Site navigation

Fake Vaccine and Test Certificates Pose Threat to ‘Covid Passport’ Plans

Ross Kelly


Covid Passport
With new EU travel legislation pending, concerns have been raised over the sale of fake vaccine and test certificates on the dark web.

Covid passport schemes could “unravel” unless measures are taken to combat fake vaccine and counterfeit test certificates, experts have warned.

Cybersecurity experts at Check Point Research issued the warning today amid rising concerns over the volume of fake Covid credentials being sold on the dark web.

Between March and May, Check Point research revealed a 500% increase in the number of forged certificate vendors. This increase, researchers suggested, highlights a growing demand to evade inspections and circumvent rules.

New EU legislation coming into effect in July will provide free certificates in the form of a QR code on a smartphone, or as a paper document.

These new certificates will show that a person is either vaccinated, has immunity to the virus, or has recently received a negative PCR test result.

Similarly, UK travellers who have had both vaccine doses will be able to use the NHS App as a vaccine passport and are expected to be covered under the EU scheme as a third country.

Other nations, including France and Germany, are also exploring the launch of their own Covid passport schemes. However, Check Point researchers warned that without a unified global approach to verify certificates, “fragmented rules and ambiguity” will play into the hands of hackers and fraudsters.

“We urge governments to come together and act quickly to combat the increased sales of fake certificates on Telegram and the Darknet. Without a central system, it becomes much easier for hackers and fraudsters to fall through the cracks,” said Oded Vanunu, Head of Products Vulnerability Research at Check Point Software.

According to Check Point, many customers could be people who have tested positive, refused to take a test or are unwilling to have the vaccine.

It could also be down to the exploitation of innocent users looking for information and guidance, some of whom are lured to fraudulent or suspicious domains in the belief that they are legitimate.

Travellers need to be wary of misspelled websites and only install verified apps from official sources, Vanunu explained.

Similarly, travellers should also be wary of QR codes as these can serve as a “gateway” to information stored on a device.

In some instances, hackers can replace legitimate QR codes with one that launches a malicious URL or tries to download customized malware when scanned.

This malicious code can then steal the login credentials used for other apps on the user’s phone – such as banking and retail apps – and even make payments.


“Individuals must also remember that a QR code is nothing more than a quick and convenient way to access a website link; a link that in many cases they don’t even see. It’s not possible, therefore, to be certain that the resource is legitimate, and an attack could have already started,” Vanunu said.

EU officials insist that proposed Covid passport schemes will be safe and secure. However, Vanunu emphasised that hackers will “always evolve to exploit new opportunities.”

“We strongly advise everyone to use a mobile security solution that will protect their devices and data against phishing, malicious apps and malware,” he said.

Earlier this year, the cybersecurity firm revealed that ads for fake vaccination certificates and negative test results were increasing on the dark web.

A study in January by Check Point also found that some dark web vendors were selling vaccines for as little as $500.

Ross Kelly

Staff Writer

Latest News

%d bloggers like this: