Something phishy: Tech recruiters jabbed by fake COVID-19 Passport scam

Tells clients it is tackling the issue


An IT recruitment agency says a "phishing scam" is behind a fake email sent to its customers with details on how to apply for a "Coronavirus Digital Passport."

The email – sent to applicants and clients of Concept Resourcing, based in Dudley, England, on 14 September and seen by The Reg – claimed users could "Get your Digital Coronavirus Passports (HPS) today" and showed recipients a big juicy link where they could do so.

The link was not a genuine NHS website and appears to have been deleted shortly after.

The scam was quickly spotted by the recruitment biz, which sent an email several hours later warning people not to "interact with the email" and to remain "vigilant."

A follow-up message sent early evening on 15 September confirmed that Concept Resourcing's "email software was compromised" and that the email had been sent to a number of undisclosed "candidates and clients."

"This email was NOT genuine and formed part of a phishing scam using our Concept Resourcing email address," it said.

The company said it believed a "number of candidate and client email addresses relating to historic interactions had been compromised to conduct this attack."

It told clients it is currently working with its email provider and security team to identify the cause of the breach.

Concept Resourcing told The Register: "From the moment we discovered this issue, we took steps to notify the affected parties about what had happened.

"We have engaged a well-respected cyber security consultancy to investigate the incident, how it happened and whether there are any steps that could be taken to mitigate the risk of this ever happening again.

"Our investigation is ongoing."

The issue of COVID-related scams is nothing new and it seems few people or organisations are immune.

In July, Action Fraud – the UK's fraud and cybercrime hotline – said it had received more than 700 reports of people being sent emails, supposedly from the NHS, offering them a vaccine passport.

These emails – which often link the vaccine passports with being able to travel or work safely without having to self-isolate – ask people to click on a link which takes them to an online form where they are prompted to input personal and financial details.

In some cases, the online form, along with the URL, is "NHS" branded. Again in July, the Chartered Trading Standards Institute (CTSI) shared concerns about "a phoney email clad in NHS branding" which told recipients they could "supposedly apply for a digital vaccine passport."

These scams are not the first COVID-related hustles designed to entrap people. Others include fake tests, homeworking scams, and test and trace frauds. ®
