NHS / WIRED
The UK’s successful coronavirus vaccine rollout is about to pick up even more speed. From today, 440,000 people over the age of 55 and unpaid carers will start to receive text messages inviting them to book an appointment to be vaccinated against Covid-19 at one of more than 300 large-scale vaccination centres across England. They’re likely to be the first of millions to receive the messages.
The text messages, which are part of a trial to speed up the rollout of invitations, will sit alongside the letters people have received so far, inviting them to book their appointments for vaccinations. Stephen Powis, the NHS’s national medical director, says it will be “a quick and easy service” that he hopes will make it “more convenient” for people to get their vaccines. If successful, NHS England hopes to continue the trial as it offers more flexibility to provide demand to meet variable vaccine supply.
Yet it’s also a potential boon for cybercriminals already capitalising on people’s fear of the coronavirus, and their desperation to return to some semblance of normality. “It’s a good idea, but it’s also mixed,” says Abigail McAlpine, associate lecturer in cybersecurity at Sheffield Hallam University. “There isn’t as much education around scams as there needs to be. Many people don’t know how to check texts or emails you may think could be suspicious.”
The NHS is aware of potential scams. It has stressed that all legitimate messages will come from ‘NHSvaccine’ and link to the NHS.uk website. NHS England also said that recipients could be assured of the safety of the text messages because they would be sent using the government’s Notify service – a messaging platform that’s used by 4,182 services and 986 organisations.
Nikki Kanani, a GP and NHS medical director for primary care, says that legitimate texts inviting people to book a vaccine appointment will never ask for bank account details, such as credit card numbers or PINs. However, social engineering experts worry the new method of contacting patients inviting them to come forward will open up new avenues for those seeking to take advantage of people’s desperation to be protected from Covid-19.
“I can’t think of a stronger example everyone is invested in than this vaccination,” says McAlpine “Most people want to get the vaccination, get out of the way and move on from this pandemic. People are rightly excited about this vaccine, and that unfortunately leaves them in a position where they can fall victim.”
Since the pandemic started scammers and criminals have pivoted their work to take advantage of the health emergency – both through phishing email scams and also SMS scams. Data compiled by cybersecurity analysts Webroot shows a 336 per cent increase in the use of the word “vaccine” in suspicious domain names, which were used to launch phishing attacks, between March and December 2020. Of the 4,500 suspicious domains Webroot tracked in the first month since Margaret Keenan became the first person in the world to receive a Covid-19 jab outside of a trial, around one-fifth included the word “vaccine”. Other high-growth areas for scammers included domains with “covid” or “test” in the URL.
“The go-to scam is: ‘You’ve been invited for a vaccine, please register’,” says Richard De Vere of The Antisocial Engineer, a Barnsley-based social engineering consultancy. “It asks for your first name, your date of birth, your credit card number, and the last three digits on the back of the card – which of course they’re only using for information, never to take money,” he sarcastically adds.
De Vere can see why the NHS is adopting the use of text messages. “In this market, text messages are king,” he says. “The NHS have all the data and the numbers. They can send out thousands of messages an hour.” It’s undoubtedly the quickest and most efficient way to contact a vast number of people, but it does help blur the line between legitimate messages and scam ones.
Until now, the government and the NHS have been able to say to people that any texts purporting to be from the NHS inviting them to book a vaccine are not from them – unless they’re from local GP surgeries, which have been inviting people to book vaccines at smaller centres through text messages, if they have phone numbers for patients. Now people will have to rely more on their intuition when receiving messages purporting to be from the NHS.
“With the government supporting that plan, [the number of scams is] only going to grow,” says De Vere. “We’ve already seen growth without the government meeting them halfway.” Action Fraud, the UK’s national fraud reporting centre, tweeted a warningt for people to be vigilant against email- and text-based scams around coronavirus vaccines just yesterday.
Tricking people can be incredibly simple. De Vere told me he was going to take the information the NHS provided in a press release about the text message rollout and see if he could replicate the message when we spoke. Twenty minutes later, I received a message from “NHSvaccine”. “Hello Mr Stokel-Walker,” it said. “You may now book your COVID-19 vaccination. Please see http://contact-tracing.phe-gov.uk. NHS Vaccine Service.”
At a glance, it is convincing. I believed the message for a second, thinking it might just be a coincidence that it arrived shortly after De Vere said he was going to try to spoof it. I sent him a screenshot and asked whether it was his doing. “Click it, it’s harmless,” he replied. I did; the link took me to his website. “And we just had that conversation,” De Vere added. “Imagine Roger, aged 48, who hasn’t got a clue.”
The sender’s name of the message De Vere sent was “NHSvaccine”, as NHS England’s legitimate one would be. There were two unusual things about it though. The first: the URL included the domain name “phe-gov.uk”, which isn’t legitimate. Second: in his haste De Vere had misspelt my surname accidentally.
Carefully checking URLs for misspellings, additional stray hyphens or punctuation, or any sort of typos in the messages themselves is an important sense check. If you have any doubts about a link that’s been sent to you, it’s best not to click it. Fake NHS vaccine text messages, such as this one identified by Which?, included web domains such as uk-application-form.com. Another spotted by health officials in Sussex asked people to reply to the text and if they did they would be charged.
“As we have seen repeatedly by scammers plaguing victims over the pandemic, it is still very possible to spoof the sender of a text message,” says De Vere. “It’s just rather irksome to yet again depend on the people, the potential victims, rather than prior considerations that could have helped prevent this kind of social engineering attack.”
So if it’s dependent on people to spot spoofs, then what should you look for in genuine messages? The text message will come from a sender called NHSvaccine – but as De Vere has managed to show, that isn’t foolproof. The URL you’ll be directed to will start with nhs.uk – which is the host of the vaccine booking service.
There, you’ll be asked to input your NHS number, which is ten digits long, and is on any official documentation you’ve received from the health service before. McAlpine would rather the vaccine booking system was different, with the NHS providing a unique code that you would input onto the booking website, rather than having to surrender personally identifying information, but understands the system has been set up quickly.
What you won’t be asked for is any details associated with your bank account or credit or debit card, nor will you be asked for copies of any personal documents such as a passport, pay slip or driving licence. And you certainly won’t be asked to pay anything. “The NHS have said all these vaccines will be free and remain free,” says McAlpine. “If you do get a text message not from a legitimate place, look up their number on their website, not through their link and call them up directly,” which in this case would be 119 to book a vaccine slot.
You can also Google any phone numbers associated with the texts – it’ll never come from a mobile number starting with 07 – or can forward suspicious text messages to the National Cyber Security Centre’s text messaging service free of charge at 7726. And even if you don’t want to click the link in the official NHS text message, it’s vaccine booking website can be found with a quick search.
More great stories from WIRED
💸 The bitcoin elite are spending millions on collectable memes
🍇 Scientists are growing grapes in space to save Earth’s wine supply
🔑 Reduce your chances of being hacked – use one of the best password managers
🔊 Listen to The WIRED Podcast, the week in science, technology and culture, delivered every Friday
👉 Follow WIRED on Twitter, Instagram, Facebook and LinkedIn
Get WIRED Daily, your no-nonsense briefing on all the biggest stories in technology, business and science. In your inbox every weekday at 12pm UK time.
Thank You. You have successfully subscribed to our newsletter. You will hear from us shortly.
Sorry, you have entered an invalid email. Please refresh and try again.