Anticipating that media attention surrounding the development and distribution of COVID-19 vaccines would undoubtedly spur malicious actors to launch new vaccine-themed phishing campaigns, we recently announced the release of eight new simulated phishing templates for the KMSAT security awareness training platform. Now, just two weeks after that announcement (and on the very day that the UK launched its own mass vaccination program), the first real vaccine-themed phishing emails have arrived. Let’s take a look.

The first one reported to us by customers using the Phish Alert Button (PAB) uses the very kind of social engineering scheme that we anticipated:


This email appears to be trying to exploit a very recent report in The Washington Post that Pfizer may not be able to supply additional doses of its vaccine to the United States in large volumes until sometime in Q2. Predictably enough, the link in the email body takes unwitting clickers to a credentials phish:


To be sure, the language used in the body of that malicious email is a bit stilted — definitely not the effortlessly clear prose one would expect in a professionally written email of this type. But it will do.

As it turns out, this particular phish compares quite well with one of the eight simulated phishing templates we introduced two weeks ago:


The social engineering scheme in both emails exploits some of the basic questions and concerns that users and employees will have about the several vaccines currently on the cusp of widespread distribution:

1. How soon will a vaccine be available?
2. Will it be safe?
3. How can I get it?
4. When can I get it?
5. How much will it cost?
6. Should I get it?

Put very simply, this is pretty much what we expected.


Malicious actors had a field day back in March and April as the Coronavirus washed over countries around the world. It was and still is the perfect tool for social engineering scared, confused, and even downright paranoid end users into opening the door to your organization’s network.

Nine months later, as an entirely predictable round of vaccine-themed phishing emails begins to land in your employees’ inboxes, it is high time to get your users up to speed by stepping them through New-school Security Awareness Training and testing them with the vaccine-themed simulated phishing templates already available in KMSAT.