Phishing scam hooked into NHS contact-tracing app detected

The UK government is trialling its contact-tracing app on the Isle of Wight, with a view to rolling it out nationwide in the coming weeks. A coronavirus contact-tracing app keeps a record of people the user has been in close contact with, alerting the user if one of their recent contacts has tested positive for Covid-19, thus potentially exposing them to infection.

The UK’s app is unusual - and controversial - on account of the storage and processing of data taking place on a centralised server, rather than directly on users’ phones, as is the case with the more popular decentralised approach being adopted by other European countries.

Although the app is currently only being used by fewer than 100,000 people, evidence has already emerged of a phishing scam themed around the app. Phishing involves sending emails, texts or other messages mimicking a reputable sender to induce the target individual to reveal sensitive personal information, such as credit card or bank details.

Some members of the public have received SMS messages informing them that they may have been exposed to infection. The text reads: “Someone who came in contact with you tested positive or has shown symptoms for Covid-19 & recommends you self-isolate/get tested.”

The message then includes a URL for a website which demands personal details from the user; these could be used to gain access to bank accounts or commit other forms of identity fraud.

Scammers have been exploiting the coronavirus pandemic in a variety of ways, with Action Fraud reporting that Covid-19 themed scams have stolen at least £2m since March. The National Cyber Security Centre reported that it received over 160,000 reports of suspicious emails within two weeks of launching a new scam-busting service, many of which were Covid-19 related.

There are fears that more scams themed around the contact-tracing app will appear once the app is released nationally.

“We have witnessed a surge in Covid-19 related scams since lockdown began,” said Katherine Hart, CTSI lead officer. “This evidence is yet another example of scammers modifying their campaigns as the situation develops.

“I am especially concerned that scams themed around the contact-tracing app are already appearing, even though the official NHS app has only been released in a limited testing phase on the Isle of Wight.

“These texts are a way to steal personal data and may put the bank accounts of recipients at risk. If anyone receives texts or other kinds of messages like this, they should not click on any accompanying links and report them to Action Fraud.”