The dynamic nature of an international pandemic such as COVID-19 carries inherent security risks for governments, businesses and individuals. These security risks are not only related to direct health and economic impacts, but also include the impacts that can arise from increased vulnerabilities to crimes such as fraud during such times.
Early in the COVID-19 pandemic, there were significant concerns from governments and health authorities regarding the security and integrity of COVID-19 vaccinations, even before such vaccines had been approved for use. Chief among these concerns was whether organised crime groups would create a market for illicit or fake vaccines, or undertake fraud using peoples' uncertainty or desire for vaccines as the 'bait'. There were additional concerns as to whether anti-vaccination groups may seek to impact the rollout of a COVID-19 vaccination program.
To investigate these issues, the Parliamentary Joint Committee on Law Enforcement (committee) referred this inquiry on 17 March 2021 to inquire into and report on COVID-19 vaccine related fraud and security risks. This inquiry is intended to focus on the fraud and security risks that specifically arise or relate to COVID‑19 vaccinations only, given the committee recently finalised its inquiry into broader crime trends during the pandemic, as outlined in greater detail later in this chapter.
The types of fraud the committee was concerned would arise, and other issues of interest prompting this inquiry, were:
phone and internet communications using people's COVID-19 related concerns to conduct fraud;
fraudulent vaccination certificates;
the physical safety of COVID-19 vaccines; and
Australian Government assistance being given to Pacific nations in relation to the above issues.
The committee is also concerned with fraudulent information regarding COVID-19 vaccines that is being promoted by various individuals and interest groups, as that misinformation is having a measurable impact on law enforcement. These individual fraud and security issues are discussed in detail in Chapter two.
The committee's finding to date from this inquiry is that concerns regarding fraud and security risks relating to the vaccination rollout have not yet manifested to the degree some anticipated.
However, there remain serious ongoing concerns regarding risks of future fraudulent behaviour in relation to vaccination certificates, particularly as there is a gradual normalisation of pre-COVID domestic social and economic activity that will rely on vaccination rates instead of measures such as lockdowns and facemasks, as well as the future resumption of international travel.
Due to such concerns regarding potential future fraudulent behaviour relating to the COVID-19 vaccination status of individuals, which cannot be properly predicted at this point, the committee has resolved to present its current findings in this interim report, while keeping a watching brief over the issue. A final report is intended to be published by February 2021, when the committee has reviewed the fraud and security risks that may arise if a system for proving vaccination status is rolled out by the Australian Government.
In addition to the committee's recently completed inquiry into broader crime trends during the pandemic, outlined later in this chapter, the committee is also very conscious that there was a marked increase in online child sexual exploitation during the pandemic. Such exploitation, among the most serious and heinous of all crime types, is being addressed by this committee in another current inquiry: Law enforcement capabilities in relation to child exploitation, which was referred on 16 June 2021.
Other relevant inquiry reports
The broad impacts of the pandemic have already been greatly scrutinised, in particular by the Senate Select Committee on COVID-19. However, inquiries to date have largely focused on the health, social and economic impacts of the pandemic.
To ensure the security and crime impacts of the pandemic were also properly investigated and better understood, in June 2020 this committee commenced an inquiry into trends and changes in criminal activity related to the pandemic and law enforcement responses (COVID-19 crime inquiry). The committee completed its inquiry and presented its final report in June 2021. That inquiry report comprehensively discussed crime trends—including organised crime and fraud—resulting from the pandemic and the measures taken to combat it.
As the evidence from that inquiry was largely gathered before Australia's vaccination program was underway, the committee referred this inquiry on 17 March 2021 to 'inquire into and report on vaccine related fraud and security risks'. This inquiry is intended to focus on the fraud and security risks that specifically arise or relate to COVID-19 vaccinations only, and this interim report should be read in conjunction with the report of this committee's COVID-19 crime inquiry. The committee acknowledges that this is a rapidly changing environment, particularly in relation to the issue of proof of vaccination status.
Anticipated fraud and security risks
Fraud costs victims billions of dollars globally each year. The Australian Competition and Consumer Commission (ACCC) reported Australian losses of over $634 million in 2019, and this amount is expected to rise with the release of 2020 statistics.
Early in the pandemic, there was a great deal of concern for the security and integrity of COVID-19 vaccines. As outlined in the committee's recent COVID‑19 crime report, the United Nations Office on Drugs and Crime (UNODC) 'predicted that COVID-19 vaccines could be exposed to falsification and trafficking.' The COVID-19 crime report also highlighted evidence that organised crime groups 'might also be attracted to producing and selling false or illicitly obtained medical or [personal protective equipment] products, as the penalties for these activities are less severe than those associated with the manufacture and distribution of illicit drugs’.
Dr John Coyne, an expert in responses to organised crime and drug trafficking, also advised the committee during the COVID-19 crime inquiry that 'law enforcement needs upskilling to achieve an understanding of legitimate flows of pharmaceutical products,' and that while Australia has strong border controls, 'law enforcement may need more resourcing to assist in the investigation of illegitimate vaccines as a priority’.
However, it must be noted that the majority of evidence received by the committee for the COVID-19 crime inquiry was in July–August 2020. The evidence to this current inquiry was received in April–May 2021, when the landscape regarding COVID-19 vaccinations had significantly shifted.
Evidence to this inquiry has outlined that the impacts of the pandemic—such as people working from home, being increasingly online and feeling vulnerable and isolated—have increased both individuals' and businesses' susceptibility to fraud. The Cyber Security Cooperative Research Centre (Cyber Security Centre) submitted that COVID-19 has 'dramatically impacted the way we live and work,' and in the 'mass migration to working-from-home conditions, many workers and organisations have found themselves with less-than-optimal cyber security protections and inadequate cyber awareness’.
The Attorney-General's Department noted that there is an increased risk of fraud during the COVID-19 pandemic, due to the complex and time‑critical nature of government responses, and because the vaccination program is relevant to all Australians.
The committee heard that this vulnerability to fraud is exacerbated by the pharmaceutical and health care sectors working in an increasingly digitised environment, where 'cyber security incidents are becoming more common, from attempts to steal data and intellectual property, to preventing relevant computers or networks from operating’.
The Department of Home Affairs (Home Affairs) submitted that criminals would take advantage of community concerns regarding the pandemic in their fraud and scam activities. Home Affairs further submitted that the potential for fraud accompanying the release of COVID-19 vaccines could be 'the most significant criminal issue associated with COVID-19 to impact Australia over the next 24 months'.
The Australian National University, School of Regulation & Global Governance, similarly submitted that crime groups exploit supply shortages and widespread fear of COVID-19 as a general template for fraud and other deceptions, including scamming online government relief measures and payments.
Fraud is not just an issue for individuals and businesses through the risk of losing money. The Attorney-General's Department submitted that fraud can also undermine the efforts of governments to respond quickly in crisis and emergency response situations, highlighting the need for an effective and swift response to fraud risks from governments. The department also observed that fraud can also 'reduce the public’s confidence in genuine communications from governments and health practitioners, potentially leading them to disregard advice about vaccine availability and appointments’.
The Attorney-General's Department further noted that 'if fraud happens in an uncontrolled manner, it could have significant impacts, such as increasing the cost of the rollout or undermining confidence in the vaccines and Australia’s vaccination program'.
The Cyber Security Centre informed the committee that the ability of cyber criminals to adapt to amorphous environments was shown by the rise of COVID-19 vaccine related cyber threats as nations pivoted to vaccine rollouts, and predicted these 'are likely to escalate, morph and mutate as the pandemic continues and the world becomes ever more digitally interconnected'.
Fraud experienced under pandemic
The committee's COVID-19 crime inquiry report found there was 'conflicting evidence regarding the extent to which cybercrime activity increased during the COVID-19 pandemic'. For example, Home Affairs stated cybercrime increased modestly, while the Cyber Security Centre stated there had been an exponential rise in cyber activity.
The Cyber Security Centre submitted similar evidence to this inquiry, that '[i]ndividually and collectively, citizens around the world are now facing a greater volume and range of cyber threats' and that during the first COVID-19 lockdown period in 2020, 'Australia witnessed an exponential rise in cyber activity by malicious cyber actors, with the Australian Cyber Security Centre noting in 2020 they had fielded almost 60,000 reports from Australian individuals and organisations purporting instances of cybercrime'.
The ACCC received reports of scams related to COVID-19 as early as 27 January 2020, with scammers taking advantage of Australian's fears through phishing, selling false products and other types of scams. The Cyber Security Centre submitted that the ACCC has found 'that since the beginning of the pandemic, there have been more than $9,800,000 AUD in reported losses’.
However, the committee received evidence to the COVID-19 crime inquiry that increases in fraud have also been driven by issues unrelated to the pandemic. The COVID-19 crime inquiry report quoted the Australian Signals Directorate and Australian Federal Police (AFP) as advising that 'advancement and innovation over the last decade was already leading to increased digital adoption and cyber-attacks…deception, theft, corruption, fraud, blackmail, money‑laundering, phishing, and scams were already rising around the world, and the pandemic has only exacerbated this trend’.
Evidence to this inquiry has suggested that, despite the increased instances of fraud during the pandemic, fraud has thus far tended not to use the vaccination program as a vulnerability point. The ACCC noted it had 'continued to see a substantial volume of COVID-19 themes in scams so far in 2021, but a very limited number relate to vaccinations’. The ACCC submitted the instances of fraud relating to vaccines included:
Between 1 January 2021 and 9 April 2021, Scamwatch received 793 reports mentioning COVID-19 with $2.4 million in reported losses.
By comparison, only 58 of these 793 reports mentioned COVID-19 vaccines or vaccinations, with no reported financial losses. Of the 58 reports 6 reporters advised that they gave personal information to the scammer. A further 4 reporters advised that they gave personal information however these reports were all legitimate government or medical centre contacts.
The ACCC advised that common examples of COVID-19 related scams include:
text, social media posts and emails with misinformation about the coronavirus;
investment scams claiming coronavirus has created new opportunities to make money or to invest in COVID-19 vaccinations; and
survey and research scams offering a reward for participation in research or survey about the vaccine.
Home Affairs advised that the organised crime threat related to the COVID-19 vaccine rollout was significantly reduced in Australia because of the no-cost nature of the government vaccine program, and submitted that the 'impact of organised criminal activity associated with COVID-19 vaccines in Australia is likely to be limited to scam attempts and small-scale black market activity. Home Affairs further advised that international experience suggests that while criminal groups will try to exploit the vaccine rollout, 'this is likely to be on a small or individual scale'.
The Attorney-General's Department noted that:
Australia has not seen significant scam and fraud activity related to the COVID-19 vaccination roll-out. This is a positive trend we would like to see continued to maintain confidence in the vaccination program.
The Northern Territory Government also noted it had not experienced the anticipated levels of fraud, and informed the committee that 'no reports of COVID-related telecommunication or internet fraud have been received in the Territory'.
Government countermeasures for fraud
The committee was informed of a number of existing initiatives, programs and working groups that address fraud and security risks more broadly, that were also relevant to the kinds of fraud risks that arose as a result of the pandemic. The committee was also informed of instances where those existing programs pivoted to address COVID-19 related risks, or where new programs or taskforces were set up to target COVID-19 specific crimes, including fraud and other criminal activities. The existence of these initiatives, which pre-date the pandemic, is likely a significant contributor to the relatively low rate of COVID-19 related fraud that has, to date, been actually experienced as opposed to anticipated.
The following section will discuss some pre-existing Australian Government measures to address fraud, and how those measures were already relevant to, or adapted to address, COVID-19 related fraud and security risks. This is not an exhaustive list of all the measures taken by the Australian Government to tackle fraud and cyber security, but is meant to briefly outline some of the key existing measures. New measures introduced specifically to counter COVID-19 related fraud are discussed in chapter two. Some broader measures were also discussed in this committee’s report into the COVID-19 crime inquiry.
The Criminal Justice Law Enforcement Forum (CJLEF) consists of the heads of 17 Commonwealth agencies and was established by Home Affairs in 2017–18, to ensure the agency is 'bringing together the Commonwealth’s collective capabilities to bear against capable and well-resourced organised crime syndicates'. Home Affairs submitted that under the pandemic, the CJLEF 'is driving an integrated response to COVID-19 criminality' to 'better coordinate public messaging for greater public confidence in the vaccine program, and reduce opportunities for scam and fraud activity'.
The Attorney General's Department manages the Commonwealth Fraud Prevention Centre, which has pivoted during the pandemic to undertake work to prevent COVID-19 related crime. The Commonwealth Fraud Prevention Centre, together with the AFP and the Department of Health, assists in the 'design and implementation of Australia’s COVID-19 vaccination rollout to provide information about fraud threats identified internationally and discuss strategies to assess and mitigate those threats in Australia'.
The Attorney-General's Department also informed the committee of broader anti-fraud work being undertaken by that agency to counter fraud risks in the Australian community, which are relevant to fraud experienced during the pandemic:
A key first step to countering fraud is undertaking fraud risk assessments. A detailed, fraud-focused assessment provides relevant public officials with a better understanding of fraud risks and highlights any limitations in existing countermeasures. A fraud risk assessment also helps officials make decisions about how to mitigate fraud risks and where to focus post‑event assurance activities.
[The Attorney-General's Department], through the [Commonwealth Fraud Prevention Centre], has published leading practice guidance on fraud risk assessments on its website, CounterFraud.gov.au. These assessments have evolved significantly over recent years, and can lay the groundwork for additional improvements, such as improved data collection, collaboration, information sharing, data analytics and countermeasures that can be scaled across different measures and programs.
The Australian Cyber Security Centre is based within the Australian Signals Directorate and leads the Australian Government’s efforts to improve cyber security. It provides advice and information about how to protect individuals and businesses online, works collaboratively to investigate and develop solutions to cyber security threats and works with law enforcement authorities to fight cybercrime.
Working closely with the Australian Cyber Security Centre, the Department of Health is undertaking measures to deal with vaccine fraud risks, including potential cyber issues. The Therapeutic Goods Administration has also been working on measures to mitigate the risk of counterfeit vaccines.
Home Affairs is the lead agency responsible for implementing Australia’s recently announced Cyber Security Strategy 2020, and is 'developing a new national framework on measures to detect, deter, prevent, respond and recover from the harms caused by both cyber-dependent and cyber-enabled cybercrime' and is also exploring new opportunities for collaboration with the National Australia Bank via a new working group.
Home Affairs informed the committee that initiatives developed under this broader cyber security program will be relevant to COVID-19 related crime but were not created to address only the crimes that arose under the pandemic.
One Home Affairs initiative is the national identity-matching services, including the Document Verification Service and Face Matching Services, which provide a fast, secure, online check of identity information against government identity records, which is a valuable tool in combatting identity fraud.
Home Affairs noted the Identity-matching Services Bill 2019 will make driver's licence images matchable for the first time, improving the capability of the Commonwealth, State and Territory agencies to share identity information for verification and identification purposes in support of fraud prevention, law enforcement, national security, and service delivery outcomes. This bill is currently before Parliament.
Additionally, Home Affairs has engaged IDCARE to 'ensure Australian victims of identity scams and cyber-crimes have the specialist support they need to recover from and minimise the impact of these incidents’.
The AFP advised that under the Cyber Security Strategy 2020, it had been funded for $89.9 million in relation to cybercrime, and also discussed the new collaboration with the National Australia Bank 'to help us identify the scope and scale of what they're seeing' and described it as 'a really fruitful partnership for us, not just a relationship'.
The AFP has a range of other measures that are relevant to COVID-19 related crimes. Operation Ashiba is an AFP-led multi-agency taskforce 'established to support and contribute to whole‐of‐government efforts to combat serious and organised crime exploiting Commonwealth funded programs'. Operation Ashiba now auspices the temporary COVID-19 Counter Fraud Taskforce that focuses on fraud against COVID-19 economic stimulus measures.
To progress goals of the COVID-19 Counter Fraud Taskforce, the AFP established Taskforce Iris, comprised of two dedicated investigation strike teams in Melbourne and Sydney, with additional investigations teams to provide support across the country as needed.
In March 2020, the AFP established Operation PROTECT to coordinate the AFP's involvement in the whole-of-government response to the pandemic, with a 24/7 Incident Coordination Centre located at AFP Headquarters in Canberra and Major Incident Rooms in all AFP regional offices.
In the same month, the AFP also established the Joint Intelligence Group (JIG) as the central point of intelligence for Operation PROTECT. The JIG monitors and shares information on crime trends and potential risks among its members, which includes international partners and Australian law enforcement and intelligence agencies, such as Australian Transaction Reports and Analysis Centre (AUSTRAC), Australian Criminal Intelligence Commission (ACIC) and Australian Border Force (ABF) and all state and territory police forces.
The ACCC's Scamwatch service has monitored scams throughout the pandemic. The service allows consumers to report scams, which the ACCC then monitors to understand and raise public awareness of scams trends. The ACCC also undertakes intelligence sharing and disruption activities.
International collaborative groups have also pivoted to address COVID-19 related risks. Via the International Public Sector Fraud Forum, the Attorney‑General's Department has shared information on fraud threats and incidents during the COVID-19 pandemic response with international counterparts from the UK, US, New Zealand and Canada, as well as leading counter fraud approaches.
Chapter two will discuss new measures introduced specifically to counter COVID-19 related fraud, focused only on the measures that are relevant to vaccine related fraud.
Conduct of this inquiry
The committee referred this inquiry on 17 March 2021 into vaccine related fraud and security risks, pursuant to subsection 7(1) of the Parliamentary Joint Committee on Law Enforcement Act 2010.
The terms of reference for the inquiry required the committee to inquire into and report on vaccine related fraud and security risks, with particular reference to:
Telecommunications and internet fraud relating to COVID vaccinations;
Criminal activity around the supply of fake vaccines, black market vaccines and/or fake vaccine certifications and the acquisition of certificates;
Risks to Australia regarding fraud and integrity of COVID vaccines in South Pacific nations and support for these nations to address issues relating to fraud and integrity risks;
Physical security in the production, transport and supply of COVID vaccines in Australia;
Measures to prevent and protect against COVID vaccine-related fraud and security risks;
The committee received 14 submissions. A list of public submissions, together with other information authorised for publication is provided at Appendix 1.
The committee has not held a public hearing for this inquiry prior to publishing this interim report.
The evidence submitted from law enforcement agencies advised that, on the whole, the anticipated spike in fraud connected to the COVID-19 vaccine rollout has not, at least to date, occurred in Australia. As such, the committee did not hold public hearings to assist in drafting this interim report. However, public hearings may be held at a future date to seek further evidence for the final report of this inquiry.
The committee thanks the individuals and organisations that made submissions to the inquiry to date.
As noted earlier in this chapter, a final report is intended to be published by February 2022, after the committee has reviewed the fraud and security risks that may arise if a system for proving vaccination status is rolled out by the Australian Government.