So you finally got a Covid-19 vaccine. Relieved, you take a photograph of your vaccination card, showing your name and birth date and which vaccine you had, and publish it on social media.
But some experts are warning that the information on the celebratory photo might make you vulnerable to identity theft or scams.
“Unfortunately, your card has your full name and birthday on it, as well as information about where you got your vaccine,” the Better Business Bureau said last week. “If your social media privacy settings aren’t set high, you may be giving valuable information away for anyone to use.”
On Friday, the Federal Trade Commission followed suit: “You’re posting a photo of your vaccination card on social media. Please — don’t do that!” it warned bluntly. “You could be inviting identity theft.”
Scammers can sometimes figure out most digits of your Social Security number by knowing your date and place of birth, and can open new accounts in your name, claim your tax refund for themselves, and engage in other identity theft, said Maneesha Mithal, associate director of the Federal Trade Commission’s Division of Privacy and Identity Protection.
“Identity theft is like a puzzle, made up of pieces of personal information,” Ms. Mithal said. “You don’t want to hand over to identity thieves the pieces they need to complete the picture. One of those pieces is your date of birth.”
But even as experts warn to hold off on sharing your card, if you’ve noted your birthday anywhere else online — which most people probably have — it’s likely that the information you’re giving up has already been made available through other means.
Avivah Litan, a senior analyst at the research firm Gartner, said many Americans were vulnerable because of multiple data breaches.
“Basically the criminals already have pretty much everybody’s last name, first name and date of birth,” Ms. Litan said. “There have been so many hacks over the past 10 years. If all they are looking for is my name and birthday, they have it.”
How a scammer works
Scammers and identity thieves often collect information gradually, scrubbing social media posts to curate a file on a person’s life, including education, employment and vacation spots. Publishing a birth date hands over one of your most important personal tidbits.
While a name and date of birth is not all an identity thief would need in most cases to steal your identity, putting those details in plain sight makes it easier.
“Scammers are looking for whatever personal identification information they can get from you — any type of information to build a profile,” said Curtis W. Dukes, an executive vice president of the Center for Internet Security.
A scammer could exploit the anxiety over vaccine shortages or a slow distribution process by masquerading as a government official claiming to need a credit-card number to reserve another dose or booster, Mr. Dukes said.
In such a “highly charged” atmosphere of shortages, people “may fall for that and may give up their credit cards or maybe other bits of information,” he said.
Ms. Litan said: “At a minimum it will give the bad actors a jump start in knowing who got vaccinated. So they can use it for scam purposes to socially engineer me to pay them for a booster shot that I will never get, or use it for valid commercial purposes that bypass normal U.S. regulatory structures”.
A new milestone to celebrate
Exuberant teenagers publish images of their drivers licenses or learning permits. Vacationers post photographs of their travels.
The vaccination cards are now another way “we share these milestones in our lives,” said Nita A. Farahany, a professor of law and philosophy at Duke University School of Law.
But she said one concern was that the cards could be forged or replicated if vaccinated status starts to function as a commodity that gives people access to jobs, restaurants or events.
Someone who is not yet vaccinated or does not want to be could be “tempted to forge a copy from these photographs,” she said. “Or why wouldn’t an entrepreneurial scammer use the photographs to create counterfeits to sell to those who want them?”
The Better Business Bureau, in its warning, cited newspaper reports in Britain that said that fake vaccination cards were purchased on eBay for about $6.
Asked about the reports, eBay said in an emailed statement that it had blocked and removed items that make false health claims.
Building blocks for an identity
A vaccination card that has been made public could also be the springboard for elaborate social engineering or phishing ideas. Such schemes have been common during the pandemic.
Stacey Wood, a professor of psychology at Scripps College who has counseled older adults who are scam victims, cited the so-called grandparent scam, in which a person posing as a law enforcement official contacted an older adult and offered details about their grandchild, pretending to know them and saying they were in trouble and needed financial help.
“The typical consumer would not think scammers must have curated information about my life and used it to target me,” she said. “In my practice, there is so much out there right now, and this is just going to be a new thing.”
Cassie Christensen, an adviser at SecZetta, which works with organizations to manage identity risk, said people who had posted their vaccination card could open themselves up to a scammer posing as an official demanding to check their identity to inform them of medical concerns about, for example, supposed new side effects.
The scam could involve requests for more information that would help them gain access to someone’s accounts, such as a mother’s maiden name or an address.
“They also can go to LinkedIn and find out where you work,” she said. “They can call those organizations and do a legitimate password reset.”
The pandemic and its fears, she said, has created the perfect environment for that.
“This is all highly emotional stuff,” she said. “This is what hackers and phishers look for.”
To brag, use a sticker instead
“Some are posting it to say, ‘Look, I got it,” said Dr. Farahany of Duke.
But what if there were another way to say that? The Centers for Disease Control and Prevention thinks there is. As part of its campaign to raise confidence in the vaccines, it has designed templates for stickers, and many states, including Wisconsin, Georgia, Texas, Louisiana, New York and Maryland, are handing out versions of them.
Public health officials are banking on the stickers’ widespread use to have an impact on people who might be frightened of, indifferent to or simply against vaccines. The stickers could contribute to what are known as “social cascades” of behavior, similar to the way “I Voted” stickers encourage voting, experts say.
“It helps to galvanize similar behavior among other people who might be observing that,” said Dr. Tara Kirk Sell, a senior scholar at the Johns Hopkins Center for Health Security. “It is really about trying to say to others, ‘This is totally normal and it is what people do.’”
The same behavior occurs when masks are used widely, making more people feel less out of place when they wear one. “We call that ‘social proof,” Dr. Wood said. “Like ‘I did my patriotic duty, I did my civic duty.’”
Stickers also do not reveal personal data, another reason officials are encouraging their use.
In Georgia this week, the attorney general, Chris Carr, urged people to display vaccination stickers, saying he “cannot discourage them enough against the posting of their vaccination cards on social media” because of the dangers of identity theft.
Plus, “the stickers are really cool,” the F.T.C. said on Friday.
