Recent reports have indicated that there is an active phishing campaign faking a message from the U.K.'s National Health Service (NHS) telling people they are eligible to receive the COVID-19 vaccine.
Many Twitter users have reported receiving the phishing email, and most of them fall into the age group that is currently eligible for the vaccine, which makes the lure credible; some of those targeted have fallen for the scam.
There appear to be several versions of the phishing email, but they all come from the same sender domain, nhs.gov.uk. The legitimate NHS domain is nhs.uk; the lookalike borrows the gov.uk suffix that real U.K. government addresses use, so a quick glance does not give it away.
They all use similar wording in their subject lines, such as "IMPORTANT - Public Health Message | Decide whether you want to be vaccinated."
Here is one example:
If the recipient opens the message, it does not matter where they click: every link in it leads to the same fake NHS website.
That website then asks a series of questions to collect personal information: name, mother's maiden name, address, mobile number, credit card details and banking details.
If the victim answers all of the questions, the site captures the data and then redirects to the real NHS site at https://www.nhs.uk. Handing the victim off to the legitimate site once a spoofed page has done its job is a common attacker technique, because it leaves the victim little reason to suspect that anything happened.
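The two checks a practitioner would run on a message like this are the sender-domain check (nhs.gov.uk versus nhs.uk) and the link check (every link in the body pointing at the same site that is not nhs.uk). The script below is an added example, not code from the original article: it parses a constructed sample message and reports both red flags. The sender address, the link targets (example.invalid stands in for whatever host the real phishing page used) and the HTML body are assumptions; the only details taken from the article are the lookalike domain nhs.gov.uk, the legitimate domain nhs.uk and the subject line.

```python
"""Triage checks for a suspected NHS-themed phishing email (added example)."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# The legitimate NHS domain named in the article; nhs.gov.uk is the lookalike.
LEGIT_DOMAINS = ("nhs.uk",)

# Constructed sample message. The sender address and link destinations are
# assumptions for illustration; example.invalid is not the real phishing host.
SAMPLE_EMAIL = """\
From: NHS <noreply@nhs.gov.uk>
To: recipient@example.com
Subject: IMPORTANT - Public Health Message | Decide whether you want to be vaccinated.
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You are eligible to receive the COVID-19 vaccine.</p>
<p><a href="https://example.invalid/nhs/accept">Accept invitation</a></p>
<p><a href="https://example.invalid/nhs/decline">Decline invitation</a></p>
<p><a href="https://example.invalid/nhs/unsubscribe">Unsubscribe</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collects the href of every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rpartition("@")[2].lower()


def is_legit_domain(domain):
    """True only for nhs.uk itself or a subdomain of it.

    nhs.gov.uk fails: it ends in 'gov.uk', not '.nhs.uk'. So does
    nhs.uk.evil.example, which merely contains the string.
    """
    return any(domain == d or domain.endswith("." + d) for d in LEGIT_DOMAINS)


def link_hosts(msg):
    """Hostnames of every link in the message's HTML body, in document order."""
    part = msg.get_body(preferencelist=("html",))
    if part is None:
        return []
    parser = LinkExtractor()
    parser.feed(part.get_content())
    return [urlparse(h).hostname or "" for h in parser.hrefs]


def triage(raw_message):
    """Run the sender-domain and link checks against a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(msg["From"] or "")
    sender_domain = domain_of(address)
    sender_ok = is_legit_domain(sender_domain)
    hosts = link_hosts(msg)
    off_domain = [h for h in hosts if not is_legit_domain(h)]

    findings = []
    if not sender_ok:
        findings.append(f"sender domain {sender_domain!r} is not under nhs.uk")
    if display_name and "nhs" in display_name.lower() and not sender_ok:
        findings.append("display name claims NHS but the address does not match")
    if hosts and len(set(hosts)) == 1 and off_domain:
        findings.append(f"every link goes to the same non-NHS host {hosts[0]!r}")

    return {
        "sender_domain": sender_domain,
        "sender_legitimate": sender_ok,
        "link_hosts": hosts,
        "findings": findings,
        "verdict": "suspicious" if findings else "no obvious red flags",
    }


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL)["findings"]:
        print("-", finding)
```

The From header and display name are attacker-controlled, so a clean result here is a triage aid, not proof of legitimacy; the suffix match in `is_legit_domain` is deliberately strict so that neither nhs.gov.uk nor a domain that merely contains "nhs.uk" passes.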
This phishing scam has caused some concern within the cybersecurity community.
Beyond the obvious ethical breach of exploiting the coronavirus pandemic to target people, it has heightened concern about the cybersecurity posture of government and healthcare organizations.
Casey Ellis, CTO and Founder of Bugcrowd, offered his viewpoint on the phishing scam being reported on Twitter:
"The critical importance and widespread uncertainty around the COVID-19 vaccine put the global spotlight on government and healthcare organizations involved in distribution efforts. As the world waits with bated breath, the anticipation and anxiety around the subject of vaccination make it especially useful as a phishing lure for attackers who target unsuspecting citizens.
The NHS phish was a serious attempt. It used the pretext of existing NHS vaccination campaigns, included 'credible jargon' and NHS design mimicry to appear as legitimate as possible, and exploited loss-aversion through a fake 'use it or lose it' message."
The U.K. Information Commissioner's Office has also published steps people can follow to avoid being caught by a phishing scam like the one reported on Twitter.
They recommend the following: