Technical guidance about communicating the COVID-19 vaccine rollout for workplaces

CERT NZ has put together best practice technical guidance on workplaces communicating the COVID-19 vaccine process to members of staff or the public securely.

1 March 2021

Phishing emails, scam phone calls and scam texts imitate legitimate businesses. It is likely that scammers will attempt to use the COVID-19 vaccine as a way to trick people into sharing personal and financial data.

There are steps you can take to ensure any communications you circulate about the COVID-19 vaccine are secure and can be identified as trustworthy.

Email guidance
  • Make sure you send the email from your domain, or your domain appears in the email. For example, “”.
  • If you have to include a hyperlink in the email, where possible, use a short link to the webpage that is based on your own website.
  • Where possible, avoid using third party URL shortener services as these capture data from users who open them.
  • Ensure your email looks professional and check any links.
  • Make sure any behavioral requests are kept simple and non-intrusive. Refer people to your website for a list of actions to take and avoid requesting sensitive documents via email.
  • Provide alternative contact channels for people to verify requests.
  • As part of the COVID-19 vaccine rollout you should never ask for people’s passwords, financial details or copies of personal identification documents.
  • If you already have an established communications platform, use this to notify people that they can expect to receive an email communication about the vaccine.
  • Configuring security controls for your business domain such as SPF, DKIM, and DMARC can help you prevent attackers from impersonating your organisation’s email addresses.

More information on these three key email security controls can be found in our "Preventing your email from being spoofed" guide.

SMS guidance
  • Try not to include URLs in SMS messages.
  • Where a URL is absolutely necessary, use a simple URL from your own domain. Where possible, avoid using third party URL shortener services as these capture data from users who open them.
  • Ensure URLs are consistent in ALL messaging so that people can check independently.
  • If possible, aim to send all your contacts the same link, rather than creating unique links for each person, especially if using an external click tracking or URL shortening service that captures user data.
  • If you already have an established platform to communicate with your employees or customers (newsletter, meetings, Intranet) and still plan on sending SMS messaging, use this platform to notify people that they should expect to receive an SMS notification regarding the vaccine.
  • Inform operators in advance of large scale SMS campaigns as their anti-fraud mechanisms may result in your messages being blocked.
  • If you use a third party service to send SMS messages, ensure they are aware of CERT NZ’s guidelines before sending out your message.
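
The link advice in the email and SMS lists above (use your own domain, avoid third party shorteners, send everyone the same link) can be checked before a campaign goes out. The following is an added example, not CERT NZ's own code; the domain `example.org.nz`, the shortener host list and the sample drafts are assumptions made up for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed values for illustration; replace with your own domain and list.
ORG_DOMAIN = "example.org.nz"
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def extract_urls(text):
    """Return URLs in a message body, without trailing sentence punctuation."""
    return [u.rstrip(".,;:!?") for u in URL_RE.findall(text)]

def classify_host(url):
    """Classify a link as 'own-domain', 'shortener' or 'off-domain'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host in SHORTENER_HOSTS:
        return "shortener"
    # Exact match or true subdomain only, so lookalike hosts that merely
    # start with the organisation's domain do not pass.
    if host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN):
        return "own-domain"
    return "off-domain"

def check_drafts(drafts):
    """drafts maps recipient -> text; returns (recipient, issue, url) tuples."""
    findings, distinct = [], set()
    for recipient, text in drafts.items():
        for url in extract_urls(text):
            distinct.add(url)
            kind = classify_host(url)
            if kind != "own-domain":
                findings.append((recipient, kind, url))
    # Everyone should get the same link so it can be checked independently.
    if len(distinct) > 1:
        findings.append(("*", "links-differ", ", ".join(sorted(distinct))))
    return findings

# Constructed sample drafts, not real messages.
SAMPLE_DRAFTS = {
    "alice": "Vaccine info for staff: https://example.org.nz/vaccine",
    "bob": "Vaccine info for staff: https://example.org.nz/vaccine?uid=8841",
    "carol": "Book here https://bit.ly/abc123.",
    "dave": "Details: https://example.org.nz.info-portal.test/vaccine",
}

if __name__ == "__main__":
    for finding in check_drafts(SAMPLE_DRAFTS):
        print(finding)
```

An empty result means every draft carries the same link on the organisation's own domain.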

For any further guidance on technical advice refer to CERT NZ’s website or email

If your organisation becomes aware of a COVID-19 vaccine-related scam, report it to CERT NZ here:

The Ministry of Health and Unite Against COVID are coordinating the COVID-19 vaccination rollout. You can refer to their websites for further details.

Ministry of Health

Unite Against COVID