UKC

Please make others aware (particularly those more vulnerable who might fall for this), that this is a scam! It showed up on my texts in the same "conversation" as my other NHS texts (PCR test results etc). It is not from NHS and people should not click on the link 

"You're now eIigibIe to get your NHS COVlD pass. You couId be fined if you don't appIy. PIease visit nhs.digital-get-pass.com to appIy for your pass."

This is the correct way to get a pass or letter:

https://www.nhs.uk/conditions/coronavirus-covid-19/covid-pass/

https://covid-status.service.nhsx.nhs.uk/

Or here in Scotland:

https://www.nhsinform.scot/nhs-scotland-covid-status

I've not seen or heard of this one.

The giveaway is  - "You could be fined if you don't apply"

No one is going to be fined for not applying for a pass, but any suggestion of penalties could be enough to worry some and cause them to fall for whatever the scam is going to do.

Dave

The worrying part is it’s inserted into the same message conversation. How do they do this? 

I received this scam as a text message a couple of hours after my booster a few weeks ago. It's the only time I've received an NHS targeted scam text.

Was it just a coincidence or have the scammers got hold of patient appointment data somehow?

Coincidence I should think.  They'll just be sending the texts to random numbers and spoofing the sender as "NHSresult" (or whatever), and then your phone will group that text in with the others from the same 'sender'.

My initial reaction was scam, then I got a bit confused because on my texts it is in the same conversation thread as my PCR results (I do 1 per week), which made me second guess myself. Some would certainly fall for it! I had to Google to check due to this. I could see others falling for it

I actually goy that one about 6 weeks ago so it's been around a while.

Yes, it is worrying. I don't know how they do it. I feel I should be able to report it to someone but I don't know who

Presumably if they spoofed the number that the genuine texts come from messages will appear in the thread.

Similarly you can get a phone call from a number that appears to be form your bank (ie it shows a number that your bank uses).

This flaw in telephone security is going to be fixed in the next few years...

Coincidentally (or otherwise...), a post appeared on my FB feed, from Ofcom, advising scam texts should be forwarded to 7726.

I'm assuming that's not a premium rate scam line...

https://www.ofcom.org.uk/phones-telecoms-and-internet/advice-for-consumers/...

SMS sender authentication is a bit non existent.

Apparently the designers of the SMS didn’t consider than some people are scum.

*Never* trust the identity of the “sender” of an SMS.  Can be used to con you in to believing something, or to replying to a number known to you in response to a message they didn’t send.

https://en.m.wikipedia.org/wiki/SMS_spoofing

Trivially, see my wiki link.

Ofcom and your MP, because your mobile provider is all to willing to profit from crime by taking their cut when sending unauthenticated, fraudulent messages to you, their customer.

Yeah. I had this argument many years ago when I was charged for a premium rate text I hadn't requested. There seemed to be little or no means or will to do anything about it from either service provider or ofcom; their stance was that it was impossible, and I must have made the request myself. It wasn't impossible, and it was a prolific problem; the company responsible for the call was one of a series of pop-ups, all 'fined' for these scams, but disappearing with their cash before the fine could be enforced.

The website address "nhs.digital-get-pass.com" is a dead give-away. Anyone can register an address (technically, a domain name) such as "digital-get-pass.com".  The "nhs" bit on the front is not to be trusted. Whoever registered "digital-get-pass.com" can put whatever they like there.

You can trust "*.nhs.uk" and "*.gov.uk", where "*" means "anything". 

HTH

Al