Sign in

The COVID-19 Vaccine Phishing Campaigns are Here

By: Lisa Marlin

December 15, 2020


The COVID-19 vaccines began arriving in U.S. hospitals this week. For real. You can schedule an appointment for your first dose by clicking on the link in an email you received today. Not for real.

As expected, the phishing campaigns are in full force, with an increase in suspicious texts or emails claiming to have information about the vaccine in exchange for personal information.

One vaccine-themed phishing email that has been reported uses the very kind of social engineering scheme that has been anticipated. According to KnowB4 CEO Stu Sjouwerman, this email appears to be trying to exploit a very recent report in The Washington Post that Pfizer may not be able to supply additional doses of its vaccine to the United States in large volumes until sometime in Q2. The email entices readers to find out when the vaccine will be available to them, if it will be safe, how much it will cost, etc.

While most organizations are hit by phishing randomly with your business email addresses being part of a large bulk list, other times an organization may be specifically targeted by a hacker. While targeted spear phishing attacks are far less common, they are harder to defend against.

Government agencies have issued warnings and statements about this latest round of attacks. The FBI is fielding complaints of scammers using the public’s interest in the vaccines to obtain personally identifiable information and payment through these various schemes.

The Better Business Bureau is reminding everyone that when the vaccine is available to the general public to only trust information from their own doctors and local health departments. “Watch out for phishing messages attempting to trick you into sharing your passwords and personal information,” the BBB release stated.

The warning never gets old; we have shared similar advice here and offer up some reminders to help keep your organization and employees safe.

  • Remind users to slow down when going through their email inboxes.
  • Train users to check each email for the tell-tale signs of a spoofed email:
    • Review reply address to make sure it is valid.
    • Hover over all links to make sure they are valid.
    • The URL should also begin with “https,” which indicates the site is secure.
  • Instruct users to forward all suspicious emails to your IT department for confirmation on legitimacy of the email.
  • Test users with regular phishing tests to make sure they are paying attention and not falling for phishing schemes.

Contact the experts at PrivaPlan to learn more about phishing tests and all the services we provide at info@privaplan.com or call 877-218-7707.