This latest scam involves a text message containing a link to a website mimicking the official NHS website, which asks users to input the exact name registered with their GP surgery, as well as their home address.
It then shows a screen asking for credit card details, falsely claiming a £4.99 payment is needed to “process your Covid Pass application”.
An NHS Covid Pass or vaccine certificate is used to show a person has had both doses of a coronavirus vaccination and are available to everyone in the UK through the official NHS app or website and does not require any payment.
They can be used to gain entry into domestic venues asking for proof of vaccination as well as for overseas travel.
“This attack is aimed at residents of the UK. It makes use of social engineering in a similar fashion to other pandemic-themed SMS texts, with a strong psychological aspect tied in for good measure,” Malwarebytes said in a blog post on the scam.
“It’s important to note that the UK does have an actual Covid Pass system in place. There’s a proper process in place, and it doesn’t involve handing money over to random websites. It’s also worth noting there’s been a number of other scams along these same lines.
“Should you receive one of these text messages, you can safely ignore it and report for spam while you’re at it.”
The pass is a digital QR code that you can download from the NHS app or NHS website. You’ll be asked to input your name, date of birth, postcode and NHS number.
The digital versions last for 28 days if you are fully vaccinated, then automatically renew, while if you have a negative Covid test result it is valid for 48 hours.
You will also be given an option to download it as a PDF or get it sent via email. People who are vaccinated can also have a paper copy sent to them which can be requested online on the NHS website. You do not need a GP referral.
