Industry experts warn of new Covid-19 scams including NHS Test & Trace scheme exploit

News by Andrew McCorkell

Cyber professionals are warning of new scams such as an SMS-phishing attack that tells people that they have been in contact with someone who has COVID-19.

Among a swathe of Covid-19 online scams an SMS-phishing attack has been used to fake text messages -  typically to link to a malicious site and ask a person to share personal information that can be used to commit identity fraud.  

An example of such a text message has been posted on Twitter.

The NHS has written specific guidelines on how they will contact people in the Test & Trace scheme.

Ben Tuckwell, district manager UK & Ireland at RSA Security said: “Fraudsters are known to thrive in times of crisis. With millions of people around the country working from home, in many cases distracted by young children, the truth is that they are sitting ducks for clever and timely phishing attacks.

“This particular smishing (SMS-phishing) attack makes great use of social engineering by exploiting the fact the track and trace services are making headlines and there is a generally heightened sense of fear; in all likelihood, at least some people will be fooled into thinking that the text message is legitimate.

"Consumers can protect themselves by acting smart and pausing to consider each communication they receive while remembering the three key smishing don’ts – don’t respond to texts from unknown or unusual numbers; don’t click on any links in text messages, and don’t share any banking information, usernames or passwords or other personal details after receiving a text message, unless you can verify who you are speaking with.”

With the manual track-and-trace high on the current coronavirus dominated news agenda, questions remain about the NHS contact tracing app, with many are worried about the cybersecurity risks it may pose.

David Shepherd, area VP at Ivanti, says that users must be educated on how cybercriminals may take advantage of the release of the app, using phishing and smishing campaigns.

He said: “Technology has played a large part in every stage of the country’s Covid-19 response so far. From video conferencing apps, which have enabled businesses to operate with a distributed workforce and allowed families and friends to stay in touch during these trying times, to the new focus on contact tracing technologies, which are like likely to be crucial in safeguarding people as the economy reopens and employees return to work.

“This pandemic has already seen a resurgence of fake news and an increase in cybercrime, with cybercriminals seeking to take advantage of the rise of certain technologies – look at the ‘Zoombombing’ phenomenon.

"And there are now fears cybercriminals will run phishing and smishing (phishing via SMS) campaigns using the guise of the NHS contact tracing process, with the app due to be released in June.

"Malicious actors may be able to lure unsuspecting people into handing over their credentials or payment information, under the pretence that they are downloading the official app or finding out information about it."

Meanwhile, with fraud victims losing an estimated £4.6 million to coronavirus-related scams, hackers are using the pandemic to take advantage of new online habits.

Kunal Anand, chief technology officer at Imperva shared advice on how individuals can mitigate future coronavirus-related scams and ensure their privacy is upheld.

He said: “With the majority of the UK still in lockdown and working from home, it is unsurprising to hear of the increased number of attacks which has sadly been put into perspective by the news that more than 2,000 victims have lost £4.6 million collectively to coronavirus-related scams.

"Now that we’re spending more time at home and online, we’re constantly receiving emails from our “family members” to click on a ‘funny’ video or from our “banks” letting us know their new policy updates.

"But what we need to remember is that our self-isolation during Covid-19 is actually supplying hackers with the opportunity to take advantage of our increasing online habits. 

"Some of the most effective methods to combat against attacks including spreading malware, such as spear phishing include setting up two-factor authentication, enforcing strict password management policies, and educating people on phishing and cyber threats."

Anand added that it is vital that we spread awareness, remind users to be sure that what they’re reading is what they think it is, and ultimately, to never click on a link that they don’t recognise. 

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews