
Fraudsters notoriously use global events for their own ends. COVID-19 vaccine fraud is no different. It’s the latest angle that fraudsters are using to steal unsuspecting victims’ money and sensitive personal information via social engineering attacks.

With COVID-19 vaccinations underway in many U.S. communities, fraudsters are tapping into people’s anxieties and fears by impersonating healthcare officials and other authorities to steal money with promises of helping people get vaccinated. Here’s how they do it:

Exploit Strong Vaccine Demand 

At the end of the day, vaccines are products that face strong market demand, similar to the rush on PlayStation or Xbox consoles witnessed during last year’s holiday shopping season. But the vaccine has a more serious purpose than a video game console (sorry, gamers!). It’s something that many people have been waiting anxiously to get their hands on, seeing vaccines as the way to “get back to normal” after a year of pandemic fatigue. Case in point: border officials report a rise in passengers traveling to the U.K. with forged doctor’s notes.

COVID-19 vaccines – whether they’re made by Moderna, Pfizer, or another major manufacturer – are one of the most sought-after products in the world right now. Many people wonder if they need the vaccine to do their jobs, visit a loved one, travel via airplane, eat at a restaurant, attend a concert, and more. These anxieties and fears over vaccinations are ripe for fraudsters to exploit.

Prey on Victims’ Unfamiliarity

“We’re in this together” has been a recurring mantra since the COVID-19 pandemic began last year and we all went into lockdown and started wearing masks everywhere. Perhaps a more accurate mantra would sound something like this: “We’re all learning as we go.”

The truth is very few people have ever been through what the world is going through right now. This means there’s no universal playbook for governments to distribute vaccines to large populations, which leaves many people vulnerable to misinformation campaigns. Fraudsters are counting on this confusion and chaos to rope victims into their schemes. 

Social Engineering Scams

This confusion over how to get the vaccine, mixed with everyday people’s concerns over what types of functions and activities they can do without one – raising questions like “Can I travel for my job?”, “Can I visit my parents?”, or “Can I attend that concert?” – creates a potent combination for fraudsters to push social engineering fraud. Fraudsters also add to people’s anxieties by spreading misinformation via social media channels.

Fraudsters launch social engineering attacks by impersonating people in authority or influence whom the victim is likely to trust, such as bank employees, law enforcement agents, co-workers, or a boss.

Healthcare workers and medical professionals are favorites for impersonation during the pandemic. Fraudsters will claim to be a public health official with the CDC or the Department of Health and Human Services. Then they will contact victims claiming vaccine supplies are low or that new COVID cases are rising in their local area. Next, they’ll offer to help them “jump the queue” by providing the victim early access. But first, the victim must provide personal data such as their bank account, social security number, credit card details, or date of birth. Victims – overcome by their vaccine-related anxieties – don’t realize they just divulged highly sensitive information to scammers.

How Does Vaccine Fraud Work?

As with many other types of fraudulent activity – like romance scams or unemployment fraud – scammers exploit people’s desperation and fears to commit vaccine fraud. What’s most alarming is that fraudsters can use data to focus their attention on the highest-value targets.

Fraud is a high-volume, low-return business and fraudsters are frustratingly patient in this sense. Fraudsters will push vaccine scams using tried and true tactics like phishing emails, text messages, or fake vaccine surveys. They can also tailor their messaging to the victims’ location, citing local coronavirus cases and hospitals to bolster their credibility.

At this point, the fraud scheme starts to resemble a marketing or sales funnel. Recipients ignore the vast majority of outreach efforts, but the fraction of people who open unsolicited emails, respond to a voicemail, or click on a link in a text message can give fraudsters a return on their investment. After casting a wide net with their initial messaging effort, fraudsters narrow their focus by following up with targets who engaged with the scam. This includes targets who answered a phone call or clicked on a link in a text message. 

Fraudsters can also assess important demographic information about respondents, helping them further focus their targeting efforts for maximum payoff. If only a handful of victims share their bank information or pay the fraudsters for vaccines they will never deliver, their efforts will be rewarded.

5 Tips for Banks

Banks have an obligation to protect their customers from this type of deception, especially when fraudsters eagerly exploit and spread vaccine-related misinformation. Here’s how banks can protect both their customers and their own reputations.

1. Track Device Hygiene and Behavior

Individuals are limited by a narrow view of the information available to them. Banks, on the other hand, can take a bird’s eye view of users’ activities including how mobile devices are used. A single mobile device that engages with multiple bank customers and multiple banks in a short window of time can be flagged as suspicious. 

At the same time, watch customers’ online patterns. Today’s digitally connected bank customers are used to multi-tasking. A customer who uses a bank’s website or mobile app in a way that doesn’t fit their normal online patterns (such as navigating through tabs they normally don’t use) could be under the influence of a fraudster. Monitoring how customers’ online or mobile app patterns differ from their normal habits can help banks determine if a fraudster is guiding a victim on how to initiate a transfer in real time.

2. Deny Fraudsters a Safe Haven

Fraudsters also need bank accounts where they can receive their ill-gotten funds. Banks can monitor the acquiring side of their operations to make sure individual and merchant accounts behave as expected. A small business or merchant account for a bakery that receives an unusual number of payments at the exact same amount in a short timeframe should raise a red flag. This “merchant” is most likely a scammer receiving fraudulent payments to move elsewhere.
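The two monitoring rules from tips 1 and 2 (one device touching many customers, one account receiving repeated identical payments) can share a single sliding-window counter. The sketch below is an added example, not Feedzai’s code; the thresholds, field names, and sample records are assumptions constructed for illustration, and it covers only what a single bank sees in its own data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def window_bursts(events, window, threshold):
    """events: iterable of (timestamp, key, member).
    Returns {key: peak count of distinct members seen for that key inside
    any sliding `window`}, only for keys whose peak reaches `threshold`."""
    recent = defaultdict(deque)            # key -> deque of (timestamp, member)
    peaks = {}
    for ts, key, member in sorted(events, key=lambda e: e[0]):
        q = recent[key]
        q.append((ts, member))
        while ts - q[0][0] > window:       # expire events older than the window
            q.popleft()
        distinct = len({m for _, m in q})
        if distinct >= threshold:
            peaks[key] = max(peaks.get(key, 0), distinct)
    return peaks

def shared_devices(logins, window=timedelta(minutes=30), threshold=4):
    """Tip 1. logins: (timestamp, device_id, customer_id). Assumed rule:
    one device reaching 4+ distinct customers within 30 minutes."""
    return window_bursts(logins, window, threshold)

def same_amount_accounts(payments, window=timedelta(hours=1), threshold=5):
    """Tip 2. payments: (timestamp, payment_id, account_id, amount_cents).
    Assumed rule: 5+ inbound payments of one identical amount within 1 hour.
    Amounts are integer cents so equality is exact."""
    keyed = [(ts, (acct, cents), pid) for ts, pid, acct, cents in payments]
    return window_bursts(keyed, window, threshold)

# Constructed sample records (not real data).
T0 = datetime(2021, 3, 1, 9, 0)
def at(minutes):
    return T0 + timedelta(minutes=minutes)

LOGINS = [(at(0), "dev-A", "cust-1"), (at(6), "dev-A", "cust-2"),
          (at(13), "dev-A", "cust-3"), (at(21), "dev-A", "cust-4"),
          (at(2), "dev-B", "cust-5"), (at(15), "dev-B", "cust-6"),    # shared tablet
          (at(0), "dev-C", "cust-7"), (at(120), "dev-C", "cust-8"),   # spread over hours
          (at(240), "dev-C", "cust-9"), (at(360), "dev-C", "cust-1")]
PAYMENTS = ([(at(5 * i), f"p{i}", "bakery-02", 14900) for i in range(6)] +
            [(at(10 * i), f"q{i}", "bakery-01", cents)
             for i, cents in enumerate([450, 1275, 450, 899, 320, 450])])

if __name__ == "__main__":
    print(shared_devices(LOGINS))          # device -> peak distinct customers
    print(same_amount_accounts(PAYMENTS))  # (account, cents) -> peak payment count
```

In the sample data, the household tablet and the bakery with varied ticket sizes stay below the thresholds, which is the baseline a real deployment would tune against.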

3. Follow the Money

There’s a strong likelihood that your financial institution (FI) isn’t the only one involved in a vaccine scam. Fraudsters will transfer money into an account and then transfer it to another. When dealing with fraudsters, remember, there’s strength in numbers. Banks can share intelligence and enhance industry knowledge to make it easier to detect and stop threats when they emerge. These steps can help not just your FI, but other FIs as well.

4. Think Outside the Bank

Vaccine fraud involves more industries than financial services. That’s why it pays to work with partners that can provide new insights into how fraud works. In the U.S., the FBI and Virginia’s Department of Health recently partnered to raise awareness of vaccine fraud schemes. Develop a more thorough understanding of the issue by consulting with a variety of institutions. This can include healthcare providers, physicians’ groups, nurses, law enforcement, and more. Collecting insights from these parties can help you build a fuller profile of how fraudsters behave. This makes it easier to spot their activities hidden among financial data. 

5. Communicate with Customers

There’s already too much misinformation available about the vaccine rollout. Banks should remind their customers that they will not have to share their bank account information to get a vaccine. Encourage customers not to reveal any information to anyone claiming to be their bank or a healthcare provider. Remind customers that if they’re not sure, they should stop interacting with whoever is asking for information, step back, and validate the request with their bank or other organizations.

If there’s a silver lining in the latest vaccine fraud trends, it’s this: vaccine fraud is a bubble that won’t last forever. Once a sizable share of the population receives the vaccine, this type of fraud will eventually fade away. The downside is that fraudsters will push this type of fraud more aggressively before its shelf life runs out. Banks need to inoculate their customers and protect their reputations from these scams.
