Security experts are warning of a potential deluge of mobile SMS-based phishing (smishing) attacks as the UK’s Test and Trace service launches to mitigate a potential second wave of COVID-19 infections.
The government scheme will require contact tracers to proactively reach out via email, text or phone call to anyone they believe has been in contact with someone with the virus, to ask them to self-isolate.
The NHS has said that anyone contacted in this way “will not be asked to provide any passwords, bank account details or PIN numbers” or asked to download anything. However, contact tracers may require full name, date of birth, sex, NHS Number, home postcode and house number, telephone number and email address, which is more than enough to craft highly effective follow-on attacks and identity fraud.
There are therefore fears that older and more vulnerable members of society in particular may still be tricked into handing over their details or unwittingly downloading malware.
In fact, experts are already warning of unsolicited text messages claiming the recipient may have been in contact with a COVID sufferer and urging them to click through on a malicious link to find out more.
Bogus text messages were also sent out during the trial of the UK's contact tracing app on the Isle of Wight.
One UK-based social engineering company, The AntiSocial Engineer, explained in a blog post over the weekend how easy it is to register legitimate-looking but fake domains and spoof Sender IDs to launch a smishing campaign.
“We have closely followed SMS-based scams since our company was founded and sadly many contributing factors seem to be exacerbating text message fraud. One key trend is that email security is getting better and it’s harder for criminals to reach the inboxes and conduct phishing scams,” the company explained.
“SMS is the perfect solution to this problem as only the bare minimum is being done in this sector to stop fraudsters. Messages land straight in the target’s inbox all the same. Criminals can reach out to thousands of people at once and if you don’t understand about Sender ID spoofing you are an easy target.”
RSA Security’s district manager UK & Ireland, Ben Tuckwell, argued that UK adults are “sitting ducks” for such scams, which exploit a heightened sense of concern over the virus.
“Consumers can protect themselves by acting smart and pausing to consider each communication they receive, while remembering the three key smishing don’ts: don’t respond to texts from unknown or unusual numbers; don’t click on any links in text messages; and don’t share any banking information, usernames or passwords or other personal details after receiving a text message, unless you can verify who you are speaking with,” he added.
A new survey from iProov out today reveals that a quarter (26%) of Brits feel more vulnerable to hackers as a result of COVID-19.