:

• Keep up with education and awareness for staff, mindful that many were totally unprepared for remote working, so continued emphasis remains important.

• Watch over data, monitor usage closely. Who is accessing what data, from where, when, and using what device? If it’s not already in use, this is the time to enable multi-factor authentication tools and ensure that there are clear access policies communicated to staff.

• Keep technology up-to-date. Many organizations rolled out advanced threat tools in response to attacks launched at the start of the pandemic – now is an excellent time to review achievements and make sure that policies and training are up-to-date. Oh, and patch, patch, patch; whatever has been deployed must be kept up-to-date!

Advice for Individuals 

Whilst it’s good to have confidence in a business to keep our information safe, attackers will take advantage of any individual where there’s an opportunity. Most attacks have simply been adapted to take advantage of everyone wanting to be vaccinated as soon as possible.

A few approaches we can all look out for include:

• Phishing – sending fake emails. Not every country has approved every vaccine (in some cases none to date), and where there are programs in place, the distribution will be limited to ensure that those most at risk receive protection first. If you receive an email offering the vaccine as a ‘private’ option, delete it as a potentially dangerous fake. Always check the origination and links of seemingly official emails. 

• Smshing – sending fake text messages. Text messages offering the vaccine are clearly fake, but some offer the chance to make an appointment and are, in fact, harvesting personal data to resell. These can be harder to spot, but remember that an official text will never request bank account details, copies of personal documents or highly confidential information.

• Fake websites used to steal personal data. There have been thousands of sites spun up to offer vaccine services, but you can avoid being scammed by checking that the domain is valid. Official sites will use an exact domain name ending in a government suffix, for example, If the website name seems unusual – perhaps numbers and letters, or unreadable – then avoid.

• Queue-jumping opportunities. At this stage, the Coronavirus vaccine is typically provided at no direct cost to individuals, either via government-/centrally-funded or via insurance cover. If you receive an email, SMS, telephone call or even a knock at the door offering the chance to pay for a vaccination, turn it away. At best, you will be parted from cash; at worst, there have been cases of people paying for fake injections to be administered. 

Over the coming months, we will see more and more countries coming online to provide a vaccination program using the current and other validated vaccinations. In some countries, such as the US, these may be via insurance services, in others, such as Canada and much of Europe, it could be centrally funded. However, whichever route a country takes, the risks remain valid: Thousands of email and website scams waiting and wanting to take advantage of anxious and hopeful people.

Be VERY careful; if it looks fake delete it. You can always double-check with your healthcare provider so that legitimate communications are not overlooked.

Written By

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.