Phishing Alert: NHS Covid-19 vaccine invitation phishing scam


As highlighted in our last article, phishing scams exploiting the current Covid-19 vaccine situation have increased substantially. Today, we’re going to look at one of these scams that has already claimed many victims, despite being around for barely a week.

On the 25th January, many Twitter users reported seeing a phishing email, claiming to be from the UK’s NHS, hitting their inbox. The suspicious email reads:

NHS COVID-19 vaccination phishing email 

Despite the email’s poor grammar and seeming lack of authenticity, many of its recipients were unfortunately in the age category of those eligible to receive the vaccine. These readers therefore automatically assumed that the email was genuine, even though both links go to the same fake NHS website.

Fake NHS landing page

The link in the email leads to a very convincing (but fake) NHS page, stating that the recipient of the email has been selected to receive the vaccine based on “family genetics and medical history”, and that only the person who has “received an email/SMS regarding this invitation” can use this service.

Whether the victim presses the accept or reject button, they are taken to the same phishing page, where they are asked to input sensitive information such as their name, address, mobile number, mother’s maiden name, credit card information, and banking information.

Fake NHS phishing page harvesting data from the victim

After this sensitive information is harvested from the victim, the phishing page states that “the application is confirmed and that the NHS will contact the person to schedule the appointment.” They are redirected shortly after to the real NHS website so as not to raise the victim’s suspicions.

In response to this scam circulating on Twitter, the NHS tweeted:

Although the primary UK government websites use the format www.gov.uk, it is crucial to remember that the NHS does NOT follow this pattern: the real NHS website will always be www.nhs.uk. Any other supposed NHS email address is fraudulent.
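The domain rule above can be checked automatically. The following Python sketch is an added example, not part of the original article: it pulls every link out of an HTML email, tests whether the real hostname is nhs.uk or a subdomain of it, and flags emails whose links all share one destination. The sample email and its `.example` domain are constructed, and the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "nhs.uk"  # from the article: the real NHS site is www.nhs.uk
# Constructed sample email; the .example domain is a placeholder, not a real IoC.
SAMPLE_EMAIL = """
<p>You have been selected to receive the vaccine.</p>
<a href="https://www.nhs.uk.vaccine-invite.example/apply">Accept invitation</a>
<a href="https://www.nhs.uk.vaccine-invite.example/apply">Decline invitation</a>
"""

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def is_nhs_host(url):
    """True only if the URL's real hostname is nhs.uk or a subdomain of it."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()  # userinfo is dropped
    except ValueError:  # malformed URL: treat as untrusted
        return False
    if parts.scheme not in ("http", "https"):
        return False
    # Compare on a label boundary so fakenhs.uk and nhs.uk.<other> both fail.
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)

def review_email(html):
    """Return a list of findings for one HTML email body."""
    collector = LinkCollector()
    collector.feed(html)
    findings = [f"non-NHS link behind {text!r}: {href}"
                for text, href in collector.links if not is_nhs_host(href)]
    if len(collector.links) > 1 and len({h for _, h in collector.links}) == 1:
        findings.append("all links share one destination")
    return findings

if __name__ == "__main__":
    print("\n".join(review_email(SAMPLE_EMAIL)))
```

Matching on the parsed hostname rather than searching the URL string for "nhs.uk" is what catches lookalikes that merely contain the trusted name.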

If you are unsure if an email you have received from the NHS regarding the Covid-19 vaccine is genuine, a new website has been created to tell people how they will be contacted regarding receiving the vaccine, and how to spot a scam.

Could everyone in your organisation spot the warning signs of a phishing email such as this? Find out in our Free Click-Prone® Test today.