Some members of the UK public will soon start receiving text messages and emails claiming to come from the NHS Test and Trace Service, as part of the country’s fight against the Coronavirus pandemic.
The problem is that many of them won’t know if the communication is genuine, or from a scammer.
UK Health Secretary Matt Hancock says:
“If you are contacted by NHS Test and Trace, instructing you to isolate, you must. It is your civic duty, so you avoid unknowingly spreading the virus, and you help to break the chain of transmission.”
I don’t have a problem with that. That sounds sensible.
But how should people confirm that the Test and Trace communication is genuine, rather than from a scammer or mischief-maker?
“John from Gloucester” had the same question last night, 25 minutes into the UK Government’s Covid-19 briefing:
John from Gloucester:
If I receive a call from someone who says they are from the Trace and Test scheme, telling me to self-isolate, how can I confirm that the call is genuine?
Deputy Chief Medical Officer Dr Jenny Harries:
We have 25,000 tracers, if you like, available and they will start from a piece of information and it is highly unlikely with all the confidentiality around the data systems that you will be contacted inappropriately by anyone.
Now I recognise that many of us will be very cautious and quite rightly so about interactions from external organisations, but individuals will make it very clear to you that they are following for a particular reason and I think it will be very obvious in the conversation that you have with them that they are genuine.
And I think it would be very evident when somebody rings you these are professionally-trained individuals and sitting over, if you like, the telephone interviews and email senders are a group of senior clinical professionals who are overseeing this for your safety.
In short, the UK Government seems to be saying that it will be obvious test and trace callers are not scammers because they’ll sound “professional.”
I’m sure that Dr Harries is extremely knowledgeable when it comes to medical matters, but from that answer she sounds terribly ill-informed about the professionalism of scammers.
Leaving aside the serious concerns that have been raised about the training given to the UK’s newly-recruited army of tracers, that answer massively underestimates the professionalism of some organised criminals, who have in the past convinced unsuspecting members of the public that they are financial institutions and utility providers.
The public has been told that when contacted by the NHS Test and Trace service they will be asked to provide personal details such as their full name, date of birth, and contact details.
If you are being contacted about a positive Coronavirus test, you will be asked for yet more information.
I have no doubt that scammers will use the disguise of the NHS Test and Trace service to steal this and further personal information from unsuspecting members of the public.
The NHS does offer some helpful tips, such as explaining that the Test and Trace service won’t ask you for any bank details or payments, or ask for details of your other online accounts, or ask you to set up a password or a PIN over the phone, or ask you to ring a premium rate number. That’s great – but I wonder how many people will remember that if they get a convincing-sounding scammer contacting them?
Furthermore, it says that text messages will come “from the NHS”, and calls from 0300 0135000.
But it’s easy for criminals to spoof an SMS text message or call to make it appear as if it’s genuine.
Finally, the service says that you’ll be directed to a website: https://contact-tracing.phe.gov.uk.
Good luck getting your Aunty to remember that that’s the legitimate site, and that the likes of contact-tracing.phe-gov.uk aren’t.
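To show why the real and lookalike addresses above are so hard to tell apart by eye, here is a small added checker (my own example, not anything from the NHS or the post itself) that pulls URLs out of a text message and decides whether each one actually points at the genuine site, a lookalike that merely contains the genuine name, or something unrelated. The sample message and the marker strings are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Genuine host named by the service, and the zone it sits under.
GENUINE_HOST = "contact-tracing.phe.gov.uk"
GENUINE_ZONE = "phe.gov.uk"

# Fragments that a lookalike would reuse once dots and hyphens are stripped
# (constructed markers for this example).
LOOKALIKE_MARKERS = ("phegovuk", "contacttracing")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _collapse(s: str) -> str:
    """Remove separators so 'phe-gov.uk' and 'phe.gov.uk' compare equal."""
    return s.lower().replace("-", "").replace(".", "")


def classify_url(url: str) -> str:
    """Return 'genuine', 'lookalike' or 'unrelated' for one URL.

    urlsplit() returns the real host, so a user-info trick such as
    https://contact-tracing.phe.gov.uk@evil.example/ resolves to evil.example.
    Homoglyph/IDN spoofing is NOT handled here; this is a plain string check.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host == GENUINE_HOST or host == GENUINE_ZONE or host.endswith("." + GENUINE_ZONE):
        return "genuine"
    # Not the real site: does the link still borrow the genuine name anywhere?
    if any(marker in _collapse(url) for marker in LOOKALIKE_MARKERS):
        return "lookalike"
    return "unrelated"


def check_message(text: str) -> list[tuple[str, str]]:
    """Extract every http(s) URL from an SMS/email body and classify it."""
    results = []
    for match in URL_RE.findall(text):
        url = match.rstrip(".,;:!?)")  # drop trailing punctuation
        results.append((url, classify_url(url)))
    return results


# Constructed sample message, modelled on the spoofed-domain pattern above.
SAMPLE_SMS = ("NHS: you have been in contact with a positive case. "
              "Register now at https://contact-tracing.phe-gov.uk/isolate.")
```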
So, here are my predictions:
- Scammers will pose as the NHS Test and Trace service to steal information from members of the public on the phone, via email, and SMS text message.
- Malicious mischief-makers will pose as the NHS Test and Trace service in an attempt to disrupt others’ lives. Imagine, for instance, you want to mess with the life of a business rival or a former partner after an acrimonious split by forcing them to stay at home for an extended period of time.
- Computer security experts and some members of the UK public will warn of these dangers and will be largely ignored.
But even if the UK Government is living in cloud-cuckoo-land in its reliance on SMS text messages as a way to communicate with the public about Coronavirus, that doesn’t mean you can’t do your bit by warning friends and family about the real risks of scammers abusing the system.
To hear more discussion of this issue, make sure to listen to this episode of the “Smashing Security” podcast: