Alert: Scammers exploit Omicron fears in new COVID‑19 phishing campaign

Sensing another opportunity to take advantage of fears surrounding the COVID-19 pandemic, scammers are deploying a phishing campaign where they attempt to exploit the emergence of the Omicron coronavirus variant in order to line their pockets.

In an email obtained by Which?, the fraudsters pose as the National Health Service (NHS) and offer potential victims a chance to get a “Free Omicron PCR test” that will help them avoid pandemic-related restrictions introduced recently by the government. The email also deceptively claims that the new variant isn’t detectable by test kits used for previous COVID-19 variants and a new test kit has been developed for that purpose.

In fact, multiple versions of the email are doing the rounds, with one containing a link, while in another the link is accessed by a button. In either scenario, you would be redirected to a faux copycat NHS website that requires you to fill out a form requesting your full name, date of birth, address, mobile, and email address – basically all the information a scammer would need to pull off a pretty convincing case of identity theft and fraud, leaving the victim’s finances in shambles.

Oddly enough, while it does advertise the test as free, the website requests a delivery fee of £1.24 and, for good measure, it gives you the option to provide your mother’s maiden name as a security question – an approach that is actually still used to help users secure their online accounts. In case a victim does get duped and fills out the form, they have effectively provided the scammers with a blueprint to committing identity theft and fraud. Which? has reported the website to the UK’s National Cyber Security Centre.

Scammers eagerly switch to the topic du jour in a quest for people’s sensitive data and hard-earned money, so the fact that they’re taking advantage of the latest developments in the COVID-19 crisis is no surprise.

To avoid falling victim to similar scams, consider following these steps:

• If you received an email that claims to be from an official organisation, check the organisation’s website and contact them using their official contact information to confirm whether they really sent that message.
• Don’t click on links or download files that you received in an unsolicited email from a source you don’t know and cannot independently verify.
• Use two-factor authentication (2FA) at least on your most important online accounts, as well as reputable multi-layered security software with anti-phishing protection.