A Naked Security reader in the UK alerted us to a scam they received this afternoon in a text message.
The message claimed to come from the NHS, Britain’s National Health Service, which administers coronavirus vaccinations and provides free testing throughout the country:
As you probably know, PCR tests, which currently require processing in a laboratory, are considered more accurate than self-administered lateral flow tests.
Indeed, PCR tests are both advised and free in the UK if you already have coronavirus symptoms, or have been in contact with someone who’s infectious.
You can have a one-off test set sent through the mail, and post the completed test out to the lab for processing, but that adds time until you get the result – and if the test is positive but you don’t yet have any symptoms, that in turn adds time to your mandatory isolation period.
So, as you can imagine, for anyone who is self-employed but who needs to be out and about for their job – plumbers, electricians, care workers, painters and dozens of other professions – a home testing device that could reduce the time to receive a trustworthy result would be very useful.
We have no idea if such a consumer device could affordably be made, and if so whether the results could reliably and securely be validated online, but in a world in which retail companies can deliver esoteric products to your doorstep within hours and securely receive payment, in which telephones include high-resolution video cameras that can stream the images worldwide in real time, and in which private citizens can buy joyrides into space, we’re going to assume that there aren’t any insurmountable technological reasons that would make this a laughable idea.
Even better, for people who are self-employed and visit lots of other houesholds to do their jobs, is that a home testing device could allow workers to test so rapidly and reliably that they might even be able turn up at their appointments with a fresh and verifiable “COVID test pass” performed that very morning.
So you can understand why people who received the message above might have considerable interest in checking it out.
What to do?
We hope you’d spot this for a scam right away, but you can see why it was worth the while of the crooks to try it out.
After all, the UK government is an enthusiastic user of text messages for numerous purposes, including 2FA, reminders, notifications and more, so SMSes from government departments are not a rarity.
Indeed, you can’t book a coronavirus test online without providing a mobile phone number in advance, ready to receive the test results by text.
So, if you’re tempted to click through just in case, ask yourself the following questions first:
- Is the story likely? No. Test results may come by SMS, but offers of amazing new experimental medical equipment don’t!
- Does the link look likely? No. NHS links usually end NHS dot OK, wereas this one has a weird-looking dot COM address.
- Do I need to click the link at all? No. Even if the link were genuine, you should be able to ignore the link and find your own way to the right place.
We’d be happy to show you what this scam looked like if you did click through, but we’re happier still to tell you that the website currently isn’t working properly.
The domain is brand new, registered just this morning; the HTTPS web certificate was issued at 7am today; and the web server is active and accepting connections…
…but all we could coax out of it was a short list of filenames, and a page that said
(In case you’re wondering, the web page that says
Error 600 actually had a HTTP response code of 200.
Error 600 is meaningless, because there aren’t any HTTP codes above 599.)