Beware COVID Vaccine Phishing Scams

What a remarkable world we live in. Less than 10 months after COVID-19 began wreaking its havoc on the global community, vaccines are now rolling out at record pace. Fingers crossed – the coming weeks will begin to bring relief and folks will start to gain a sense of safety as they increasingly reengage in their environments. Yet there is a substantial threat preying upon the weary but hopeful masses. COVID vaccine phishing scams are burgeoning nearly as prolifically as the virus itself did earlier this year, and bad actors are on the offensive in their bid to hijack, infect and otherwise exploit innocent victims.

COVID VACCINE PHISHING IS BIG BUSINESS  Tim Mackey, a professor and lead author of a scam-related study released by UC San Diego School of Medicine, said, "COVID is a scammers bonanza. You cannot be a scammer and not be in the COVID scam business. Like, this is your time to shine." The vastness and variety of vaccine phishing scams truly are jaw-dropping and new threats are emerging daily. Just last week, the Federal Trade Commission warned consumers to be on the lookout for scams and schemes related to vaccine distribution. Check Point Research recently identified one such scam in which a user receives a seemingly informative email with the subject line: “Pfizer’s Covid vaccine: 11 things you need to know” but includes a malicious executable file called “Covid-19 vaccine brief summary.” This file is called an RAT (Remote Access Trojan) and is designed to infiltrate, monitor and steal all kinds of data from the victim including keyboard strokes, clipboard data, and software credentials. These trojans pose a devastating threat to the functionality of victims’ systems, the safety of their data and, perhaps most pressing, the security of their bank accounts. All very scary stuff. COVID related scams are actually nothing new – the first ones trace all the way back to March of 2020. But while researchers were painstakingly working toward a vaccine over these past months, scammers and hackers were working on a plan of their own, albeit a nefarious one – how to leverage people’s fears and hopes to line their own pockets with ill-gotten gains. Many of these COVID vaccine phishing scams use fear and uncertainty to spur people to act. Click bait verbiage like “Reserve your vaccine before it runs out” will either trigger malware installation or require you to enter your credit card information to secure a vaccine order. And rather than just being out the $100 you put down for the fraudulent vaccine, more likely you will find your credit card maxed out or your bank account cleared. Email COVID vaccine phishing scams will clearly be the most prevalent due to grandness of scale, but consumers should also expect a full court press from COVID scammers including exploitive texts, phone calls and even knocks at their front door.

IMPORTANT TAKEAWAYS  Most all phishing scams use scare tactics to urge action. Be sure to read our upcoming article on “The Telltale Signs of a Phishing Scam.”  The following is a quick list of Don’ts: Don’t click on any link in an email. Ever. Never supply anyone with your social security or credit card number or other personal information. If you think the email might be legitimate, still don’t click. Instead, contact your healthcare provider or healthcare authority in your state. It is also imperative that you understand:  You do not need to put your name on a list for the vaccine. You will not be asked to pay in advance (and perhaps not at all) for the vaccine. You will not legitimately be offered “early access” to the vaccine. Nobody related to legitimate vaccine distribution will ask for your social security number, credit card number or bank account information. Nobody related to COVID vaccine distribution will ask to gain access to your computer.

WHAT TO DO IF YOU FALL PREY TO SCAMMERS  Realizing you have been duped by a COVID vaccine phishing scam is a humbling and scary experience. But time is truly of the essence when dealing with bad actors infiltrating your bank accounts and personal information, so it is crucial you act swiftly to the threat.  Here is what you should do immediately: First, call your bank or credit card company directly and inform them of the security breach. If you have given someone access to control your computer remotely, immediately shut it down using the power button. Contact a computer solutions or cybersecurity company for threat detection, data recovery, antimalware installation and any related performance issues. If you are on a business computer, contact your help desk or computer support person immediately. File a complaint with your State Attorney General at www.consumerresources.org. If you provided hackers with your social security number, contact the Federal Trade Commission at www.identitytheft.gov to report it. You can also call 1-877-IDTHEFT (1-877-438-4338).

KNOWLEDGE IS POWER  Most of us have spent the better part of 2020 educating ourselves on COVID-19 and virus-related safety measures. We have collectively become smarter and more informed on how to combat this existential threat to mankind. My hope as a cybersecurity professional is that the public better learns to recognize and defend themselves against formidable online dangers as well. Because there will never be a vaccine that prevents bad people from doing bad things. Stig Ravdal is the President & Founder of Ravdal, Inc., a leading cybersecurity company. He is an expert in the fields of cybersecurity strategy and technology solutions, and is available for speaking engagements.