Beware of COVID Pass scams

Beware of COVID Pass scams

You’ve likely seen fake parcel delivery texts in the news recently, and we’ve covered a few of these ourselves. SMS missives claim a package is waiting to be delivered, and a small processing fee is required. There is no package; it’s a ruse to have people hand over their credit card details. It’s been wildly successful during lockdown, at a time when many are having to order almost everything they can online.

This isn’t the only bogus SMS message doing the rounds, however. COVID-19 is proving to be a a crucial piece of bait for this kind of tactic as we’ll see below.

The road to a (non-existent) COVID Pass

This attack is aimed at residents of the UK. It makes use of social engineering in a similar fashion to other pandemic-themed SMS texts, with a strong psychological aspect tied in for good measure.

This one works as follows:

  1. SMS messages are sent to unsuspecting individuals.
  2. The linked site is HTTPs, to give that added sheen of “this is the real website, because it’s got a padlock”. Hopefully you know that a padlock does not mean you can trust a website, many don’t.
  3. The site design imitates the usual look and feel of NHS websites, specifically those related to COVID-19. Here’s an example of the real thing.
  4. The scammers ask for a lot of details across multiple pages, beginning with “the exact name used when you registered with your GP surgery”. From there, they ask for date of birth, post code, and an address where they can deliver “your Covid pass credentials to be registered on our NHS app”. After this, they request “a payment of £4.99 to process your Covid Pass application”.

This doesn’t get a free pass to your bank account

It’s important to note that the UK does have an actual Covid Pass system in place. There’s a proper process in place, and it doesn’t involve handing money over to random websites. It’s also worth noting there’s been a number of other scams along these same lines.

Should you receive one of these text messages, you can safely ignore it and report for spam while you’re at it.