How I almost fell for a COVID vaccine scam

The latest wave of social engineering attacks related to the pandemic are sophisticated, widespread and convincing - and I was nearly taken in

It's the evening. You've just finished a day at work you're sitting on the sofa to wind down. Your phone pings with an email and, surprise, it's news of your upcoming coronavirus vaccine. Great! But you're concerned - you've heard that there are scammers trying to take advantage of people during the pandemic. No worries though, the email looks genuine - it even has some public health information addressing concerns about the vaccine, and comes from an NHS email address. So you click the link.

This - minus the final link click - was my experience. I'd have been more suspicious if I hadn't been a member of an 'at-risk' category, but as a type 1 diabetic I knew I was likely to get the vaccine earlier rather than later - and the email was extremely convincing.

Attacks leveraging fears around coronavirus have risen dramatically over the course of the pandemic. Security firm Proofpoint says that almost every social engineering attack it logged in 2020 played on those concerns in some way, and Citizens Advice found that nearly 40 per cent of the 2,000 people it surveyed had been targeted by scammers. Last year, many of these revolved around fake cures and infection warnings, but the 2021 vaccine rollout has given cyber criminals a new message to exploit.

Below is the email I received, in three parts. Let's have a look.

There are two errors here that throw up red flags.

Number one: although I'm technically vulnerable, my category isn't due to receive the vaccine until February or March, according to the various coronavirus vaccine calculators.

Number two: the message claims to be from '[email protected]', which is part of the sender's actual username - all that's displayed on mobile devices by default. I needed to click the sender's name, or look at the email on a PC, to reveal the real culprit: a .jp address. That's not at all apparent when reading it on a smartphone.

The third error is also not obvious on a mobile device: the 'Accept invitation' and 'Reject invitation' links go to the same page (not repeated here, for obvious reasons), and it's a non-NHS website - which Chrome also flagged as untrustworthy.

Note the hands-off approach to booking a vaccine. There's no pressure on the recipient, other than the 12-hour reply requirement - nothing to make you think the sender is anything but an automated service, leaving the choice of whether to click the link wholly in your hands. It's a significant departure from more common approaches to phishing emails, where the attacker will try everything in their power to get you to follow through.

Last but not least is this section, which uses the widely available information about vaccines to add a touch of authenticity to the message. It's meant to be there to reassure you this is an NHS email, but the text (and associated American spelling) has been copied from the WHO website - not an NHS one.

While these seem like obvious red flags, the average user could easily be taken in. The email goes to great lengths to look official, including genuine information about the coronavirus vaccine and vaccines in general, and adopting a laissez-faire approach to whether the recipient accepts the invitation or not. The reference to 'family genetics and medical history' gives the criminals an excuse to email just about everyone in the country.

After receiving the email, I spoke to Phil Booth, coordinator at medConfidential - which campaigns for confidentiality and consent in health and social care - who told me:

"There is a lot of understandable confusion and fear at present and, combined with somewhat confusing public messaging, unfortunately criminals are going to take advantage of that. What people can do is ensure that their family members and friends are aware of these scams - thinking partucularly of the most vulnerable - and to get them to check with themselves, if they are contacted by someone out of the blue.

"It should be possible, given the information published by the NHS, to spot a scam, but we're going to have to help each other in order to prevent those most at risk of harm from being caught up in this terrible business."

He has also tweeted advice for people who receive similar emails.

Remember that the NHS will never ask for personal information like your passport, driving licence or bank details. NHS England has produced guidance around COVID-19 scams, and NHS Digital has a page dedicated to phishing emails.

If you receive a fake SMS or email, report it to [email protected].