Phishing scams use the promise of COVID-19 vaccines to trick you

Texts, emails and ads for bogus coronavirus vaccines may dog you. They're not legitimate.

Laura Hautala Former Senior Writer

Vaccines offered through unexpected texts, emails or phone calls? Don't fall for it.


As we all hope for an end to the coronavirus pandemic, many people are understandably focused on the COVID-19 vaccine. Scammers know that. And while you're dreaming about hugging loved ones, going to concerts or just feeling safe inside a grocery store, they're busy crafting vaccine-related phishing campaigns to trick you into handing over personal information, money or access to your device.

Last month, the FBI issued a warning urging people to be cautious when opening emails and texts from unknown senders who promise information on getting a vaccine. So did the Financial Crimes Enforcement Network, a division of the US Treasury Department. Police in Florida, the UK and other jurisdictions say they're seeing the scams pop up, too. In the English county of Derbyshire, law enforcement officials say scammers sent out texts with links to a site that painstakingly imitated the look of the UK's National Health Service. The goal was to steal personal and financial information, authorities said.

Scammers are also buying ads offering to sell vaccines directly to internet users. They likely just want to steal your credit card information, but even if they did send out something purporting to be a vaccine, it would be extremely dangerous.

Online scammers have for years used crises and major events to con people. The pandemic has created an appealing situation because the entire world is aware of the disease and the hardship it's caused in everyone's lives. From a criminal's perspective, it's a great opportunity to get lots of people to act against their better judgment. Scammers seized on this opportunity as soon as the pandemic took hold, offering snake oil cures that never materialized in exchange for credit card numbers, or hacking their targets' computers.

Now vaccines give scammers another lure for their targets.

"These attacks prey on our desire for information in times of uncertainty," said Tony Pepper, CEO of cybersecurity firm Egress. The scams, Egress says, can be "incredibly convincing," particularly to older people, who are at the top of lists for getting vaccines and may be waiting to hear from medical authorities.

Setting up a scam

As early as November, researchers at cybersecurity firm Check Point noticed a significant increase in website domain names that reference vaccines. Scammers typically register a new domain name related to their con when setting up a phishing campaign, to serve as a place to lure their targets.

The websites may contain legitimate-looking web forms meant to steal payment or health care information, or they might host malicious software that installs on your device when you visit. Malicious software, or malware, can leave you vulnerable to ransomware attacks, pop-up ads that make your device unusable and other intrusive attacks from hackers.

You'll typically encounter a vaccine scam by way of a compelling message designed to get you to respond. The Check Point researchers have found emails with subject lines including "pfizer's Covid vaccine: 11 things you need to know." That message contained a malicious file that would've infected recipients' computers with malware if opened.

Fraudulent ads for vaccines

If you search online for information about vaccines, you might later see ads on various websites for vaccine doses you can order online. Scammers buy these ads because they know you're interested in vaccines, just as legitimate retailers might show you rain-boot ads for days after you search for wet-weather gear.

The vaccine ads are another scam meant to collect your financial information. Researchers at fraud detection firm Bolster found an ad claiming to sell the Sinovac vaccine from China, but the business was clearly fraudulent. Registered in Panama, the website listed phone numbers shared by other businesses, including a waterless car wash service and a talent management agency.

Even if the company sent something claiming to be a vaccine, direct sales of the real COVID-19 vaccine are nearly impossible because of how costly it is to maintain the right cold temperature range for the package at all times.

Avoiding vaccine-related fraud

The FBI urges people to be wary of any email, text message or phone call that comes from a sender you don't recognize and offers information about the coronavirus vaccine. As with any message from an unknown sender, don't click, download or share your password. Get your information about vaccines from official sources, like state and local health departments, the Food and Drug Administration and your doctor.

Next, be mindful that your health information can also be used for medical identity theft. Give out your insurance or health information only to professionals you know and trust, and monitor your insurance claims to make sure no one else is using your health insurance. What's more, don't trust strangers who send unsolicited messages offering Medicare benefits, coronavirus tests or vaccines in exchange for your personal data, including your Medicare information. According to the US Department of Health and Human Services, that's another scam that's become common in the pandemic.

Finally, whatever you do, don't inject vaccines bought on the internet.