With the initial administration of Pfizer’s COVID-19 vaccine earlier this week in the U.S., and the prospect of Moderna’s vaccine receiving an FDA Emergency Use Authorization at any moment, scammers are concocting fresh schemes to exploit the public’s understandable eagerness to end the pandemic. Having already hawked various nostrums, including fake preventatives and impotent therapeutics, vultures are circling the internet, knocking on doors, and dialing for dollars, ready to pluck the bones of financially and emotionally distressed consumers.
In my view, the U.S.’s patchwork, inadequate coronavirus response, combined with our disjointed healthcare system and dauntingly complex health insurance plans (when available at all), practically invite fraudsters to participate. Add, on top of this, a vaccine distribution system that is still in the making and the lack of public information on how it will work, one would be surprised if scammers passed on the opportunity.
FDA authorization of the vaccines themselves is only the beginning in a complex distribution system that ends with a jab in the arm. As a Kaiser Family Foundation issue brief on vaccine distribution points out:
While initial planning documents have been released, numerous outstanding questions and challenges remain. These range from questions regarding the respective roles of the federal, state, and local governments, to financing and coverage of a vaccine, addressing racial and ethnic disparities and communication and public trust.
For example, once cleared by the FDA, the federal government and 64 different state, local, and territorial jurisdictional immunization programs will manage delivery of several hundred million vaccine doses, most of which have yet to be manufactured, to administration sites across the country. These jurisdictions, many of which are already financially strained, will implement various prioritization schedules, some still in development, to allocate the initially limited vaccine doses to specific population groups. Health care workers, those with certain underlying health conditions, and people over age 65, are expected to take precedence. Other groups, like healthy adults and children, may have to wait until spring or summer of next year to be vaccinated.
Administration of the vaccine will likely take place in a wide variety of locations, including public and private hospitals and clinics, medical practices, pharmacies, and potentially government-run mass vaccination locations. And, while the intent is that no American will have to pay for the vaccine or its administration, “despite these measures, limitations and gaps related to a COVID-19 vaccine remain, and some individuals, particularly adults, may still face cost and access barriers”.
Thus, as the Kaiser brief points out:
Given that demand will be high and supply low during the initial phase of distribution, vaccine doses will be seen as highly valuable and therefore vulnerable to theft, fraud or corruption.
As with the rest of the pandemic, swindlers have risen to the challenge.
One media outlet in New York has already reported on recorded calls offering people a chance to avoid long lines and receive an early dose of the Pfizer vaccine for $79.99. The Better Business Bureau announced it is investigating vaccine distribution swindles offering consumers an earlier dose of the vaccine as well. Sometimes these calls come from a familiar caller ID name because “most consumers don’t realize that caller ID can be changed by a simple computer program”. (I added that last bit because, until I read it, I was one of those consumers.)
Check Point, a cybersecurity firm, found a number of vaccine “vendors” on dark web marketplaces exploiting the news of vaccine approval. For example, one vendor advertised the authorized Pfizer vaccine for $250 in Bitcoin, shipping from the U.S., the U.K., or Spain. Engaging in a dialogue with some vendors, researchers found another offering an unbranded COVID-19 vaccine for 0.01 Bitcoin (about $300), claiming that 14 doses were required.
This jibes with a recently issued Interpol global alert to law enforcement across its 194 member countries “warning them to prepare for organized crime networks targeting COVID-19 vaccines, both physically and online”. Interpol anticipates both the sale of fake vaccines and theft of the real thing, “with the pandemic having already triggered unprecedented opportunistic and predatory criminal behaviour”.
Check Point also found, as reported by ComputerWeekly.com,
multiple examples of emails incorporating vaccine lures into their subject lines spreading malicious .exe files that installed malware, and others spreading the Agent Tesla keylogger remote access trojan (Rat), in both instances seeking to exfiltrate their victim’s data and credentials, and take over accounts.
In addition, Check Point researchers reported a “sharp rise” in potentially malicious domains related to vaccines in November, with over 1,000 registered last month, “exceeding the number of vaccine-related domain name registrations in the previous three months put together”.
Another cyber security firm, KnowBe4, found phishing examples exploiting recent media reports that the Pfizer vaccine may not be available in the U.S. in large volumes until the spring of next year. Links in emails directed users not to media reports but instead to a credential phishing website.
A KnowBe4 researcher quoted in ComputerWeekly.com explains that such schemes exploit some of the basic questions and concerns we all have about the new vaccines: how soon they will be available, safety issues, how and when can one get vaccinated, and how much it will cost. “Put very simply”, he said, “this is pretty much what we expected”.
According to a report in the Detroit Free Press, consumer watchdogs are reporting that imposters are claiming to be with the Social Security Administration in order to get sensitive information. For example, the scammer will say he is calling to sign the person up to receive their vaccine, requesting Medicare number, address, and financial information.
The Federal Trade Commission, working with the National Association of Attorneys General, put out consumer education tips last week on avoiding vaccine scams:
- You likely will not need to pay anything out of pocket to get the vaccine during this public health emergency.
- You can’t pay to put your name on a list to get the vaccine.
- You can’t pay to get early access to the vaccine.
- No one from a vaccine distribution site or health care payer, like a private insurance company, will call you asking for your Social Security number or your credit card or bank account information to sign you up to get the vaccine.
- Beware of providers offering other products, treatments, or medicines to prevent the virus. Check with your health care provider before paying for or receiving any COVID-19-related treatment.
On that last one, I feel compelled to note that taking advice from a licensed health care provider doesn’t guarantee that it will be science-based, thanks to our state legislatures. Choose your provider wisely.
In addition to using texts, emails, social media platforms, and calls, according to the FTC, some fraudsters are employing an old-fashioned touch and actually going door to door with their pitch. The agency advises anyone contacted by someone making suspicious offers to avoid giving them money or personal information and instead report them to the FTC at ReportFraud.ftc.gov or file a complaint with your state or territory attorney general through consumerresources.org.
The Department of Health and Human Services Office of Inspector General (OIG) put out its own alert recently, reiterating these warnings and adding that the public should be wary of anyone claiming to be a contact tracer who asks for personal or financial information or offering HHS grants related to the COVID-19 pandemic. As well, do not respond to, or open hyperlinks in, messages about COVID-19 from people and companies you don’t know. You can submit complaints of suspected fraud to the OIG here.
While the average SBM reader is likely savvier than most about COVID-19 fraud, it wouldn’t hurt to share these resources with others who might not be as sophisticated about the wiles of scammers. Given the unknowns about the availability, timing, and logistics of getting a vaccine, I am especially worried about swindlers who claim they are scheduling “vaccination appointments”, gaining personal information and possibly pre-payment in the process. And I’m not too confident about the ability of some Americans to separate fact from fiction right now, or to recognize a con when they see one.
