A Deep Dive into COVID Passport Fraud

Throughout the pandemic, fraudsters have exploited every shift in consumer spending, oftentimes capitalizing on misinformation and consumer fear. More recently, fraudsters are increasingly targeting vulnerabilities in COVID passports, tapping into the market of vaccine-hesitant consumers looking to purchase fraudulent vaccine credentials online to bypass vaccine mandates many businesses have implemented. 

During a recent webinar with the Loyalty Security Association (LSA), Brittany Allen, Trust and Safety Architect at Sift, discussed the rise of fake and forged COVID vaccine passports, how it impacts merchants, and ways consumers, businesses, and governments can prepare for possible breaches of COVID passports and their data.

Understanding the deep web

Fraudsters harness the internet in a multitude of ways to commit fraud through the surface web, deep web, and dark web—each offering varying levels of security and anonymity. The surface web comprises any website indexed by traditional search engines, such as Google or Bing. Some basic types of fraud occur on the surface web, such as through Reddit and Facebook, but fraudsters typically turn to the deep or dark web to execute more complex forms of fraud. 

The deep web is a term that was coined in 2001 and includes sites that are not indexed by traditional search engines. These deep web platforms offer fraudsters a means to communicate and carry out fraud with more privacy and anonymity through gated sites. Taking privacy a step further, the dark web offers the highest level of anonymity, accessible only through specific software, such as a Tor browser or specific VPN configuration. 

“The deep web…is a place for fraudsters who aren’t yet sophisticated enough to make it to the dark web and are still able to communicate with a bit more privacy, a bit more anonymity, but they are also able then to sell to a much wider audience of buyers, who also aren’t as comfortable or able to get onto the dark web. And that’s where we’re seeing a real proliferation of fraudulent activity and chatter,” said Allen.

One such deep web platform is the cloud-based private encrypted messaging app Telegram, which has quickly become one of the most downloaded apps (non-game) worldwide. The app has become attractive to fraudsters because of its hands-off approach to moderation and the ability to set up an account with only a phone number, as well as its private channels and disappearing messages. Fraudsters on Telegram have harnessed and capitalized on the pandemic market, launching COVID vaccine scams and selling fake vaccination certificates, among many other schemes.

COVID passport fraud

During the past few months of COVID vaccine acceleration, the market for forged vaccine passports and credentials has been on the rise—giving the vaccine-hesitant a way to bypass growing vaccine mandates and proof of vaccination implemented by businesses and governments. 

The proliferation of misinformation around the safety of vaccines also benefits fraudsters, creating fear, urgency, and doubt (FUD) that can increase their sales. And because vaccine cards are a simple piece of paper with handwriting, the barrier to entry is low, especially for fraudsters experienced at creating fake documents. Thanks to the trend of posting selfies with vaccine cards, cybercriminals can easily pull personal information from them to commit identity theft.

Groups on Telegram dedicated to selling COVID vaccine cards have quickly grown and created fierce competition—some with over 150,000 members selling selfies with COVID vaccination information for as much as $900. Allen has even discovered groups within the messaging app that utilize automation through a bot to provide an added layer of anonymity—users can follow the prompts to purchase COVID vaccination cards in exchange for cryptocurrency payments (universally preferred by fraudsters due to their irreversible nature).

Mitigating exposure

Although the landscape of COVID passport fraud is still developing, there are a few ways merchants can stay informed and prepared. Most importantly, businesses need to be transparent about potential risks with customers. Because requirements will likely continue to evolve, merchants should plan for various scenarios and keep a close eye on changing government recommendations and how other businesses are handling the situation. And to stay proactive, it’s wise to be strategic about verifying risky logins and activity by adding dynamic friction—enabling legitimate COVID passports with a seamless user experience while implementing necessary barriers for suspicious credentials.

“When you make these plans, have some generalized assumptions. It’s like when you’re doing a security vulnerability test—knowing what your vulnerabilities are or what your riskiest points are within that user experience or on your site, and planning for them in general. That could be planning for vaccine passports being mandatory for a certain app, and then rolling back any kind of requirements. Taking those high-level parts of the response like customer service, trust and safety, product, and engineering, and seeing what they might need to do, could help you formulate a plan that doesn’t have the very narrow specifics of the day to day changes we see, but still give you an idea of how quickly could you adapt. Should you need to, you pull one of those levers,” advised Allen.

To learn more about COVID passport fraud and how it could impact your business, watch the full webinar.

WATCH THE WEBINAR