COVID-19 Contact Tracing Smishing

There is no doubt that it would have been naive, even foolish, to put any stock in the early suggestions from the cyber threat actor community that the COVID-19 pandemic was not going to be exploited. First of all, it’s not like cybercriminals all belong to a union that can enforce behavior, so the very idea is absurd. Also, exploiting people when they are the most vulnerable is what criminals do. The very idea that they would be well behaved during this crisis was, in fact, floated in an attempt to get inside the heads of their future victims to make them feel more at ease, and therefore easier to exploit.

Even the most casual observers of cybercrime will not be surprised, but still nonetheless outraged at the most recent events designed to gum up the works of contact tracing. Contact tracing will go a long way toward stemming the spread of the coronavirus. It will only work, however, if people trust the systems put in place to notify them of their recent proximity to someone that proved to be infected with the disease. 

The Guardian reported this week, “Members of the public have been alerted to a scam in which fraudsters use a bogus version of the UK contact-tracing app being trialed on the Isle of Wight.

The Chartered Trading Standards Institute (CTSI) said it had evidence of a phishing scam that uses a text message to try to fool people into believing they have been in contact with someone who has tested positive for coronavirus.”

When asked to comment on these developments, Chris Ross, SVP, Barracuda Networks said, “Cybercriminals do not miss a trick when it comes to preying on people’s fears, insecurities, or even their good-will. More recent efforts to trick people out of their money have seen scammers move away from the traditional email-based phishing attack to an SMS based phishing attack or ‘smishing.’

The most recent smishing attack, which uses an SMS alert to trick people into thinking they have come into contact with the deadly coronavirus, is one of the most immoral yet sophisticated smishing campaigns we’ve seen since the start of the outbreak. It is a reminder to the general public that cyber scams infect all messaging and communication platforms, and you should always verify the information you are sent before taking any action or complying with written instructions. If you are unsure of the legitimacy of some information you have been sent, seeking advice from a specialist or security expert is always advised, particularly in the current climate.”

Given the concerns about protecting individual privacy, contact tracing is, at best, a bit of a sticky wicket. A report from Naked Security by Sophos detailing how a woman in Auckland, New Zealand, whose trip to a Subway fast-food shop led to a restaurant worker reaching out to pester her on Facebook, Instagram, Messenger, and via text is unsettling. Giving personally identifiable information (PII) to a stranger for any purpose carries the potential for ending badly. 

As the public becomes aware of contact tracing smishing scams, they will likely be hesitant to respond to legitimate attempts to protect them from the coronavirus. The element of victimizing people as they attempt to protect themselves in a crisis makes these scams particularly heinous. Whatever method or technology each country settles on to provide contact tracing will need to have safeguards baked in to mitigate exploitation. 

Just like the cybersecurity community evangelizes the avoidance of clicking on links from unknown sources, healthcare providers will need to teach people to avoid responding to SMS messages about the virus and reach out directly if there are questions about their exposure. 

Steven Bowcut is an award-winning journalist covering cyber and physical security. He is an editor and writer for Brilliance Security Magazine as well as other security and non-security online publications. Follow and connect with Steve on Twitter, Instagram, and LinkedIn.