FBI, HHS Alert to COVID-19 Vaccine Fraud Schemes Aimed at Data Theft

December 30, 2020 - All private sector organizations should be on the alert for fraud schemes tied to the COVID-19 vaccine, as multiple complaints have been received by the Department of Health and Human Services Office of the Inspector General, Centers for Medicare and Medicaid Services, and the FBI.

The alert follows a KnowBe4 report that found hackers launched a phishing campaign leveraging COVID-19 themes.

According to the federal agency alert, several fraud schemes have emerged, as vaccines rollouts have begun across the country. Scammers are leveraging these campaigns to steal personally identifiable information and for financial gain.

Organizations should keep an eye out for potential indicators of fraudulent activities and inform workforce members to be on alert, as well.

These schemes include advertisements or offers for early access to vaccines upon a deposit or monetary fee, as well as requests asking users for out-of-pocket payment to obtain a vaccine or to put their name onto a waiting list to receive a COVID-19 vaccine.

Further techniques include scam marketers offering to sell or ship vaccine doses in exchange for a monetary fee, along with claims that FDA approval for a vaccine cannot be verified. Threat actors are also posting malicious advertisements for vaccines on social media sites, phishing emails, telephone calls, websites, and through unsolicited or unknown sources.

Scammers are also sending unsolicited emails, calls, or other means to personally contact individuals and claiming to be from an insurance company, medical office, or even a COVID-19 vaccine center, then requesting personal information and or medical details to determine whether the individual is eligible to receive the vaccine or join a clinical vaccine trial.

For the final scam observed by these federal agencies, these actors contact individuals by phone or email to inform them that the government requires them to obtain a vaccine.

To avoid falling victim to these scams, entities should refer to the website of their state’s health department to find up-to-date information on authorized vaccine distribution channels and only receive vaccines through these official means.

The FDA and CDC websites are also valuable resources to find trusted information about the virus and vaccines, as well as emergency use authorizations.

As always, employees should be reminded to never give out their personal information or health data to anyone other than a trusted medical professional. Further, individuals should only seek vaccines from a trusted primary care physician.

Administrators should ensure operating systems and antivirus software is updated, while conducting routine network scans. Macros on documents downloaded via email should never be enabled, unless necessary and only after ensuring the file is not malicious.

Employees should be trained to never communicate with or open emails, attachments, or links from unknown sources, nor should they provide personal information of any sort through email. Many emails requesting personal information may appear to be legitimate.

Lastly, two-factor authentication should be implemented whenever possible, including the use of hardware tokens, authentication apps, or biometrics. All unneeded software applications should be disabled or removed.

The vaccine fraud schemes are just the latest attempts by cybercriminals to take advantage of pandemic fears, human nature, and an expanded remote workforce. Throughout each stage of the national crisis, hackers have preyed on fears surrounding COVID-19 information, the use of videoconferencing platforms, the need for personal protective equipment, and a host of other themes directly tied to the national response.

As the year progressed, hackers pivoted to further spear-phishing and ransomware attempts directly targeted the healthcare sector. Fortunately, a host of free resources have been released for each of these scams, in order to harden the increasingly sophisticated threat landscape in the US.