What the NHS Test and Trace scheme could learn from banks about stopping scams

Graham Cluley
@gcluley

I’m concerned that fraudsters will disguise themselves as the NHS Test and Trace Service, and trick people into giving over sensitive personal information – and maybe even some money.

The Government’s top medical advisers, however, seem to think that it will be obvious if a caller is a scammer or not, because scammers won’t sound “professional”.

Obviously that’s a ridiculous claim, and could give the public a false sense of confidence.


So how could we better protect people from giving information in response to fraudulent SMS texts and phone calls? How could we stop them visiting a bogus link that pretends to be the NHS Test and Trace site, but is really intent on scooping up their data?

Well, maybe Coronavirus test and trace schemes could learn something from banks.

Banks don’t just keep an eye open for phishing sites posing as their domains. They also give you a bank card, and on the back of it is a phone number you can ring if you ever need to speak with them.

That way, if someone rings you up out of the blue claiming to be your bank you can say “thank you very much, I’ll call the bank to confirm you’re not a fraudster”.

One of the things – aside from using advertising and publicity – the UK Government could have done is write to every household, giving each home a card that we could stick up in the kitchen (next to the Barnard Castle fridge magnet) telling us the name of the real website to visit and a phone number we could call if we are contacted by a tracer.

It doesn’t stop fraud 100%. Some people still wouldn’t go to the legitimate website, or would be socially engineered into giving their details to fraudsters posing as the NHS Test and Trace scheme.

But it’s probably a better way of ensuring everybody in the country has the correct information about what to do – if they receive a call from a supposed Covid-19 tracer – than anything else the Government is currently doing.

To hear more discussion of this issue, make sure to listen to this episode of the “Smashing Security” podcast:

Smashing Security #181: 'Anti-cybercrime ads, tricky tracing, and a 5G Bioshield'



Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

2 comments on “What the NHS Test and Trace scheme could learn from banks about stopping scams”

  1. Already happening, this was posted on LinkedIn yesterday-

    This was sent to a vulnerable and shielding friend:
    'Good morning, I'm calling from the NHS track and trace service. According to our system, you are likely to have been in close proximity to someone who has tested positive for COVID-19. This means that you now need to self-isolate for 7 days and take a COVID-19 test.' 'OK. Can you tell me who that person was?' 'I'm not able to tell you that. That is confidential information.' 'Right. Um… so ….' 'But you do need to be tested within the next 72 hours. So can I just get the best mailing address so that we can send a kit to you?' 'Ok (gives address)' 'Thank you – and I just need to take a payment card so that we can finalise this and send the kit to you.' 'Sorry – a payment card? I thought this was all free?' 'No – I'm afraid not. There is a one-off fee of £500 for the kit, and test results. Could you read off the long card number for me, please, when you're ready.' 'No – that's not right. This is part of the NHS so there's no charge.' 'I'm afraid there is. Can you give me the card number please – this is very important, and there are penalties for not complying.' Puts phone down.
    **This is how scammers work. And vulnerable people will fall for it.** **Don't fall for it…!**
