Scammers use data COVID-19 vaccine cards posted online to mine sensitive information
As the number of Americans receiving COVID-19 vaccinations continues to climb, so is the number of people posting “vaccine selfies” on social media. However, by displaying their vaccination cards online, vaccine recipients are opening themselves up to a different kind of threat: identity theft.
The Federal Trade Commission and FBI released statements advising people to keep vaccine cards – which contain names, birthdays and vaccine providers – off the internet because of the increasing threat of vaccine scams. Executive Director of The Cyber Security Research and Education Institute Bhavani Thuraisingham said that though this information seems simple, it is enough for hackers to access a vaccine recipient’s address, credit card number and social security number and scammers to retail fake vaccine cards made from real information.
Thuraisingham said that a hacker knows which database they need to hack into to obtain a person’s sensitive information by knowing where a person got vaccinated. A hacker may only need to input a vaccine recipient’s name and birthday into their vaccine provider’s database to complete the “identity puzzle.” Even if a hacker can’t obtain a social security number, Thuraisingham said they would still have enough sensitive information by that point to find a social security number through other means.
“These aren’t typical people trying to scam you,” Thuraisingham said. “These are smart, cunning individuals. All they need is a couple of stepping stones to go into the web and get a complete profile of you.”
Scammers can also use people’s vaccine cards to profit off their vaccination status. Thuraisingham said that scammers can create fake vaccination cards from information posted online to sell to third-party individuals or other scammers without needing to hack into any databases. Scammers may also choose to sell personal information they discover on vaccine recipients online.
“The thing is, [scammers] likely wouldn’t have even been able to do that if you hadn’t posted your card online,” Thuraisingham said. “They could do a random Google search and find information to use that way, but this is something like gold that you’re just handing to them, making yourself the target.”
Thuraisingham said a more unsuspecting scam that doesn’t require people to post their cards is scammers offering fake or blank vaccine cards. These offers can come in the form of advertisements, social media posts or phone calls and can target anyone. Thuraisingham said the danger in purchasing these fake or blank cards is that scammers will have direct access to the purchaser’s credit card information, from where the scammer can steal money and make expensive purchases.
Of the UTD population, Thuraisingham said younger people – especially students – excited about vaccination and unvaccinated international students worried that they need vaccine passports to attend UTD in person are most susceptible to vaccine scams.
“I know we’ve been in this pandemic for a long time, but that excitement for doing your part and getting vaccinated doesn’t need to translate into showing the world your vaccine card,” Thuraisingham said. “Everyone, especially [these] groups, should be taking preventative measures to protect their information.”
Thuraisingham said the best – and most simple – way the UTD community can protect itself is to avoid posting “vaccine selfies.” If a student has already posted their vaccine card online, Thuraisingham said, immediately taking down the post can minimize exposure to scammers. Additionally, Thuraisingham said avoiding purchase or response to inquiries from vaccine-card-selling entities is essential. If a student loses their vaccine card, there’s no need to buy a blank one to fill out; instead, the Washington Post says that vaccine recipients can contact their vaccine provider to coordinate a new card. There’s also no need for international students to purchase vaccine cards; regardless of vaccination status, they can still attend UTD in person because of Executive Order GA-35, which prohibits publicly funded institutions from requiring vaccine passports.
“Practice cyber hygiene,” Thuraisingham said. “Don’t give out information to strangers about your COVID-19 vaccine or vaccine history. You wouldn’t post your driver’s license online, so don’t post your vaccine passport.”
For those who are already experiencing identity fraud, Thuraisingham said to get professional help and avoid trying to handle the situation yourself to avoid further damage. Companies that specialize in identity protection, such as LifeLock, charge a fee but are most equipped to assist.
“COVID-19 vaccines have become such a hot topic,” Thuraisingham said. “It’s something you absolutely need. These scammers know that and are on edge for that golden opportunity. They are going to be on the lookout for what we are posting. We are going to see more and more fake vaccine cards being sold, and more and more real cards being stolen and identities being stolen as well. Keep yourself safe, and don’t post what you don’t need to.”