Dark background with blue code overlay

NHS Vaccine Scams: Criminals Still Targeting COVID-19 Anxiety

Steve Ragan

Written by

Steve Ragan

February 11, 2021


It's 2021, but the anxiety, fear, uncertainty, and stress caused by the COVID-19 pandemic in 2020 is very much alive today. Criminals are targeting the most vulnerable among us, using the lure of COVID-19 vaccination in their most recent phishing campaigns. Today's post will examine some of the history related to COVID-19 scams, and the latest vaccination scam, which the National Health Service (NHS) in the UK is warning the public about.

Last February, as the world started to go into lockdown to help slow the spread of COVID-19, criminals were forced into lockdown too and wasted no time shifting their focus towards COVID-based scams and criminal activities.


At first, criminals started focusing on the web-based purchasing boom. Since most people couldn't obtain various goods from their local stores, either due to supply shortages or physical access restrictions, they turned to the internet to get their needs covered.

Criminals hopped on this trend and developed scam shops, such as the one offered for sale in Figure 1, that promised health supplies like masks and hand sanitizers, or other popular goods like toilet paper, household cleaners, etc. Because the scam shops were modular, criminals could switch product offerings on the fly, adapting to current trends.

Credential phishing

All throughout 2020, criminals leveraged COVID-19 in their phishing campaigns. The lures used were designed to target COVID-19 spread and safety information, vaccine development, vaccine testing, lockdown information, and more.

However, the majority of these phishing kits leveraged COVID-19 only as a stressor on the frontend - basically something to make the victim take action. The phishing kits themselves were just reskinned variants of existing backends targeting various usernames and passwords for multiple email services (Figure 2) such as Gmail, Office365, Yahoo, and corporate accounts.

Vaccine phishing

In Figure 3 below, we see the latest example of COVID-19 related phishing. Leveraging current events as the lure, the scam is delivered to victims via SMS in most cases, or in some cases email.

There are a few problems with this landing page, namely the grammatical mistakes, but if one were to read it quickly and without paying close attention -- say if the anxiety and stress caused by the current vaccine rollout and the looming spread of COVID-19 variants are dominating your thoughts -- then this page hits all the points needed to fool some people.

"The NHS is performing selections for coronavirus vaccination on the basis of family genetics and medical history. You have been selected to receive a coronavirus vaccination," the landing page explains.

It goes on to outline the vaccination process, including the wait periods that were discussed in the news earlier last month. While it states that rejection is a possible action, both acceptance and rejection lead the victim to the same page requesting additional information.

Unlike the others that have leveraged COVID-19, this particular phishing scam isn't looking for usernames and passwords. Instead it is looking for personal information and financial data.

It will require the victim's first and last name, date of birth, mother's maiden name, address (restricted to UK locations), mobile number, banking card number, expiration date, CVV2, issuing bank name, bank account number, and sort code. All of the information needed for a criminal to perform ID and banking fraud.

It isn't a flawless phishing kit, but it is pulling images and design elements directly from the official NHS website. In addition, the kit has several customization options.

The kit comes with an IP logger, which will prevent revisits from the same victim, and it has a basic security system that prevents some search engines and other crawlers from visiting the landing page. The exit domain, which loads as the attack concludes, is fully customizable and can be directed anywhere, but the kit's developer encourages criminals to direct it to the NHS website.

Furthermore, the kit can be geo-targeted, and restricted to visitors who reside in a given country. In Figure 3, the kit was only targeting UK and US visitors. Finally, the kit offers logging options, where the victim's details can be stored on the server, or emailed to the criminal directly.


Phishing is a constant problem on the internet, it's been that way for years, and it will remain a problem as long as the criminals have something to gain from leveraging it as an attack path. One of the key elements in phishing is the psychological use of fears and anxiety to trick a victim into taking action. In today's example, the action is the release of personal and financial information. Tomorrow, it could be something similar, or more sinister.

For those concerned about NHS vaccine scams such as this one, please visit the official NHS website on the topic.

The NHS has issued guidance about the process, as well as warnings about scams such as this. One of the key warnings is the requirement of payment and identification details. The COVID-19 vaccine is free of charge, and the NHS will never ask for bank account or card details, pin numbers or banking passwords, or copies of personal documents to prove identity. If you think you've been the victim of a scam related to NHS vaccines, the NHS advises you to contact Action Fraud at 0300 123 2040.

Steve Ragan

Written by

Steve Ragan

February 11, 2021