Daily Mail

Don’t be fooled by the Covid cons

There couldn’t be a more callous abuse of our anxiety over the virus than the host of new scams preying on our fears. And as this investigation reveals, a glaring security flaw in the new Test and Trace system has given crooks a golden opportunity

- By Tom Kelly, Investigations Editor, moneymail@dailymail.co.uk

Scammers began capitalising on coronavirus to con victims out of cash almost as soon as the disease started spreading worldwide.

Fraudsters have been knocking on our doors, infiltrating our email inboxes and telephoning us in our homes — using the fear and confusion to steal from us.

But today Money Mail can expose how a shocking security flaw at the heart of the Government’s flagship Test and Trace programme puts us at even greater risk of fraud. Our investigation shows how it is possible to replicate the ‘secure’ NHS phone number used in every call within just 30 seconds using a website found through a simple Google search.

The deception, known as spoofing, allows callers to choose what number is displayed on the recipient’s phone.

It means fraudsters can make it appear as if they are from the NHS — when actually they are calling from an entirely different number.

And those contacted genuinely from the official 0300 number cannot phone back to check it — because the line does not accept incoming calls. Using this veneer of legitimacy, criminals can target vulnerable and elderly victims, trick them into divulging personal information and then plunder their bank accounts.

Hundreds of thousands of people are expected to be contacted under the Test and Trace programme, which aims to limit the spread of coronavirus by finding those who have come into contact with someone who has become infected and telling them to isolate.

But last night, police chiefs and MPs warned that it is ‘hopelessly open to fraudsters’. On Facebook, there have already been warnings about calls being made by scammers purporting to be from NHS Test and Trace. Fraudsters tell victims they have been exposed to an infected person and have to pay £50 for a Covid-19 test kit.

The swindlers claim that failure to provide debit card details to pay for the test is a criminal offence. But the claims are a complete scam — all tests are free in Test and Trace.

Money Mail has previously revealed how call spoofing is an easy but devastating ploy used by scammers to pose as banks, tax officials and other government bodies to steal hundreds of millions a year from victims.

In 2018 we reported how an elderly woman lost £20,000 after taking a call from a man purporting to be from Barclays. He told the 88-year-old that fraudsters were attempting to raid her account.

When she asked him to prove it was a genuine call, he said he would ring back using the number on the back of her card.

When he did, the real Barclays customer services number flashed up on the victim’s phone so she believed he was who he said he was and transferred the money as instructed.

Despite the easy abuse of the system, the NHS lists the 0300 number on its site and stresses that only Test and Trace staff will call from it.

It says information patients provide during the subsequent conversation will be held in ‘strict confidence’. However, West Midlands Police and Crime Commissioner, David Jamieson, says it is ‘staggering’ that the Government had made the number public so that criminals could clone it and use it.

He says: ‘It presents a serious danger to ordinary people, particularly to those who are just that little bit more vulnerable.

‘At the lowest level it’s open to pranksters and people playing tricks, and, at a more serious level, to those perpetuating hate crime or harassing people. At a very serious level, it opens the door for criminals to contact people and attempt to get very sensitive information from them.

‘It’s absolutely fraught with risk. They haven’t thought it through.’

Soon after Test and Trace’s launch late last month, warnings appeared on social media that scammers appeared to be exploiting it.

The Mail tested these concerns with a spoofing service which allows people to change their caller ID. The site, which we are not naming, describes itself as a tool for making prank calls, explaining: ‘You can change your caller ID, so when you call someone he sees on his caller ID display the number you selected.’

It sounds like harmless fun, but for just 75p per minute, plus an access charge, reporters were successfully able to use the site to call a mobile phone and make it look as if the call was coming from the NHS Test and Trace number.

Jenny Harries, the deputy chief medical officer, has previously insisted that people would be able to know if they were being called by Test and Trace as ‘it will be very obvious in the conversation that you have with them that they are genuine’.

But Rosie Cooper, a Labour MP and member of the social care select committee, says: ‘You wouldn’t know by just talking to someone, so you would need a number to go back to. I’m absolutely shocked by how easy it is to pretend to be from Test and Trace.

‘The whole system seems to be undermined by the fact that there’s no way of verifying callers. How do you know it’s genuine?’

On its website, the NHS makes clear that the Test and Trace service will not ask for bank details or payments, details of any other accounts, such as social media, or to set up a password or a PIN number over the phone — or to call a premium rate number, such as those starting 09 or 087.

But Mr Jamieson says, while correct, this advice was about 20 years out of date.

‘The fraudsters are well beyond that stage,’ he says. ‘Where they are now is offering people to click onto a website and that’s when they’ll probably invade your computer and steal your identity and possibly be able to drain your bank account within half an hour.

‘The fraudsters are far more sophisticated than the advice that is being given out by the Home Office.’

Action Fraud says that scams involving the virus have already claimed more than £5 million from victims.

In Scotland, the phone number used to call people under its equivalent ‘Test and Protect’ strategy has not been announced publicly.

However, concerns have still been raised by consumer campaigners and Age Scotland that it could be hijacked by fraudsters who call claiming to be from the service — to obtain private information.

First Minister Nicola Sturgeon promised that the Scottish Government would take steps to ensure security.

Last year a Daily Mail investigation revealed how a gang of fake taxmen operating from India were spoofing genuine HMRC numbers to target 10,000 UK victims a day.

A Department of Health and Social Care spokesman says: ‘NHS Test and Trace is vitally important to prevent the further spread of Covid-19. We have been working with the police and the National Cyber Security Centre, who have advised on measures to keep the public safe.

‘Official NHS Test and Trace contact tracers will never ask you for financial details, PINs or passwords. They will also never visit your home.’
