CISO Update #30
Fake Vax Cards and the Cybersecurity Ecosystem

This month we’re going to look at a growing phenomenon that pulls together a couple of themes that we’ve touched on in these updates and in other aspects of our Cybersafe campaigns: online misinformation, attackers taking advantage of crises in the news, and oversharing online.

Recently an industry has emerged of people selling fake vaccination cards online. It’s covered in this article on Threatpost. Before we even begin to discuss the cybersecurity aspects of this, we should emphasize that buying or selling these documents is a federal crime.

These fake cards bring together several aspects of the cybercrime universe.

  • Crises in the news: The pandemic is a crisis that has raised everyone’s emotions and perhaps influenced their judgment. Several times in this update series we have covered how cyber criminals take advantage of troubling events in the news such as natural disasters to motivate victims to do something they might not ordinarily do.  The recent regulations requiring proof of vaccine for restaurants, shows, and even continued employment put even more pressure on people to have proof, even if they are vaccine-hesitant. A number of scams have resulted from this: see this article in the Associated Press.

  • Oversharing online: We’ve all seen friends posting photos of their vaccine cards, including dates, places, and vaccine lot numbers. Those photos give forgers all the information they need to create fake cards. Some of the information also comes from phishing attacks, where victims have been persuaded to share their vaccine (and other) information through emails that claim to be from government agencies.  

  • Misinformation: Threatpost points out that it’s common for attackers to post fake information describing false side effects from vaccines, or even claiming they know someone who was harmed by a vaccine, just before they advertise their fake cards. These posts pave the way for the ads for illegal cards.

Soon enough people have been coaxed into buying these fake cards because they want to go to restaurants and concerts but don’t want to get vaccinated. And, of course, in the process of buying these cards, they’ve shared their payment information with people who are criminals by nature. NBC News has investigated this aspect of the scam, which includes more than 10,000 sellers on one digital platform alone. 

What can you do? 

  1. Be careful about what you share online. Default to the negative: Don’t ask yourself what harm could come from sharing, instead ask yourself what good could come from sharing. If you don’t have a clear answer, don’t share.

  2. Follow our 4 Don’ts of phishing awareness. Don’t reveal personal information in email unless you’re very sure about the sender.

  3. Don’t do business or share information online with people who are, by definition, criminals.

These updates highlight different aspects of protecting yourself online, and each is important individually. But, what this particular update is meant to underscore is that all these pieces fit together and that attackers will use many means to achieve their desired goal—stealing your money, your identity, and your information.

About Cybersafe
The Division of Information Technology is dedicated to informing the community of the latest cybersecurity threats. Visit and stay tuned for emails from for the latest from the Cybersafe campaign at FIT. Read past issues here.