#COVID19 Test and Trace Could Lead to Phishing Deluge

Security experts are warning of a potential deluge of mobile SMS-based phishing attacks as the UK’s Test and Trace service launches to diminish a potential second wave of COVID-19 infections.

The government scheme will involve having contact tracers reach out via email, text or telephone to those they believe to have been in contact with someone who has the virus, asking them to self-isolate.

According to the NHS, those who have been contacted this way “will not be asked to provide any passwords, bank account details or PIN numbers”, nor must they download anything. However, they may need to submit their full name, date of birth, sex, NHS number, home postcode and house number, telephone number and email address. This information will be more than enough to craft highly effective follow-on attacks and identity fraud.

There are therefore fears that those who are older and more vulnerable may still find themselves tricked into handing over their information or unknowingly downloading malware. Experts are already warning of unsolicited text messages claiming that the recipient may have had contact with a patient, urging them to click through a malicious link for more information.

One UK-based social engineering company, The AntiSocial Engineer, discussed how easy it is to register a convincing fake domain and spoof Sender IDs to launch an SMS phishing campaign.

“We have closely followed SMS-based scams since our company was founded and sadly many contributing factors seem to be exacerbating text message fraud. One key trend is that email security is getting better and it’s harder for criminals to reach the inboxes and conduct phishing scams,” the company explained.

“SMS is the perfect solution to this problem as only the bare minimum is being done in this sector to stop fraudsters. Messages land straight in the target’s inbox all the same. Criminals can reach out to thousands of people at once and if you don’t understand about Sender ID spoofing you are an easy target.”

RSA Security’s district manager UK & Ireland, Ben Tuckwell, made the point that UK adults are “sitting ducks” for these scams, which exploit heightened concern over the virus.

“Consumers can protect themselves by acting smart and pausing to consider each communication they receive while remembering the three key smishing don’ts: don’t respond to texts from unknown or unusual numbers; don’t click on any links in text messages; and don’t share any banking information, usernames or passwords or other personal details after receiving a text message, unless you can verify who you are speaking with,” he added.