Update on criminal scams exploiting COVID-19
Action Fraud says UK citizens had lost over £11 million to coronavirus-related scams by 8 July.
Criminals are experts at impersonating people, businesses and the police. The coronavirus outbreak means more people are online than ever before, and hackers are taking full advantage.
NHS Test and Trace
NHS contact tracers will ask for your name, date of birth and postcode, but
- They won’t ask for bank details or social media accounts
- They won’t ask you to set up a PIN or to pay anything
- They won’t ask you to download anything or to call any number starting 09 or 087
The only website the real NHS Test and Trace will ask you to go to is the government website contact-tracing.phe.gov.uk – you can find it by searching in the NHS.uk website.
Fake lockdown fines
Emails pretending to be from the government, saying they’ve monitored your movements through your phone, and you must pay a fine for breaking lockdown.
Fake payments or refunds
Messages from the government, HMRC or the council offer you free school meals, or council tax reductions, or other refunds or payments. There are also fake refunds on travel and holidays. They are all designed to steal your bank details.
Texts and emails pretending to be from TV Licensing offer you six months free – or say your recent direct debit has failed. If you click on the link, you go to a phishing website which tries to persuade you to give personal and banking details. TV Licensing says they will always include your name and part of your postcode in messages to you. Go separately to tvlicensing.co.uk if you want to contact them.
WhatsApp messages asking for your code.
Someone who has your phone number registers your WhatsApp on their phone. They ask you to forward the verification code to them. If you do, they can access all your WhatsApp messages and contacts.
Vouchers and free gifts
- A supermarket or big brand offers you a chance to win free vouchers, or free shopping.
- Your favourite celebrity or football club offers you a free gift as a thank you for your support.
The links they send go to a phishing website, designed to steal your personal and financial information.
Blackmail bitcoin scam
This blackmail scam has also been around for some time, but has recently seen a big surge.
You get an email with one of your passwords in the subject line, saying the hacker has recorded your computer visits to adult (pornography) websites. You must pay bitcoin or they’ll reveal the details to friends, family and co-workers.
All they actually have is your email and old password. (There have been some big leaks in the past few years.)
They don’t have access to your computer, or your webcam, and they haven’t infected your device with software. These are all part of the story, aimed at scaring you into paying them. Bitcoin can’t be traced, which is why they want payment that way.
- The password is probably an old one, but if you’re still using it anywhere, change it.
- You can check on HaveIBeenPwnd.com to see if your email address or password have been part of a leak in the past.
- Make sure you use different passwords for your different accounts so if one password is leaked, the other accounts are OK.
- Coronavirus emails have links that can infect your device with computer viruses, and steal your banking or other information. Emails may offer to help you to claim money, to give special information about benefits, vaccines or cures. One email offered to give a list of all the people infected in a particular area. Another example had a Word document attached with specific industry information. The Word document had malware embedded – the same malware that was used for ransom attacks last year.
- Be careful of messages asking you to ‘share this information urgently with all your friends’. If they don’t come from Public Health England, the World Health Organization or the NHS, there’s a good chance that they’re fake.
- There are plenty of criminals selling things which don’t exist, from holidays, cars and mobile phones to puppies and hot tubs. If you buy online, buy from websites you know and trust – or check them out (Trustpilot is a good place to start). Pay by credit card or PayPal: these give you extra protection. And don’t do anything in a rush.
- If you have vulnerable neighbours who may be targeted by doorstep criminals, please look out for them. Some fake NHS workers offer door-to-door coronavirus tests, and steal whatever they can. Others knock on doors and offer to do shopping – they take the money and never come back. There are also companies that charge huge sums to clean drives and doorways ‘to kill off the virus’.
Criminals create web sites that look real, so they can take your banking details.
Even if you think an email is genuine, don’t click on the link. Instead, search for the organisation in your browser, so you can make sure you get to the right website.
- Some websites sell face masks or hand sanitiser, which never arrive. If something is especially cheap, be suspicious. Most likely the site will take your money and the goods will never arrive. (You should also think whether they could make something super-cheap and still pay the legal minimum wage. If it could be made with slave labour, don’t buy it.)
- Some criminals send emails asking you for money for the NHS, or to fund a new vaccine, or for the World Health Organization.
- The little padlock symbol and ‘https’ in the url (top bar) confirms that your information is encrypted when you send it. However, they don’t guarantee that the website is genuine.
- Do you have to take action urgently? Criminals want you to act quickly, without giving you time to think.
- Does the message make you feel worried, hopeful, or curious? Threats or teases are designed to make you respond.
- Sometimes dodgy speelling, grammer and Punctuation are deliberate. They filter out people who read things carefully, so the people who do click are more likely to fall for the scams.
- Is the email addressed to you personally, or is it to ‘Dear friend’ or ‘Valued customer’?
- Have you ever heard from this organisation before? If you have, does the email look like other emails you’ve had from the same organisation?
- Does the email ask for personal information, bank account details, passwords, or your PIN number? Or does it ask you to click on a link or open an attachment?
Scam phone calls and texts
- If you get an automated call which asks you to press buttons on your phone, just hang up.
- Beware of anyone who asks you to pay by bank transfer.
- Neither your bank nor the police will ever ask you to give bank details over the phone. And they will never ask you to transfer money to another ‘safe’ account.
- If you are uncertain, offer to call the person back. Check them online, and talk to a friend or relative, before you do.
- Never install any software, or give anyone access to your computer, if they have called you. If you want help with your computer, check reviews online and talk to friends and colleagues before you contact someone.
To check if a link is fake
Scammers can make it look as if they’re calling from a different number, so don’t trust the number that appears to be calling.
- On a desktop computer or laptop, hover over the link with your mouse (but don’t click it) to see the real web address you’re being sent to.
- On a smartphone, press and hold on the link to see the name. Keep pressing and move away from the link before you let go.
- You can get link scanners – websites which let you enter the url of a suspicious link to check it eg Norton SafeWeb and ScanURL.
For more information
- Citizen’s Advice has an online checker which can give you specific advice for checking if something is a scam.
- Think Jessica has information about postal fraud.
- The National Crime Agency is supporting the national Take Five to Stop Fraud campaign, to prevent email, online and phone-based fraud.
- National Trading Standards lists some of the recent coronavirus scams.
- There are more tips, plus advice on what to do if you have clicked on something suspicious, on the National Cyber Security Centre website.
- See the Action Fraud website for up-to-date news about scams.
- The Bank of Scotland has a useful list of tips for safe online shopping.
- You can get the latest coronavirus updates on WhatsApp for free from the UK government or the World Health Organization.
If an email doesn’t address you by name, it’s probably fake.
Please note: VGC emails
- Any emails from VGC about the coronavirus job retention scheme will be addressed to you personally.
- From 16 April, we will include your name in all our staff update emails.
- Your payslip will always include your last name in the name of the pdf attachment.