Some members of the UK public will soon start receiving text messages and emails claiming to come from the NHS Test and Trace Service, as part of the country’s fight against the Coronavirus pandemic.
The problem is that many of them won’t know if the communication is genuine, or from a scammer.
UK Health Secretary Matt Hancock says:
“If you are contacted by NHS Test and Trace, instructing you to isolate, you must. It is your civic duty, so you avoid unknowingly spreading the virus, and you help to break the chain of transmission.”
I don’t have a problem with that. That sounds sensible.
But how should people confirm that the Test and Trace communication is genuine, rather than from a scammer or mischief-maker?
“John from Gloucester” had the same question last night, 25 minutes into the UK Government’s Covid-19 briefing:
John from Gloucester:
If I receive a call from someone who says they are from the Trace and Test scheme, telling me to self-isolate, how can I confirm that the call is genuine?
Deputy Chief Medical Officer Dr Jenny Harries:
We have 25,000 tracers, if you like, available and they will start from a piece of information and it is highly unlikely with all the confidentiality around the data systems that you will be contacted inappropriately by anyone. Now I recognise that many of us will be very cautious and quite rightly so about interactions from external organisations, but individuals will make it very clear to you that they are following for a particular reason and I think it will be very obvious in the conversation that you have with them that they are genuine.
And I think it would be very evident when somebody rings you these are professionally-trained individuals and sitting over, if you like, the telephone interviews and email senders are a group of senior clinical professionals who are overseeing this for your safety.
In short, the UK Government seems to be saying that it will be obvious that Test and Trace callers are not scammers because they will sound “professional.”
I’m sure that Dr Harries is extremely knowledgeable when it comes to medical matters, but from that answer she sounds terribly ill-informed about the professionalism of scammers.
Leaving aside the serious concerns that have been raised about the training given to the UK’s newly-recruited army of tracers, that answer massively underestimates the professionalism of some organised criminals, who have in the past convinced unsuspecting members of the public that they are financial institutions and utility providers.
The public has been told that when contacted by the NHS Test and Trace service they will be asked to provide personal details such as their full name, date of birth, and contact details.
If you are being contacted about a positive Coronavirus test, you will be asked for yet more information.
I have no doubt that scammers will use the disguise of the NHS Test and Trace service to steal this and further personal information from unsuspecting members of the public.
The NHS does offer some helpful tips, such as explaining that the Test and Trace service won’t ask you for any bank details or payments, or ask for details of your other online accounts, or ask you to set up a password or a PIN over the phone, or ask you to ring a premium rate number. That’s great – but I wonder how many people will remember that if they get a convincing-sounding scammer contacting them?
Furthermore, it says that text messages will come “from the NHS”, and calls from 0300 0135000.
But it’s easy for criminals to spoof an SMS text message or call to make it appear as if it’s genuine.
Finally, the service says that you’ll be directed to a website: https://contact-tracing.phe.gov.uk.
Good luck getting your Aunty to remember that that’s the legitimate site, and that the likes of contact-tracing.phe-gov.uk aren’t.
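As an added illustration (not part of the original post) of why the lookalike problem is hard for people and easy for software, here is a small checker that pulls link-like tokens out of a text message and accepts only the genuine https address named above, flagging hyphen-for-dot swaps, extra labels, a real name hidden before an “@”, and punycode labels. The sample messages are constructed for the example; the only real value is the legitimate hostname from the NHS guidance.

```python
import re
from urllib.parse import urlsplit

# The genuine site named in the NHS guidance; everything else here is constructed.
LEGIT_HOST = "contact-tracing.phe.gov.uk"
# Link-like tokens in a text: optional scheme, host (keeping '@' so a
# "real-host@evil.example" userinfo trick is captured whole), optional path.
URL_RE = re.compile(r"(?:https?://)?[\w.@-]+\.[a-z]{2,}(?:[/?#]\S*)?", re.I)


def classify_link(url: str) -> str:
    """Return 'genuine', 'suspicious' or 'unrelated' for one link.

    Only an https link whose host is exactly LEGIT_HOST, with no userinfo,
    counts as 'genuine'. Anything that borrows pieces of the genuine name
    (phe-gov.uk, an extra label, the name hidden before an '@', punycode)
    is 'suspicious'; links that do not resemble it at all are 'unrelated'.
    """
    if "://" not in url:
        url = "https://" + url          # bare hosts in texts omit the scheme
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme == "https" and parts.username is None and host == LEGIT_HOST:
        return "genuine"
    if "xn--" in host:                  # internationalised label: possible homoglyph
        return "suspicious"
    # Compare letters only, so dot/hyphen swaps and inserted labels still match.
    letters = re.sub(r"[.\-@]", "", parts.netloc.lower())
    if any(piece in letters for piece in ("contacttracing", "phegov", "nhs")):
        return "suspicious"
    return "unrelated"


def check_message(text: str) -> list:
    """Return (link, verdict) for every link-like token in an SMS or email body."""
    return [(m.group(0), classify_link(m.group(0))) for m in URL_RE.finditer(text)]


# Constructed sample texts for this example, not real NHS messages.
SAMPLE_MESSAGES = [
    "NHS: you have been in contact with someone who tested positive. "
    "Visit https://contact-tracing.phe.gov.uk to log your details.",
    "NHS alert: confirm your details at https://contact-tracing.phe-gov.uk/verify",
    "Please complete https://contact-tracing.phe.gov.uk@track-nhs.example/login",
    "Test result ready: http://contact-tracing.phe.gov.uk.results.example/",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for link, verdict in check_message(msg):
            print(f"{verdict:10} {link}")
```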
So, here are my predictions:
- Scammers will pose as the NHS Test and Trace service to steal information from members of the public on the phone, via email, and SMS text message.
- Malicious mischief-makers will pose as the NHS Test and Trace service in an attempt to disrupt others’ lives. Imagine, for instance, you want to mess with the life of a business rival or a former partner after an acrimonious split by forcing them to stay at home for an extended period of time.
- Computer security experts and some members of the UK public will warn of these dangers and will be largely ignored.
But even if the UK Government is living in cloud-cuckoo-land in its reliance on SMS text messages as a way to communicate with the public about Coronavirus, that doesn’t mean you can’t do your bit by warning friends and family about the real risks of scammers abusing the system.
To hear more discussion of this issue, make sure to listen to this episode of the “Smashing Security” podcast:
Smashing Security #181: 'Anti-cybercrime ads, tricky tracing, and a 5G Bioshield'
Personally, for the past five years I've rigorously followed the advice given out by the CEO of a UK ISP who advised that checking the "from" address provided confidence in an email being genuine. I wonder whether the sagely advice of this CEO (whatever happened to her?) and the nonsense above are in any way related? I think we should be told.
I see what you did there. ;-)
Graham, you almost saw what I did there too as I was about to make the same point in much the same way before the previous poster beat me to it! I well remember your piece on that lamentable episode but it seems many others don't. Sadly, we still see the same basic mistakes made over and over and often by some of the biggest organisations.
The first clue that it's not genuine is that you are actually receiving a call! I have a medically-trained contact who is working on this and in 8 or 10 hours of signing into the scheme they have attempted to call 2 people, neither of whom answered, and no further work was forthcoming.
I did discuss with them how they would deal with somebody who rightly queried their legitimacy, and they would direct them to hang up and ring the 0300 number listed on https://contact-tracing.phe.gov.uk/ – sound enough advice so long as similar URLs are not bought up for nefarious purposes. I understand that the good guys and girls are buying them up and donating them which is some kind of positive news though of course NHSX should have already done this.
Of greater concern to me are the apps themselves, if these very trivial security steps are not being taken. I initially believed that they took a step in the right direction by making the code open source, but have been disabused of that notion as the posted code is nearly a month old already, so an early 1.0 release (https://github.com/nhsx/COVID-19-app-Android-BETA/issues/49); they have essentially taken it closed source again. Sigh…