UK’s contact-tracing app targeted by scammers

Even though it is only operational on the Isle of Wight as a beta test, the UK government’s coronavirus contact-tracing app has already attracted the attention of cyber criminals

People across the UK are being targeted by scam SMS text messages linked to the government’s Covid-19 coronavirus contact-tracing app, even though the app itself is only officially available to testers on the Isle of Wight.

This is according to the Chartered Trading Standards Institute (CTSI), which has issued a warning about the fraudulent texts.

The organisation’s lead officer, Katherine Hart, told the BBC she had received such a phishing text herself, and said that people all over the country had reported getting them.

“We have witnessed a surge in Covid-19-related scams since lockdown began. This evidence is yet another example of scammers modifying their campaigns as the situation develops,” said Hart.

“I am especially concerned that scams themed around the contact-tracing app are already appearing, even though the official NHS app has only been released in a limited testing phase on the Isle of Wight.

“These texts are a way to steal personal data and may put the bank accounts of recipients at risk. If anyone receives texts or other kinds of messages like this, they should not click on any accompanying links, and report them to Action Fraud.”

The scam texts inform their recipients that they have come into contact with somebody who has tested positive for Covid-19 and directs them to a fake website that asks them to input personal details. Although the official app does contact people it will not require you to enter any personal details of this nature.

Read more about phishing

  • Of 292 websites removed since lockdown began on 23 March, 237 were proactively identified by HMRC and 55 were flagged by the public.
  • A new report highlights the brands which are being most frequently spoofed by cyber criminals in phishing attacks.
  • Follow these best practices to properly prepare for ransomware and phishing attacks, as well as further steps to stay secure in the face of a pandemic or widespread health event.

Cofense threat intelligence manager Mollie MacDougall, said the example of SMS phishing seen by CTSI was almost certainly just the tip of a much larger iceberg for threat actors abusing the contact-tracing app narrative for malicious intent. She warned that the targeting of individuals, and possibly also businesses, using the contact-tracing theme would probably increase.

“As the impacts of Covid-19 unfurl, so too do the phishing themes. Just last week we found phishing emails aimed at business, claiming that a colleague had passed away or fallen ill as a result of coronavirus, aiming to harvest users’ passwords and personal information through a malicious attachment,” said MacDougall.

“This is one of several themes related to the pandemic. Threat actors are willing to go to any psychological length to attract their victims, but it is important to exercise the utmost caution and restraint in the face of emotionally jarring emails or text messages. Be aware of the fact that phishing scams are abundant, and if something about a message seems off, remember that it very likely is.”

“This example is particularly malicious and abhorrent, given that it plays on the NHS’ new contact-tracing app, which could potentially be rolled out to a huge percentage of the UK,” she added.

The contact-tracing app currently undergoing testing is supposed to be rolled out across the rest of the country within the next month, according to health secretary Matt Hancock.

However, with the app dogged by concerns over its impact on data privacy and human rights, and growing indications that the project may be fundamentally altered in some form.

Read more on Hackers and cybercrime prevention