Jabs Up For Grabs: NSW’s “Secret” Vaccine Booking Website?

Update (31/8): Newer Vaccine Booking Site

I’d recommend booking using the website linked below instead of the nswhvam one as it’s easier to navigate, has faster registration, and is less of a headache to use.

https://vaccination.slhd.nsw.gov.au/

Instead of forcing you to cycle through different clinics and dates for the second dose on nswhvam, this one automatically loads the second vaccine date and lets you know if there’s appointment date/time slots available.


I’ve written about covid vaccine scams before: but now there’s a vaccine booking site for people in NSW that people claim allow them to skip the queue.

  1. Seems Sus
  2. “Secret” Vaccine Booking Website: nswhvam
  3. Seems Legit

Seems Sus(?)

With Sydney-siders facing lockdown for (at least) another month, most people are clambering to get vaccinated as soon as possible.

The info on the Service NSW states that:

Image source: ‘Book a COVID vaccination’, Service NSW Website

Clearly, info from Service NSW (arguably the most reputable government source) should be the most accurate: vaccine bookings are done via the official vaccine eligibility checker, so other websites are likely scams or phishing attempts.

As such, it’s not surprising that COVID vaccine booking websites that allow younger Australians to “skip the vaccine queue” being shared on social media are (rightfully) met with skepticism.

In July, Sydney Morning Herald reported on general confusion surrounding these links: as it turned out, “some” of these links are actually legitimate (the article fails to provide links to the apparently legitimate vaccine website(s) in question).

Scamwatch, which is run by the Australian Competition and Consumer Commission, received 108 reports mentioning COVID-19 vaccinations in June but, after investigation, 101 of those were shown to be about “legitimate” information and websites.

It is unclear how the links have become publicly accessible, but it is believed some are intended for healthcare workers and their families or other eligible groups.

Jab confusion: Genuine vaccination information mistaken for scams’, Sydney Morning Herald

Nab Your Jab: on the “Secret” Vaccine Booking Website

The vaccine booking website mentioned is this:

https://nswhvam.health.nsw.gov.au/vam

While it does end with an official ‘health.nsw.gov.au’ domain URL section, I immediately understood the skepticism once I opened the site myself.


Let’s look into the reasons why it looks suspicious:

1. Blurry NSW Government Logo Image

A blurry logo is usually indicative of a phishing website (the same applies to scam emails). The lower-resolution NSW government logo stood out: after a quick browse, I found that the main NSW health website uses a similarly blurry version:

Seems like the NSW health web devs are slacking.
Image source: https://www.health.nsw.gov.au/

In contrast, the NSW government’s COVID 19 informational site uses a distinctly higher resolution image of the logo:

Pictured: Handsome, higher resolution logo
Image source: https://www.nsw.gov.au/covid-19
2. Lack of Website Footer Navigation

The lack of consistency in the footer of the website didn’t do it any favors either: usually, anything deviating from what’s expected visually (based on other government websites) is logical cause for suspicion.

While the nswhvam website contains links to NSW health and ServiceNSW, it lacks the standardised website footer navigation panel:

nswvham vaccine booking website (left), nsw.gov.au covid 19 webpage (right)
As shown in the image comparison, the nsw.gov.au website on the right contains more site navigation links to other NSW government health pages.
3. Suspicious Domain URL

Prior to using the ‘.health.nsw.gov.au’ domain, previous links to the booking website appeared less legitimate. These included:

Source: Twitter

A suspicious domain is arguably the biggest indicator of a phishing/scam website, so it’s likely what was ringing alarms in people’s heads before the ‘health.nsw.gov.au’ URL was shared.

4. Email Confirmation Domain

Another cause for suspicion appears during the sign-up process: the verification email is sent not from a ‘health.nsw.gov.au’ or even’ .gov.au’ domain – instead, it comes from a ‘service-now.com’ domain:

Image source: Password reset email from my inbox

Seems Legit

While I’ve gone over the reasons why the website seems suspicious, I do believe there’s good reason that it is in fact legitimate. The ‘health.nsw.gov.au’ domain is the first sign of legitimacy.

The Daily Telegraph reported on nswhvam in this article (behind a paywall) includes a link to the booking portal at the end of the article. Here’s a link to the article if you don’t have a Daily Telegraph subscription. It’s unlikely that a major news outlet would link incorrectly to a scam/phishing website – especially considering it’s almost two weeks old.

In addition, earlier this week major news outlets reported on a helpful tool called covidqueue that notifies you when vaccine booking times are available for clinics of your choice. This website likewise directs you to the nswhvam booking website to sign in and make a booking when an availability pops up. (Note: the server seems overwhelmed with traffic periodically – it loaded 2 out of 5 days I tried accessing it).

I’ve also located a reddit post of people questioning the legitimacy of the site titled ‘Scam covid vaccination site?’ (questioning the link shared with the ‘powerappsportals.com’ domain. Replies to the post either agree that it seems suspicious or confirm that it is a legitimate site that they booked and confirmed with the vaccination program hotline.

I’ve made my Pfizer bookings through the site. I’ve also spoken to people who confirm that they’ve made bookings which they’ve received vaccines from.

While I have read online of people who were turned away when they turned up at their appointment due to being ineligible, it depends on the clinic as to how strict their screening process is (strict: Sydney Olympic Park, not as strict: Westmead/Blacktown).

Edit (27/8): It’s also officially linked to on the NSW health website here.

Published by Tech Neck Nick

I'm a cybersecurity major postgrad student from Sydney, Australia. Support my fight against Writer's Block.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: