Don’t be fooled by the Covid cons: We expose Test and Trace scam

Scammers began capitalising on coronavirus to con victims out of cash almost as soon as the disease started spreading worldwide.

Fraudsters have been knocking on our doors, infiltrating our email inboxes and telephoning us in our homes — using the fear and confusion to steal from us.

But today Money Mail can expose how a shocking security flaw at the heart of the Government’s flagship test and trace programme puts us at even greater risk of fraud. 

A scam known as spoofing allows callers to choose what number is displayed on the recipient’s phone. It means fraudsters can make it appear as if they are from the NHS

Our investigation shows how it is possible to replicate the ‘secure’ NHS phone number used in every call within just 30 seconds using a website found through a simple Google search.

The deception, known as spoofing, allows callers to choose what number is displayed on the recipient’s phone.

It means fraudsters can make it appear as if they are from the NHS — when actually they are calling from an entirely different number.

And those contacted genuinely from the official 0300 number cannot phone back to check it — because the line does not accept incoming calls. 

Fraudsters are telling victims they have been exposed to an infected person and have to pay £50 for a Covid-19 test kit

Fraudsters are telling victims they have been exposed to an infected person and have to pay £50 for a Covid-19 test kit

Using this veneer of legitimacy, criminals can target vulnerable and elderly victims, trick them into divulging personal information and then plunder their bank accounts.

Hundreds of thousands of people are expected to be contacted under the Test and Trace programme, which aims to limit the spread of coronavirus by finding those who have come into contact with someone who has become infected and telling them to isolate.

But last night, police chiefs and MPs warned that it is ‘hopelessly open to fraudsters’. On Facebook, there have already been warnings about calls being made by scammers purporting to be from NHS Test and Trace. 

Fraudsters tell victims they have been exposed to an infected person and have to pay £50 for a Covid-19 test kit.

The swindlers claim that failure to provide debit card details to pay for the test is a criminal offence. But the claims are a complete scam — all tests are free in Test and Trace.

Money Mail has previously revealed how call spoofing is an easy but devastating ploy used by scammers to pose as banks, tax officials and other government bodies to steal hundreds of millions a year from victims.

In 2018 we reported how an elderly woman lost £20,000 after taking a call from a man purporting to be from Barclays. He told the 88-year-old that fraudsters were attempting to raid her account. 

And the other corona tricks to look out for 

Doorstep danger 

Communities are being warned of a rise in criminals preying on older or vulnerable people isolated from family and friends.

Fraudsters are reportedly gaining access to homes by offering to take residents’ temperatures or to sell virus tests, masks and hand sanitiser.

National Trading Standards has also warned of criminals posing as charity workers and volunteering to do people’s shopping. The agency has urged people to be vigilant and ask for ID from anyone who claims to represent a charity.

Fake Businesses

 Fraudsters are also targeting cashstrapped businesses applying for emergency funds. Cyber-criminals send emails purporting to be from HMR C, asking firms to give out bank details in order to access the Government’s coronavirus job retention scheme.

Scammers are also posing as the police and issuing fines to businesses via email for ‘trading unlawfully’ during the pandemic.

Phishing on rise

These are emails that try to trick recipients into clicking on links that download viruses or give away passwords.

Action Fraud has flagged messages mimicking organisations such as the U.S. Centers for Disease Control and Prevention and the World Health Organization.

As world leaders announced economic stimuli to mitigate losses, reports of fake messages from HMR C offering ‘goodwill payments’ of up to £258 surfaced almost immediately. 

When schools closed, the Department for Education warned of a scam email designed to steal bank details. Councils soon began warning of a text scam trying to dupe residents into paying fake fines for breaking lockdown rules.

Holidaymakers are also told to be wary of scam websites set up to claim refunds on cancelled trips.

The Chartered Trading Standards Institute (CTSI ) flagged an email pretending to offer £500 Aldi vouchers. Action Fraud reported a similar scam in Tesco’s name. 

CTSI lead officer Katherine Hart says: ‘This kind of scam is an old one, but scammers have updated the theme to reflect the coronavirus pandemic.’

Savers targeted

Savers have been urged to avoid making rash pension decisions as criminals look to exploit fears over market turmoil. Some phishing emails have targeted investors starved of income. Others advertise ‘early access’ pension offers, according to Tom Selby of AJ Bell.

Many claim to guarantee sky-high returns. This month, the Pensions Regulator, the Financial Conduct Authority and the Money and Pensions Service issued a joint statement urging people not to make snap decisions about pensions in the crisis.

Meanwhile, Britons have been swindled out of more than £800,000 attempting to buy fake masks online, says the National Fraud Intelligence Bureau.

Criminals are also reportedly flogging potentially harmful hand sanitiser containing glutaral (or glutaraldehyde), which was banned for human use in 2014.

Miracle cure lies

Don’t sign up for virus testing kits, vaccines or miracle cures. Only the NHS is providing certified tests and there are currently no vaccines or cures.

Anyone self-isolating and running low on food or medical supplies should contact their council. Do not accept services being offered by strangers.

Government departments and health agencies will not send emails with links to click on and if you’re getting an email from an organisation you are already a member of, it will normally address you by name.

Check the source of emails and the information it is providing by going to the relevant official website — for example, the gov.uk address.

If you think you have been a victim, report it to Action Fraud (0300 123 2040). You can also tell your bank or credit card provider if you have transferred any funds by mistake.

Never hand over personal information, such as your bank details, to someone who has called you out of the blue — even if they say that they are from a legitimate organisation.

When she asked him to prove it was a genuine call, he said he would ring back using the number on the back of her card.

When he did, the real Barclays customer services number flashed up on the victim’s phone so she believed he was who he said he was and transferred the money as instructed.

Despite the easy abuse of the system, the NHS lists the 0300 number on its site and stresses that only Test and Trace staff will call from it.

How to beat the blaggers 

If you receive a call from test and trace and suspect it might be a scam, or would rather not take the risk, ask for an email or a text instead.

The message should direct you to: https://contact-tracing.phe.gov.uk/

While it is possible for criminals to fake official phone numbers, they cannot fake official website addresses.

The address bar should also have a small padlock symbol next to it, showing that the website connection is secure.

If you see a different address, close the window immediately.

Remain vigilant, however, as fraudsters sometimes buy web addresses very close to the real address to dupe victims.

Genuine tracers will be able to provide you with an account ID during the call, or it will be in a text or email sent to you.

It says information patients provide during the subsequent conversation will be held in ‘strict confidence’. 

However, West Midlands Police and Crime Commissioner, David Jamieson, says it is ‘staggering’ that the Government had made the number public so that criminals could clone it and use it.

He says: ‘It presents a serious danger to ordinary people, particularly to those who are just that little bit more vulnerable.

‘At the lowest level it’s open to pranksters and people playing tricks, and, at a more serious level, to those perpetuating hate crime or harassing people. At a very serious level, it opens the door for criminals to contact people and attempt to get very sensitive information from them.

‘It’s absolutely fraught with risk. They haven’t thought it through.’

Soon after Test and Trace’s launch late last month, warnings appeared on social media that scammers appeared to be exploiting it.

The Mail tested these concerns with a spoofing service which allows people to change their caller ID. 

The site, which we are not naming, describes itself as a tool for making prank calls, explaining: ‘You can change your caller ID, so when you call someone he sees on his caller ID display the number you selected.’

It sounds like harmless fun, but for just 75p per minute, plus an access charge, reporters were successfully able to use the site to call a mobile phone and make it look as if the call was coming from the NHS Test and Trace number.

Jenny Harries, the deputy chief medical officer, has previously insisted that people would be able to know if they were being called by Test and Trace as ‘it will be very obvious in the conversation that you have with them that they are genuine’.

But Rosie Cooper, a Labour MP and member of the Social Care Select Committee, says: ‘You wouldn’t know by just talking to someone, so you would need a number to go back to. I’m absolutely shocked by how easy it is to pretend to be from Test and Trace.

Spoofing allows callers to choose what number is displayed on the recipient's phone, meaning fraudsters can make it appear as if they are from the NHS

 Spoofing allows callers to choose what number is displayed on the recipient’s phone, meaning fraudsters can make it appear as if they are from the NHS

‘The whole system seems to be undermined by the fact that there’s no way of verifying callers. How do you know it’s genuine?’

On its website, the NHS makes clear that the Test and Trace service will not ask for bank details or payments, details of any other accounts, such as social media, or to set up a password or a PIN number over the phone — or to call a premium rate number, such as those starting 09 or 087.

But Mr Jamieson says, while correct, this advice was about 20 years out of date.

‘The fraudsters are well beyond that stage,’ he says. ‘Where they are now is offering people to click onto a website and that’s when they’ll probably invade your computer and steal your identity and possibly be able to drain your bank account within half an hour.

‘The fraudsters are far more sophisticated than the advice that is being given out by the Home Office.’ Action Fraud says that scams involving the virus have already claimed more than £5 million from victims.

In Scotland, the phone number used to call people on in its equivalent ‘Test and Protect’ strategy has not been announced publicly.

However, concerns have still been raised by consumer campaigners and Age Scotland that it could be hijacked by fraudsters who call claiming to be from the service — to obtain private information.

First Minister Nicola Sturgeon promised that the Scottish Government would take steps to ensure security.

Last year a Daily Mail investigation revealed how a gang of fake taxmen operating from India were spoofing genuine HMRC numbers to target 10,000 UK victims a day.

A Department of Health and Social Care spokesman says: ‘NHS Test and Trace is vitally important to prevent the further spread of Covid-19. We have been working with the police and the National Cyber Security Centre, who have advised on measures to keep the public safe.

‘Official NHS Test and Trace contact tracers will never ask you for financial details, PINs or passwords. They will also never visit your home.’

[email protected]

Some links in this article may be affiliate links. If you click on them we may earn a small commission. That helps us fund This Is Money, and keep it free to use. We do not write articles to promote products. We do not allow any commercial relationship to affect our editorial independence.