UK residents are being warned about a new phishing campaign that spoofs the National Health Service (NHS) and asks recipients to confirm that they want to receive the COVID-19 vaccine.
The UK’s vaccination program is now well underway, with more than 6.5 million people already given the first dose of one of the approved COVID-19 vaccines, with the most vulnerable groups and NHS workers being prioritized. However, it is likely to take until the summer or even the autumn for all adults to receive their dose of the vaccine, which means many people still have a long wait ahead. It is therefore unsurprising that cybercriminals have seized the opportunity to conduct phishing scams related to the COVID-19 vaccine rollout.
The NHS COVID-19 vaccine scam is plausible and well written and is devoid of the spelling mistakes and grammatical errors that are often found in phishing emails. The ploy is simple. The emails appear to have been sent by NHS Test and Trace and ask UK residents to accept or decline an invitation to have the vaccine.
This is a public health message from NHS
As part of the government’s coordinated response to Coronavirus, NHS is performing selections for coronavirus vaccination on the basis of family genetics and medical history.
You have been selected to receive a coronavirus vaccination.
Use this service to confirm/reject your coronavirus (COVID-19) vaccination.
Two links are supplied in the email for recipients to confirm. One has the text “NHS – Accept invitation” and the other “NHS – Decline invitation”.
The phishing emails appear to have been sent from the address noreply[@]nhs.gov.uk, but nhs.gov.uk is not the official domain used by the NHS. Scam emails have also been sent that appear to be from official-looking domains but have actually been sent from Hotmail addresses. The NHS does not send emails from any free email service.
Both links in the email direct the user to a webpage that spoofs the NHS, complete with the correct logo, color scheme, and layout. Further information is provided on the landing page about the vaccine program, what individuals can expect, and who can use the service.
Users are again asked to make their choice and will then be directed to a form where they need to provide personal information to confirm their identity. The first page asks for information that seems reasonable: name, date of birth, mother’s maiden name, address, and mobile number. Then, another form asks for their credit card number and banking information. Once the information is entered, the user is directed to the genuine NHS webpage.
The NHS is making contact with individuals about booking an appointment for vaccination either by letter, text message, or email. If contacted by email, the domain used will be nhs.uk. The NHS has confirmed it will never request passwords, banking information, credit card information, or copies of personal documentation to be provided via email or online and that the vaccine is provided free of charge.
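The sender checks described above (genuine NHS email uses nhs.uk, while the scam emails used nhs.gov.uk and Hotmail addresses) can be automated in a mail filter. The Python below is an added example, not part of the original article; the free-mail list, the category names, and the sample headers are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OFFICIAL_DOMAIN = "nhs.uk"  # per the article, genuine NHS email uses nhs.uk
# Assumed (illustrative) list of free webmail domains; extend for real use.
FREE_MAIL = {"hotmail.com", "hotmail.co.uk", "outlook.com", "gmail.com"}
NHS_WORD = re.compile(r"\bnhs\b", re.IGNORECASE)

def classify_sender(raw_message: str) -> str:
    """Label the From header: official, free-mail-impersonation, lookalike, other.

    The From header is attacker-controlled, so "official" only means the
    header names nhs.uk; pair this with SPF/DKIM/DMARC results before trusting.
    """
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    # Exact match or a true subdomain; a plain substring test would pass
    # nhs.gov.uk or nhs.uk.example.com.
    if domain == OFFICIAL_DOMAIN or domain.endswith("." + OFFICIAL_DOMAIN):
        return "official"
    claims_nhs = bool(NHS_WORD.search(display) or NHS_WORD.search(msg.get("Subject", "")))
    if domain in FREE_MAIL and claims_nhs:
        return "free-mail-impersonation"
    if "nhs" in domain.split("."):
        return "lookalike"
    return "other"

# Constructed sample headers (not captured from the real campaign).
SAMPLES = [
    "From: NHS Test and Trace <noreply@nhs.gov.uk>\nSubject: Vaccination invitation\n\n",
    'From: "NHS Vaccination" <sender@hotmail.com>\nSubject: Confirm your invitation\n\n',
    "From: Booking <appointments@trust.nhs.uk>\nSubject: Your appointment\n\n",
    "From: NHS <info@nhs.uk.example.com>\nSubject: Invitation\n\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify_sender(raw), "<-", raw.splitlines()[0])
```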
Further COVID-19 vaccine-related scams can be expected over the coming days, weeks, and months. UK residents should exercise caution with any text message or email received in relation to the vaccine and should never supply financial information or provide copies of documentation via email, websites, or over the phone.