They're Here! COVID-19 Vaccine Phishes Finally Arrive

Anticipating that media attention surrounding the development and distribution of COVID-19 vaccines would undoubtedly spur malicious actors to launch new vaccine-themed phishing campaigns, we recently announced the release of eight new simulated phishing templates for the KMSAT security awareness training platform. Now, just two weeks after that announcement (and on the very day that the UK launched its own mass vaccination program), the first real vaccine-themed phishing emails have arrived. Let's take a look.

The first one reported to us by customers using the Phish Alert Button (PAB) uses the very kind of social engineering scheme that we anticipated:


This email appears to be trying to exploit a very recent report in The Washington Post that Pfizer may not be able to supply additional doses of its vaccine to the United States in large volumes until sometime in Q2. Predictably enough, the link in the email body takes unwitting clickers to a credentials phish:


To be sure, the language used in the body of that malicious email is a bit stilted -- definitely not the effortlessly clear prose one would expect in a professionally written email of this type. But it will do.

As it turns out, this particular phish compares quite well with one of the eight simulated phishing templates we introduced two weeks ago:


The social engineering scheme in both emails exploits some of the basic questions and concerns that users and employees will have about the several vaccines currently on the cusp of widespread distribution:

1. How soon will a vaccine be available?
2. Will it be safe?
3. How can I get it?
4. When can I get it?
5. How much will it cost?
6. Should I get it?

Put very simply, this is pretty much what we expected.


Malicious actors had a field day back in March and April as the Coronavirus washed over countries around the world. It was and still is the perfect tool for social engineering scared, confused, and even downright paranoid end users into opening the door to your organization's network.

Nine months later, as an entirely predictable round of vaccine-themed phishing emails begins to land in your employees' inboxes, it is high time to get your users up to speed by stepping them through New-school Security Awareness Training and testing them with the vaccine-themed simulated phishing templates already available in KMSAT.


Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry
