Cybercriminals are offering to sell fake Canadian COVID-19 vaccination certificates online
Experts warn lure of fake certificates could also expose the unwary to ID theft or ransomware
As provinces and employers across Canada increase restrictions on the unvaccinated or introduce vaccine passports, cybercriminals are attempting to cash in by offering fake vaccination certificates for sale online.
Sellers are offering phoney proof-of-vaccination documents for several provinces that apparently look just like the real thing. Some of them even claim to be able to enter the data from the fake certificates into official government databases.
Prices and promises vary, according to offers viewed by CBC News on platforms like Telegram. One seller is offering fake proof-of-vaccination cards or QR codes for several provinces — including Manitoba and B.C. — for $200, payable in Bitcoin or Ethereum cryptocurrencies. They promise to deliver the fake documents within 48 hours by mail or in "just a few hours" if they're being sent electronically.
Just minutes after CBC News reached out to the seller, they sent a picture of an Ontario proof-of-vaccination form that appears to be identical to those being issued by many Ontario vaccination clinics. Photos posted online by the seller of fake proof-of-vaccination documents for B.C and Manitoba also mirror official documents.
The seller boasted that information on the bogus cards is entered in provincial databases.
Another seller claimed to be based in Montreal. His channel, which was being followed by 320,065 subscribers when it was viewed by CBC News, included offers of fake proof-of-vaccination from several jurisdictions around the world — and featured photos of an Alberta proof-of-vaccination certificate that resembles the real one.
There is no way to know how many fake vaccination documents are in circulation in Canada.
Provincial health authorities call into question sellers' claims that they can ensure the fake vaccination data is inserted into government databases.
Provinces say they're protecting their data
Marielle Tounsi, senior public affairs officer for British Columbia's ministry of health, said the province has taken steps to protect the integrity of its vaccine card by using QR codes in addition to government-issued photo ID.
"There is a review process to confirm the validity of records that are uploaded online," Tounsi said. "This helps to ensure that only valid records are recorded in the provincial system.
"Each record submission is reviewed and validated by qualified reviewers that verify the information. Any records that require additional validation are escalated for further review. Any suspicious activity from this review is referred to Information Security and would be reported to the appropriate authorities."
Manitoba's health department says data must be entered into the provincial PHIMS database by government officials, based on an individual's address and immunization record. Anyone unvaccinated in Manitoba who enters a space where vaccination is required, or attempts to, can face a fine of $1,296.
Ontario Health Ministry spokesperson Bill Campbell said more than 80 per cent of Ontario residents over 12 years old already have received two doses and will have access to a secure certificate.
"In addition to the secure watermarked certificate available for download, QR codes will be available in October," said Campbell.
Campbell didn't address the question of whether someone could enter fake vaccination data in the provincial database. He did point out that providing false or inaccurate information to a business about vaccination status could result in a ticket for $750 or a penalty of up to $100,000 and up to a year in jail.
Cyber security experts say they are seeing a sharp increase in the number of offers of fake vaccine certificates in places like Telegram and the dark web — from people who claim to be able to enter the bogus data into official databases.
Liad Mizrachi, senior researcher with Check Point Software Technologies, looked into some sellers' claims that they have access to the European Centre for Disease Prevention and Control's website of vaccinated people across Europe and can register their customers there.
"The sellers then send false documentation from a fake European Centre for Disease Prevention and Control website, which might convince unwitting border officials or venue staff that a person is genuinely registered as fully vaccinated, which is clearly not the case," Mizrachi told CBC News. "Our CPR team discovered this through a URL embedded in a QR code, which shows a link to the fake database."
Mizrachi said governments around the world should come together on a unified global database to verify legitimate vaccination certificates.
"Not only do unvaccinated people have easy and cheap access to forged documents, but those documents now appear to link to credible-looking websites, making it even easier for fraudsters to slip through the net," he said.
WATCH: Expert warns of a "dramatic uptick" in websites offering fake vaccination documents
Robert Falzon, head of engineering at Check Point Software's Canadian office, said the company first saw offers to sell fake vaccination certificates emerge in the United States but has since seen "a dramatic uptick" in such offers in Canada.
He said Canada's decentralized approach — with each province running its own proof-of-vaccination system — has created an opening for the sellers.
"From a health care perspective, we've seen a sort of patchwork approach to how each of the provinces are going to address it," he said. "And because of that, again, it's created an opening ... for various different groups across Canada to set up and specialize."
Falzon said sellers on the dark web want to maintain their reputations for delivering on the promises they make.
"The dark web marketplaces, they're just like a regular store in a lot of ways. They have reviews and they're also trying to continue to do business for other things," he said. "So you'll find people leaving reviews for drug purchases and weapons purchases and saying this person was a wonderful seller and so forth."
Using fake documents as bait
Derek Manky is the Vancouver-based chief of insights and global threat alliances at Fortinet's FortiGuard Labs, a cybersecurity firm. He said his company is also seeing attempts on the dark web to lure people with offers of fake vaccination documents, targeting different regions in different languages.
"What we're seeing on these marketplaces are a variety of services, including everything from as cheap as $5 for just selling essentially stock paper. So, fake blank vaccine passports in the U.S., as an example," he said.
"We're seeing things in Canada targeted for about $50 for harvested or stolen QR codes with people's real identity on them, saying, 'We'll give you this for cheap for $50, but you have to create your own fake ID when you're going in to verify.'"
WATCH: Expert warns of 'nefarious sites' luring the unwary with fake vaccination documents
Manky said his company has seen fake double-dose vaccine documents being offered in Canada at prices as high as $1,000 by sellers who claim the data will be entered into a national database.
Manky said cybercriminals should never be trusted and the risks involved in trying to buy fake vaccination certificates online are high.
"These are nefarious sites," Manky told CBC News. "They're phishing for information. They're trying to infect you with pieces of malware so they can hold you for ransom, as an example. It can quickly spiral out of control."
Police and health officials have reported very few cases of Canadians being caught with fake vaccination documents.
Jeff Thomson, senior RCMP intelligence analyst at the Canadian Anti-Fraud Centre, said the centre has received just four reports about false vaccination documents since July 1 — one anonymous report about a website selling fake certificates, one about fake certificates being sold on Instagram and Snapchat, one about a website selling vaccine and mask exemption paperwork and one case of a person approached on Facebook by someone with the same name asking if they were willing to sell their vaccination QR code.
If someone paid for a fake vaccination certificate and didn't receive one, they would be unlikely to file a complaint with the anti-fraud centre, Thomson said.
Tammy Jarbeau, senior media relations adviser for Health Canada and the Public Health Agency of Canada (PHAC), said that as of Sept. 14, seven fines have been issued for falsified or fraudulent COVID-19 test results and two fines have been issued for suspected falsified or fraudulent vaccination documents presented at a point of entry to Canada.
"In addition, there are many cases that are still under investigation and are awaiting outcome," Jarbeau wrote. "PHAC may also refer a case to police in the jurisdiction involved, with regard to potential criminal charges."
Jarbeau said fines have been issued in British Columbia and Ontario for falsified documents and referrals have been made to police in Ontario and Alberta.
Elizabeth Thompson can be reached at elizabeth.thompson@cbc.ca