How to Not Fall Victim to COVID-19 Vaccine Phishing Attacks


By Tim Sadler, CEO of Tessian

Throughout the Covid-19 pandemic, cybercriminals have capitalized on key moments and the latest updates. We’ve seen hackers impersonate governmental departments, healthcare organizations, and charities, often in phishing attacks designed to lure unsuspecting victims into wiring money or sharing account details and confidential data.

One such scam saw cybercriminals sending text messages to their victims, purporting to come from the NHS’s Track and Trace System. The messages suggested that the individual had been in contact with someone who had tested positive for the virus and urged them to click a link. Those that clicked would be directed to a false website, registered under a realistic domain name, and designed to harvest the credentials a person enters.

Given a hacker’s modus operandi, it’s perhaps unsurprising that cybercriminals are now finding ways to cash in on the Covid-19 vaccine rollout.

Why? Because the uncertainty surrounding the vaccine – how to get it, when to get it, and who will get one next – combined with the public desire to get ‘back to normal’ has created a perfect storm for convincing phishing scams.

In fact, researchers at Tessian found that nearly 2,700 new website domains related to the Covid-19 vaccine were registered between 5 December 2020 and 10 January 2021. This is important because scammers will often register new domains to lure people to a page after they’ve clicked a link in a phishing email.

And Tessian’s researchers confirmed that a number of these newly registered domains are malicious.

For example, some contain online forms designed to harvest financial or healthcare information, while Tessian noted that others impersonate an Office 365 or Apple ID page and prompt individuals to share their username and password so that hackers could steal people’s account credentials.

Tessian researchers also found that almost one quarter (25%) of the newly registered domains also use a technique called ‘typosquatting’ – where one or two letters of a word in the domain name are changed, in the hope that people make mistakes when typing in the website or simply miss the typo in the URL bar.
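The typosquatting and brand-impersonation patterns described above are easy to screen for automatically when a defender reviews a feed of newly registered domains. The following is an added example written for this article, not code from Tessian or from the research it cites. It assumes a short list of trusted brand domains and uses a constructed "new registrations" feed under the reserved `.example` TLD, so none of the flagged names are real sites. It classifies each candidate as the brand on a different suffix, a one- or two-character typosquat (using an edit distance that also counts swapped adjacent letters), or a brand name embedded in a longer domain.

```python
"""Screen a feed of new domain registrations for lookalikes of trusted brands.

Added example for this article; not Tessian's tooling. The trusted list, the
suffix table and the registration feed below are constructed sample data.
"""

# Brands a defender wants to protect (constructed shortlist).
TRUSTED_DOMAINS = ["nhs.uk", "office365.com", "apple.com"]

# Constructed feed; '.example' is the reserved TLD, so these are not real sites.
NEW_REGISTRATIONS = [
    "nhs.uk",                      # the genuine domain, should be ignored
    "nhs.example",                 # right brand, wrong suffix
    "nsh.example",                 # two letters swapped
    "nhs-vaccine-booking.example", # brand buried in a longer name
    "0ffice365-login.example",     # zero standing in for the letter o
    "appie.example",               # one letter substituted
    "covidvaccineinfo.example",    # topical, but imitates no brand on our list
]

# Tiny stand-in for a public-suffix list, enough for this demo.
PUBLIC_SUFFIXES = ("co.uk", "org.uk", "gov.uk", "ac.uk", "example", "info", "com", "org", "net", "uk")

# Characters or pairs that squatters use because they resemble another letter.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Lower-case a label and fold lookalike characters back to the letter they imitate."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def split_domain(domain: str) -> tuple[str, str]:
    """Return (registrable label, public suffix), e.g. 'nhs-booking.co.uk' -> ('nhs-booking', 'co.uk')."""
    for suffix in sorted(PUBLIC_SUFFIXES, key=len, reverse=True):
        if domain.endswith("." + suffix):
            head = domain[: -len(suffix) - 1]
            return head.split(".")[-1], suffix
    head, _, suffix = domain.rpartition(".")
    return head.split(".")[-1], suffix


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance counting insertions, deletions, substitutions and adjacent swaps."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify(domain: str, trusted: list[str] = TRUSTED_DOMAINS) -> list[tuple[str, str]]:
    """Return (official domain, finding) pairs for a candidate; empty list if it looks benign."""
    domain = domain.lower().rstrip(".")
    if domain in trusted:
        return []  # the genuine domain itself
    label, _ = split_domain(domain)
    norm = normalize(label)
    tokens = [t for t in norm.split("-") if t]
    findings = []
    for official in trusted:
        brand = normalize(split_domain(official)[0])
        max_dist = 1 if len(brand) <= 5 else 2  # short brands need a tighter bound
        if norm == brand:
            findings.append((official, "brand-on-other-suffix"))
        elif 1 <= damerau_levenshtein(norm, brand) <= max_dist:
            findings.append((official, "typosquat"))
        elif brand in tokens or (len(brand) >= 5 and brand in norm):
            findings.append((official, "brand-in-name"))
        elif any(1 <= damerau_levenshtein(t, brand) <= max_dist for t in tokens if len(t) >= 3):
            findings.append((official, "typosquat"))
    return findings


def triage(feed: list[str], trusted: list[str] = TRUSTED_DOMAINS) -> dict[str, list[tuple[str, str]]]:
    """Map each suspicious domain in the feed to its findings."""
    report = {}
    for candidate in feed:
        findings = classify(candidate, trusted)
        if findings:
            report[candidate] = findings
    return report


if __name__ == "__main__":
    for domain, findings in triage(NEW_REGISTRATIONS).items():
        print(domain, "->", findings)
```

The distance threshold is deliberately tighter for short brand names such as "nhs", because almost any three-letter label sits within two edits of it; in a real deployment the suffix table would come from the Public Suffix List and the output would feed a blocklist or a human review queue rather than an automatic block.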

From a business perspective, receiving vaccine scams on personal email accounts could pose a number of risks. Last year, Tessian found that the majority of UK and US employees (58%) are working on their personal devices as a result of remote working arrangements. Should they accidentally download malware onto their devices after receiving a phishing email on a personal account, hackers could access any company data the employee can reach, or even infiltrate the corporate network. Hacking humans is the easiest way for cybercriminals to hack organizations.

Another big concern surrounding vaccine phishing scams is how hackers will target older generations – those at the top of the list for the vaccine. Another Tessian report found that people over 55 years old were the least likely to know what a phishing email was. This is particularly concerning as millions of over-50s await confirmation of the first vaccination and millions more await confirmation of the appointment for their second jab. People, therefore, need to be wary of phishing scams that have been designed to trick victims into scheduling a fake second appointment.

So what do you need to look out for to avoid falling victim to this new wave of phishing scams? Be skeptical of emails, websites, or text messages that request payment or personal information at this time, and reach out to vulnerable friends or relatives who might not be aware of these emerging threats.

Before entering personal details into a website, also check whether the page uses the secure web transfer protocol (HTTPS) rather than the standard one (HTTP): look for the padlock in the URL bar. Bear in mind that the padlock only confirms the connection is encrypted, not who runs the site, so check the domain name itself as well.

Lastly, adopt an “if it doesn’t look right, it probably isn’t” mindset. Sophisticated scammers often won’t make typos and they will design scam emails to look like they’ve come from a trusted source. Inspect the sender’s email address by clicking the sender’s name and ask yourself whether you’d normally be asked to share this information. Remember, the NHS will never ask you for your bank account or card details, your banking PIN, or copies of personal documents to prove your identity.
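The checks in the last three paragraphs (look past the sender's display name to the real address, look at where a link actually goes and whether it uses HTTPS, and ask whether the request is one a genuine sender would make) can be run mechanically over a message. Below is an added example written for this article, not Tessian's product code. It assumes a small table of which domains each brand genuinely sends from and a list of request phrases the article says the NHS would never use; both the table and the two sample messages are constructed, with the suspicious one using the reserved `.example` TLD.

```python
"""Apply the article's 'if it doesn't look right' checks to an email message.

Added example for this article, not Tessian's code. The brand table, the
sensitive-request phrases and both messages are constructed sample data.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains each brand genuinely sends from (constructed shortlist; a real
# deployment would maintain this per organisation).
OFFICIAL_DOMAINS = {
    "nhs": {"nhs.uk", "nhs.net"},
    "apple": {"apple.com"},
    "office 365": {"microsoft.com"},
}

# Requests the article says a genuine NHS message will never make.
SENSITIVE_REQUESTS = ("bank account", "card details", "pin", "passport")

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)

# Constructed phishing-style message: brand in the display name, unrelated
# sender domain, plain-HTTP link to a third domain, request for card details.
SAMPLE_MESSAGE = """\
From: NHS Vaccine Team <appointments@nhs-vaccine-booking.example>
To: recipient@example.org
Subject: Confirm your second vaccine appointment
Content-Type: text/plain; charset=utf-8

Your second appointment is waiting. Confirm within 24 hours at:
http://nhs-second-dose.example/confirm
A small booking fee applies, so please have your card details ready.
"""

# Constructed benign message: sender and link both sit on the brand's own domain.
GENUINE_MESSAGE = """\
From: NHS <no-reply@nhs.uk>
To: recipient@example.org
Subject: Vaccination information
Content-Type: text/plain; charset=utf-8

Read the latest guidance at https://www.nhs.uk/
"""


def registrable_domain(host: str) -> str:
    """Crude registrable-domain extraction: last two labels, or three under
    co.uk-style suffixes. Enough for the demo; use the Public Suffix List in production."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-1] == "uk" and parts[-2] in ("co", "org", "gov", "ac"):
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def inspect_message(raw: str) -> list[str]:
    """Return the warnings a reader should weigh before acting on the message."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(address.rpartition("@")[2]) if "@" in address else ""
    warnings = []

    # 1. The display name claims a brand; does the real address belong to it?
    for brand, domains in OFFICIAL_DOMAINS.items():
        if brand in display_name.lower() and sender_domain not in domains:
            warnings.append(f"display name mentions '{brand}' but sender domain is {sender_domain}")

    # 2. Where do the links actually go, and are they HTTPS?
    body = msg.get_payload()
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        link_domain = registrable_domain(parsed.hostname or "")
        if parsed.scheme.lower() != "https":
            warnings.append(f"link is not HTTPS: {url}")
        if link_domain != sender_domain:
            warnings.append(f"link domain {link_domain} differs from sender domain {sender_domain}")

    # 3. Is the message asking for something a genuine sender would not?
    lower_body = body.lower()
    for phrase in SENSITIVE_REQUESTS:
        if re.search(r"\b" + re.escape(phrase) + r"\b", lower_body):
            warnings.append(f"asks for {phrase}")
    return warnings


if __name__ == "__main__":
    for name, raw in (("suspicious", SAMPLE_MESSAGE), ("genuine", GENUINE_MESSAGE)):
        print(name, "->", inspect_message(raw) or ["no warnings"])
```

The display-name check is the one most readers skip: mail clients show the name, not the address, which is exactly why the article tells you to click through to it. A link on a different domain from the sender is not proof of fraud (legitimate senders use tracking domains), so these are prompts for suspicion rather than a verdict.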


Tim Sadler is Co-founder & CEO of Tessian, a cybersecurity company that stops threats, not business, by securing the human layer.


Follow Brilliance Security Magazine on Twitter, Facebook, and LinkedIn to ensure you receive alerts for the most up-to-date security and cybersecurity news and information.