Staff’s Police Cyber Tips – Sept 2020

Welcome to September’s Top Tips. NHS Test and Trace is in the spotlight again this month, with scams continuing to circulate, and there is some useful information about the newly launched ‘NHS Test and Trace app’.

NHS Test and Trace Scam

A current scam involves telephone calls claiming to be from NHS Track & Trace. Callers claim the recipient has been in contact with someone who has tested positive for Covid-19 and so needs to self-isolate for seven days and take a test within 72 hours. Callers then ask for the best address to send the testing kit to, before saying that there is a one-off fee of £50, which includes results, and asking for bank details.

Advice:

Testing and results under the track and trace system are free. If you are contacted by the scheme you will never be asked for bank details or payments of any kind.

Never respond to any unsolicited phone calls or emails – Stop Challenge Protect

NHS Test and Trace App

Our West Midlands Regional Cyber Crime Unit have given this information following the launch of the new NHS Test and Trace app: ‘The NHS has launched the NHS COVID-19 app whereby venues are being instructed to download and display QR codes for visitors to scan when they arrive, using the new app. This is to help trace and stop the spread of coronavirus (COVID-19). It is important to note that users are advised to only scan venue QR codes through the NHS COVID-19 app to ensure that the user is accessing the correct website rather than a malicious one. Cyber criminals use a practice called QR Spoofing or “Attagging” which is where a real QR code is replaced by a cloned one, which then redirects the person scanning that code to a similar, potentially malicious, website where personal data can be intercepted and breached. Protecting yourself from QR Spoofing when ‘checking in’ to places, as is now required, is as simple as avoiding scanning QR codes with your camera and instead downloading the free NHS COVID-19 (Test and Trace) app from the Google Play Store or Apple App Store. When using the NHS COVID-19 app the QR code is scanned using an in-app camera and only official NHS QR codes are accepted. The app also does not require its users to open a separate webpage, eliminating the risk of malicious links, nor does it require the user to enter any personal information other than the first three letters of the user’s postcode as it relies mainly on venue check-ins and Bluetooth location.

QR Spoofing or Attagging –

QR codes, particularly printed to signs or posters, are static and available to exploitation by cyber criminals by putting a fake QR code over a genuine QR code. For example, a QR code, on scanning, would link to the genuine website www.wmcyber.org but a fake QR code can be made up, printed off and placed over the genuine code to redirect to www.wm-cyber.org. At this point, the member of the public may be tricked into entering their personal and private data and financial information. Often, the spoofed website looks the exact same as the genuine one to make the users think they are legitimate and trustworthy. To protect yourself, we ask that members of the public always stay vigilant of spotting malicious URLs and, if possible, ensure that they preview the actual URL when scanning QR codes via phone QR readers. Also, take advantage of the free QR code readers available that function as a typical reader but also provide the added benefit of security to the scan’. WMRCCU
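
To illustrate what previewing the URL can catch, here is an added example (not code from WMRCCU or the NHS app) that takes the text decoded from a QR code and compares the host it would open with the host you expect, using the two addresses from the advice above. The function names, the list of non-web prefixes and the similarity threshold are assumptions made for this sketch.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Host the reader expects to reach; taken from the example in the advice above.
EXPECTED_HOSTS = {"www.wmcyber.org"}
LOOKALIKE_THRESHOLD = 0.85  # assumed cut-off for "suspiciously similar"
NON_WEB_PREFIXES = ("mailto:", "tel:", "sms:", "wifi:")  # other QR payload types


def host_of(qr_payload: str) -> str:
    """Return the lower-cased host a decoded QR payload would open, or ''."""
    text = qr_payload.strip()
    if "://" not in text:
        if text.lower().startswith(NON_WEB_PREFIXES):
            return ""
        text = "https://" + text  # bare "www.example.org" style payload
    try:
        parts = urlsplit(text)
        if parts.scheme not in ("http", "https"):
            return ""
        # .hostname ignores any "user@" prefix and port around the real host
        return (parts.hostname or "").rstrip(".")
    except ValueError:
        return ""


def squash(host: str) -> str:
    """Drop the separators that lookalike names add or remove."""
    return host.replace("-", "").replace(".", "")


def classify(qr_payload: str, expected=EXPECTED_HOSTS) -> str:
    """Classify a payload as 'expected', 'lookalike' or 'unknown'."""
    host = host_of(qr_payload)
    if not host:
        return "unknown"
    if host in expected:
        return "expected"
    for good in expected:
        similar = SequenceMatcher(None, host, good).ratio() >= LOOKALIKE_THRESHOLD
        if squash(host) == squash(good) or similar:
            return "lookalike"
    return "unknown"
```

Only an 'expected' result means the code points where the poster claims; 'lookalike' and 'unknown' both mean the link should not be opened without checking with the venue.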

The launch of the new app will bring along new attempts from criminals to try to deceive people by way of email, phone call or text. Always seek information from a safe source and download the NHS Test and Trace app from the trusted Google Play Store or Apple App Store, never from a link in an email or text message.

The official NHS Test and Trace website address is: https://contacttracing.phe.gov.uk

Further information on NHS Test and Trace can be found by visiting the GOV.UK website here: https://www.gov.uk/guidance/nhstestandtracehowitworks

Courier Fraud Alert:

Courier fraud is when criminals call people impersonating banks or the police in order to convince them to hand over their cash, bank cards, or high value items, to a courier that’s been sent to their home. Recent reporting to Action Fraud has highlighted that an increasingly popular tactic is for criminals to instruct the unsuspecting victim to purchase high value items such as gold coins and gold bullion. In the last three months, Action Fraud has received 13 reports relating to this particular M.O, with losses totalling almost £419,000.

Please use this advice: 

  • Your bank or the police will never call you to ask you to verify your personal details or PIN by phone or offer to pick up your card by courier. Hang up, wait a few minutes and call your bank on a number you know to be genuine, such as the one on the back of your card.
  • Your bank or the police will not contact you out of the blue to participate in an investigation in which you need to withdraw money from your bank or to purchase high value goods, such as gold bullion.
  • Your bank will never send a courier to your home to collect your card, PIN, or other valuables, therefore any requests to do so are a scam.

West Midlands Regional Cyber Crime Unit Education Sector

Our West Midlands Regional Cyber Crime Unit are more than happy to chat to educational establishments about training opportunities for their staff and opportunities to provide positive cyber choices for their students. They have said ‘While we have over 5K schools across our region to try and support, we’d like to get an expression of interest from those schools or educational establishments that would like to receive free cyber awareness training’.

For more information about this opportunity, contact: wmcyber@west-midlands.pnn.police.uk

There is further information about ransomware attacks within the education sector here: https://www.ncsc.gov.uk/news/alerttargetedransomwareattacksonukeducationsector  

Stay Informed:

To help you keep informed, West Midlands Regional Cyber Crime Unit are providing ‘Cyber Threat Weekly’ podcasts with weekly cyber updates and current information: https://cyberthreatweekly.buzzsprout.com/

The WMRCCU cyber website has a host of information to help boost your cyber awareness. You will find tips, information and advice, and you can check out the ‘Cyber Crime Sentinel’ here: www.wmcyber.org/

NCSC Latest Threat Updates:

Take a look at the NCSC threat reports and news for the end of August and September here:

28th August 2020:
https://www.ncsc.gov.uk/report/weeklythreatreport28thaugust2020

  • Dharma ransomware used in recent attacks
  • Report explores coronavirus impact on breaches

4th September 2020:
https://www.ncsc.gov.uk/report/weeklythreatreport4thseptember2020

  • New advisory offers support against malicious activity
  • Business Email Scammers want more, more, more

11th September 2020:
https://www.ncsc.gov.uk/report/weeklythreatreport11thseptember2020

  • Newcastle University suffers a serious cyber incident
  • EPPlus generated macros provide novel way to help malware evade detection

18th September 2020:
https://www.ncsc.gov.uk/report/weeklythreatreport18thseptember2020

  • NCSC warns UK academia of rise in number of cyber attacks
  • Remote workers access company data on personal devices
  • Vulnerabilities discovered across multiple travel company websites
  • Microsoft aware of Netlogon vulnerability

25th September 2020:
https://www.ncsc.gov.uk/report/weeklythreatreport25thseptember2020

  • Gamers urged to secure online accounts
  • Firm caught offside in ransomware attack

Suspicious Email Reporting Service – Please forward suspicious emails to: report@phishing.gov.uk

Forward suspicious texts to: 7726

Report cybercrime and fraud to Action Fraud: 0300 123 2040

www.actionfraud.police.uk

Further information and advice can be found by visiting:

  • cyberaware.gov.uk
  • www.ncsc.gov.uk/
  • actionfraud.police.uk/
  • takefivestopfraud.org.uk/