In June 2020, we wrote about the ‘latest’ COVID-19 scams and how to spot them, back then we were easing out of the first(!) lockdown and there was hope that the pandemic was coming to an end. Who would have thought 8 months down the line, that COVID would still be so prevalent and that cyber criminals would still be using it as topic of phishing attacks. But here we are. The latest phishing campaign targets a hot topic at the moment, the COVID-19 vaccination.
What does it look like?
It has been reported that there are phishing emails being received that claim to be from the NHS, informing readers they are eligible for the COVID-19 vaccination. As with many phish threats there are multiple variants of the email, but all claim to be from the NHS at firstname.lastname@example.org (NHS domain is www.nhs.uk) with common subject lines being: “IMPORTANT- Public Health Message | Decide whether you want to be vaccinated” or “Booking for vaccination no. XXXX…”.
Recipients are then asked to click one of two links to either accept the invitation or decline the invitation. Whilst many of us know to be wary of clicking links in an email, if you’re in the group that’s due to be vaccinated you could be forgiven for fallen for this one.
If you click on either link in the email you are directed to an NHS branded website asking you again to accept or reject the invitation for vaccination. Regardless of which is selected the visitor is then directed to a questionnaire requesting a series of personal information including credit card and banking information (suspicious when the vaccine is free!).
Once the information has been submitted you will be redirected to the real NHS site, like nothing happened. Nothing to tell you your personal data is now in the hands of a cyber criminal, until it’s too late.
How will the NHS contact you?
In response to this threat the NHS have published a web page explaining how you will be contacted when you are invited for the vaccination. Whilst they could still contact you via email the key things to remember are:
The NHS will never ask for:
- Your bank account or card details
- Your pin or banking password
- Copies of personal documents to prove your identity such as your passport, driving licence, bills, etc.
Stop and think
Scams like these adapt and evolve every day and it’s likely that there will be more COVID based scams in the future. These could include, phishing emails about second vaccinations or compensation for working from home. The key message is to stay alert, particularly if asked to hand over personal information in the form of identification or banking information.