Security experts are warning of a new COVID-19 vaccine phishing scam, this time using NHS-branded emails to trick users into handing over their personal and financial details.
The latest campaign informs recipients they have been selected for a jab based on family and medical history, using the trusted brand of the Health Service and the promise of protection from the deadly virus to socially engineer victims.
Information including name, date of birth and credit card details handed over by any unsuspecting recipients can then be sold on the dark web and/or used in follow-on fraud, according to Mimecast.
The email security company claimed that the threat actor behind the campaign has ramped up email volumes by 350% over their usual levels to take advantage of widespread public awareness of the national NHS vaccination effort.
Head of e-crime at the vendor, Carl Wearn, argued that the pandemic is forcing organized crime groups to find new ways to make money.
“The majority of online scams rely on some form of human error, as it is far easier to compromise a single user than a whole system. Threat actors know this well and are continuing to exploit the human factor by tailoring scams to target current events and the fears of their victims,” he added.
“Cyber-criminals are clever and continuously adapting their tactics. Don’t click on suspicious links and never open unexpected email attachments. If you are concerned about whether vaccine information is legitimate, call your GP or take an independent route to check the website.”
The current campaign is just the latest in a long line of COVID-themed phishing threats. Early last year the majority were news updates spoofed to appear as if sent by official sources like the World Health Organization (WHO), but increasingly the focus today is on vaccine-themed campaigns.
In April last year, Google claimed to be blocking over 240 million COVID-themed spam messages each day, and 18 million malware and phishing emails.