The fake vaccine scam and how to spot it

Sarah Reynolds 22 Jan 2021

A major crisis often brings out the best in people – but it can also bring out the worst. We all know the stories of extraordinary kindness the COVID-19 pandemic has inspired; from Captain Sir Tom Moore and the bravery shown by the NHS, to neighbours shopping for the vulnerable and people volunteering in food banks. The sad truth is criminals often use crisis to their own advantage – as we’re seeing with online fraud levels soaring since the start of the pandemic.

A particularly unpleasant scam that’s unfolded this month, is that of fake NHS SMS messages regarding the COVID-19 vaccine. The scam texts claim the recipient is eligible to apply for the vaccine and directs them to a website to do so. The site then requests sensitive personal and financial information – including bank details – that the NHS would never require.

This crime prays on the most vulnerable – those desperate to gain immunity – and exploits a climate of fear and anxiety. Given it is not unusual for GPs to contact patience via SMS, it can be difficult to know what’s real and what’s not. The National Police Chiefs’ Council has issued a warning to remind individuals that the NHS will never ask for bank or credit card details and that the COVID-19 vaccines are free of charge under the NHS.

In our experience, scams can usually be spotted if you know what to look for. As with any kind of online phishing scheme, there are a number of red flags we always advise people to look for before responding to any request for personal details.

  1. Read carefully. Read the message as if you are a proof-reader. Any spelling or grammatical errors, however minor, may indicate that the message is not authentic. In the scam vaccine texts that we have seen, the message erroneously states that “your are eligible…” as opposed to “you”. While this may seem glaringly obvious, it may not be picked up on a quick skim-read of a message, especially when it is read by those expecting to receive legitimate information about their vaccine.
  2. Scrutinise the URL. The SMS message purportedly from the NHS directed individuals to a fake NHS website which replicates the genuine site. Always look for the padlock next to the URL to confirm that the website has a security certificate, and carefully check every letter in the URL itself. A lower-case “L/l” in a link looks the same as an upper-case “I/i”, so fraudsters can use these interchangeably to deceive people. Again, any spelling or grammatical errors, or erroneous formatting or irrelevant ads may also suggest that something is not quite right.
  3. Exercise caution if asked for financial information and/or payments. Always be wary of requests for financial information or payment, whether in the context of the pandemic or otherwise. Ask yourself if it is normal to be paying for the goods or services – if you aren’t expecting to pay for something then don’t.
  4. If in doubt, ask. If you are in any doubt as to the legitimacy of an SMS message or a website, ask others for their views or, in the case of the NHS vaccine texts, telephone your GP surgery to confirm that it is genuine. You may also wish to check online to see if there has been any media reporting or warnings about sophisticated scams.

Specifically, in relation to the vaccine, this is only available via the NHS free of charge and they would never ask you for details about your bank account or to pay for the vaccine. If you receive such request, ignore it. The NHS would also never turn up to your place of residence unannounced to administer a vaccine and/or request payment. Again, if this happens, report it immediately to the authorities.

Authored by Sarah Reynolds and Gurpeet Thathy.