Experts warn against posting COVID-19 vaccination card online

Read time 3min 30sec
Duane Nicol, team lead for emerging products at Mimecast.
Duane Nicol, team lead for emerging products at Mimecast.

Posting a photo of a vaccination record card on social media could expose the user to a broad range of cyber risks such as social engineering attacks, warn security experts.

As the COVID-19 vaccine programme accelerates across the country, many South Africans have been seen sharing their vaccine cards across social media platforms as a way to show that they are doing their part to help reach herd immunity.

However, security experts are warning this could create a haven for scammers and identity thieves who will stop at nothing to take advantage of unsuspecting social media users.

By posting images of this document on social media, people are sharing sensitive data that may fall into the wrong hands, as the vaccination card not only contains a name and date of birth, but also shows when and where a person was vaccinated, a return date and, in some instances, an ID number, warn experts.

Cyber security expert Duane Nicol, team lead for emerging products at Mimecast, explains that while social engineering attacks can take several weeks or even months to carry out – as criminals need time to get to know their victims – the more information shared online, the easier it becomes for the criminal.

"People are rightly excited about getting their COVID-19 vaccinations, and many happily post their vaccine record cards to their social media profiles to share the good news with friends and family. However, friends and family may not be the only ones watching. Cyber criminals could use the information – such as names and ID numbers – to develop believable social engineering attacks," he explains.

Detailing the criminals’ modus operandi,Nicol points out that once cyber criminals have the details they need, they can get a victim’s work e-mail address and ask them to confirm their second vaccination date.

The e-mail appears to be coming from a trusted source, such as a medical aid company or the National Department of Health.

“The link in the e-mail seems legitimate, the branding is on point and the information about the vaccination record is all accurate, so the victim goes through the steps to set up an account and may use the same password used to log into their company network,” explains Nicol.

While most organisations will have layers of protection, such as security questions, criminals are always one step ahead, he warns.

“Once they gain access, cyber criminals can do untold damage to the company’s network, access confidential files, impersonate key stakeholders within the organisation, commit fraud on a massive scale and even infect the network with malware that could take services offline and lead to catastrophic financial losses and severe damage to the bank's reputation," he continues.

Security firm Kaspersky warns users about the same trend on its Twitter page: ”Please don't share your vaccine card on social media – it has plenty of personal information on it that can be used by attackers,” says the status update.

According to the US Federal Trade Commission, consumers have reported losing more than $500 million to COVID-19 related fraud since the beginning of 2020.

According to Kaspersky, since the onset of COVID-19, there have been countless fake and highly targeted coronavirus-related phishing e-mails, where the attackers disguise themselves as official organisations, including the Centres for Disease Control and Prevention and the World Health Organisation.

“The UK’s National Cyber Security Centre, for instance, has highlighted a spate of phishing attacks coming from scammers attempting to disguise themselves as legitimate organisations. They claim that bogus e-mails may contain links claiming to have important updates which, once clicked, direct users to websites which can attempt to infect devices with viruses, malware and spyware,” says Kaspersky.

See also