As vaccination campaigns worldwide hit speed bumps and diplomacy hurdles, cybercriminals are jumping on the chance to phish for personal data.

Scammers impersonating personnel from Singapore’s Ministry of Manpower have been targeting specific groups of people with phishing emails and calls promising enhanced eligibility for COVID-19 vaccinations.

To appear legitimate, the scammers use domains with names resembling that of the ministry, such as @ministryofmanpower. The phishing emails prey on people who are anxious to be vaccinated earlier, convincing them to enter personal data into a fake e-form.

One email contained the following message: “As the vaccination exercise will be progressively rolled out for all working class over the next few weeks, we seek your assistance to take your time to fill your contact details in the attached contact form.”

Elsewhere, similar phishing emails and phone calls have already been in circulation, purporting to originate from employers, healthcare institutions and even government agencies.

Staying alert to vaccination scams

Regardless of the method of approach, the public should be wary of any mechanism that requires them to visit a website to enter personal data, One-Time Passwords or second-factor authorization codes, or to otherwise reveal or submit sensitive data.

According to Ronald Lee, Managing Director, KnowBe4 Asia, newsworthy events are prime fodder for cybercriminals who are quick to hijack the incidents with phishing scams and attacks to try and obtain personal details or steal money.

“With the COVID-19 vaccine rollout underway and garnering much attention, it was only a matter of time until the bad guys tried to take advantage of this by crafting new attacks. (Everyone) should be particularly suspicious of any vaccine-themed emails or text messages, especially those containing attachments or instructing them to click on a link, as these messages could very well be part of a social engineering attack,” Lee said.

When in doubt, people should contact their doctor or healthcare provider through tried-and-trusted channels, instead of supplying sensitive information to unknown websites, text messages, or phone callers, said the cybersecurity expert.