The Chartered Trading Standards Institute (CTSI) reports a phoney email in NHS branding, informing the recipient that they can supposedly apply for a digital vaccine passport. The message claims that the so-called “Coronavirus Digital Passport” proves that you have been vaccinated against COVID-19 and “allow(s) you to travel safely and freely around the world without having to self-isolate.”
The email message links to a website built to look like an official NHS platform that asks the recipient to provide personal details, which could be used to commit identity fraud. This scam is not the first of its kind to use the theme of the pandemic as a vehicle, with fake tests, bogus business grants, homeworking scams, a Test and Trace scam, and others witnessed since the first lockdown in March 2020, says CTSI.
The vaccine passport scam arrives when the UK’s health services have launched legitimate vaccine passports, and while many are looking to travel for summer holidays.
Katherine Hart, a Lead Officer at CTSI, said: “This is yet another example of unscrupulous fraudsters taking advantage of the pandemic to line their pockets. We all hope that the summer brings some enjoyment after what has been a period of unprecedented challenges for everyone, but scammers want to ruin that. It is vital that we not only avoid these scams, but also report them to Action Fraud, or if in Scotland, contact Police Scotland. More data received means that the authorities can build a richer picture and identify the full scale of this serious issue.”
And Bruce Treloar, CTSI Lead Officer for Holiday and Travel Law, added: “Holidaymakers should keep up to date with the UK Government’s traffic light system for existing travel recommendations, and apply for an NHS COVID Pass if a resident of England or the respective systems for Scotland and Wales if resident in those nations. Digital health passports will go live in Northern Ireland this month.
“Holidaymakers should also search for providers that offer flexible booking policies in the event of traffic light changes. Doing this could potentially save holidaymakers money in the event of a colour change.”
Meanwhile, Toby Carlin, Senior Director of Fraud Consulting at the analytics firm FICO, says that more reporting and better collaboration are needed in the fight against delivery scams. He writes:
The ‘courier scam’ is a global issue that intensified late last year and presented another worrying trend in the new world of digital payments and card scams. Courier scams have long been a problem, but the threat has gathered momentum in recent months as fraudsters have found a lot of success and they will continue the ‘winning’ formula while they still can find a victim that will fall to their schemes. But why is this same attack repeated with such frequency and what can we do to be more resilient to the threat?
The attack is simple – an SMS or email comes out of the blue from an unknown number or address, notifying the target that they have missed a delivery and that it will need to be re-arranged. These typically reference the largest of the local delivery companies or even the central mailing services within the attack region. When the victim follows the link to re-arrange their fake delivery, they are asked for a host of information along with a fee for redelivery. These scams are very successful — here’s how they work:
1) A fraudster will always imitate a company to generate maximum potential to find a victim. This is why tax entities and home utilities are always a popular target for fraudsters, but during COVID-19 lockdowns, our lives were forced to be remote – which brought with it an increase in the use of courier services to meet the exploding demand of customers purchasing from e-commerce channels. Mix this increase in consumer demand with the fact that most customers purchase from a vendor they know, but they do not know who will be delivering the item, and you have a rich and varied target set for the fraudster.
2) Like many modern card and e-commerce frauds, the scam itself contains a range of attack vectors in a single place. This includes phishing of personal and account-level information as well as compromising the PAN / CVV for use in a fast-following fraud attack. It is also becoming more common that these attacks are part of a unified scam whereby high-value fraudulent goods are being ordered in the background, with the customer then tricked into completing the authentication steps prompted by their ‘redelivery’.
3) Creating a multi-layered and extremely convincing web page to mimic genuine services is easier than ever before. Mass communication methods by SMS or email are commonplace and often incredibly low cost – a service that is enjoyed by fraudsters and genuine companies alike. It is also quicker and easier than ever to purchase and design a high-quality web domain and even more troublesome is that in many instances, the design includes an offering for fraudulent mobile applications. All these schemes are low-cost, but highly effective.
The final point is the financial success to the fraudster. They can build and publish these scam web pages and send mass communications incredibly quickly with little to no checks completed prior to their on-boarding. These fraudulent services run as legitimate businesses until the point a customer reports the illegitimate service to law enforcement and industry groups in an attempt to stop the unlawful service. The enforcement activity is then to block access to those web domains, which requires a collaboration between ISPs to prevent more victims falling for the scam. All of this takes time, often several weeks, all the while the fraudsters continue to defraud more and more victims. Once they’re stopped, they can create a new attack.