The COVID-19 Vaccine: The Next Wave of Coronavirus Phishing Emails & What You Can Do About It

Eric Howes

With infection rates once again soaring in the United States and other countries around the world, the race to produce a COVID-19 vaccine has generated welcome news for a population overwhelmed with pandemic fatigue. In the past few weeks two vaccine manufacturers, Pfizer and Moderna, have published extremely encouraging results from late stage vaccine trials. Moreover, there are now indications that limited vaccinations in the United States could start as early as December.

Although this news is being widely greeted with relief as well as anticipation, we would do well to recognize that the emergence of effective COVID-19 vaccines will undoubtedly provide malicious actors even more opportunities to socially engineer employees and users desperate for an exit from pandemic existence and a return to normality.

KnowBe4 fully anticipates that bad actors will exploit news surrounding the development and distribution of COVID-19 vaccines in much the same way that they leveraged fear and anxiety surrounding the initial wave of COVID-19 infections back in March and April of this year. Indeed, we expect that organizations could very well start seeing a surge of vaccine-themed phishing emails in the next few weeks -- almost certainly before the year is out.

In the face of the coming wave of vaccine-themed phishing campaigns, KnowBe4 has developed eight new simulated phishing templates for customers using the KMSAT security awareness training platform. In what follows, we will introduce you to these new templates and explain why you need to "inoculate" your users and employees against the all-too-predictable surge of phishing emails.

Employees are Ripe for the Taking

Pandemic fatigue is now approaching outright exhaustion among large parts of the population. With hopeful reports surrounding COVID-19 vaccines getting lots of play in the mainstream media, your users and employees are undoubtedly paying attention. But they have questions and concerns -- large ones, in fact -- about what these vaccines will mean for themselves as well as their family, friends, and colleagues at work.

1. How soon will a vaccine be available?
2. Will it be safe?
3. How can I get it?
4. When can I get it?
5. How much will it cost?
6. Should I get it?

These also happen to be the exact concerns and questions that malicious actors will exploit in phishing emails that will almost surely be landing in your users' inboxes before the end of the year.

Drawing on KnowBe4's years of experience analyzing social engineering tactics typically used by bad actors in malicious emails, we have developed eight new simulated phishing templates that employers can use to educate and train their users so that they're not left flat-footed when the real things eventually arrive in their inboxes.

Let's take a took at these new templates.

The New COVID-19 Vaccine Templates

The eight new COVID-19 vaccine templates are currently live in the KMSAT console and available for use in simulated phishing campaigns. Five of these new templates sit in the COVID-19 template category. They are:

HR: COVID Vaccine Survey
(Link/Spoofs Domain)
Users are invited to take a survey from their employers about the vaccine to help the organization plan for the distribution of the vaccine to employees.

Check Your COVID-19 Vaccine Coverage
User are prompted to click a link to check whether the vaccine will be covered by their health insurance plans.

Find your nearest COVID-19 vaccine location!
Users are offered a link to find locations in their community where they can get vaccinated.

HR: COVID-19 Vaccine Study Enrollment
(Link/Spoofs Domain)
Users are invited to enroll in a COVID-19 vaccine study that offers participants an $1150 stipend.

Reserve Your Vaccine!
Users are invited to click a link in order to reserve in advance their very own vaccine dose.

template_ReserveYourVaccineThe remaining three templates have been added to the Controversial (NSFW) category. Note: we strongly urge customers to consider whether these particular templates are appropriate for their organizations and employees before electing to use them in simulated phishing campaigns.

HR: New Vaccination Requirement
(Link/Spoofs Domain)
A spoofed HR email announcing that all employees will be required to get vaccinated before returning to work in the office. Additional information about this requirement is offered.

The COVID-19 Vaccine: Q to Reveal All
A spoofed news article reporting that QAnon insiders are anticipating that Q, the mysterious "oracle" fueling the QAnon online community, will soon be posting on the hidden "truth about the vaccine."

COVID-19 Vaccines: What Big Pharma Doesn't Want You to Know
Another spoofed news article alleging a conspiracy among vaccine manufacturers to suppress critical details about COVID-19 vaccines.template_BigPharma


As we have stressed so many times since the initial surge of COVID-19 themed phishing emails back in March and April, the Coronavirus is the gift that keeps on giving for malicious actors. And now, heading into the holiday season, these bad actors are poised once again to convert news surrounding the development and distribution of COVID-19 vaccines into a powerful tool for social engineering your users and employees through phishing campaigns that exploit their very real questions and concerns about the vaccine.

Now is the time to get your users up to speed on the wave of phishing emails they can expect to see before the end of the year. Step your users through New-school Security Awareness Training and then test them regularly with the new vaccine-themed simulated phishing templates that are now available in the KMSAT console.

Topics: Phishing

Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews