Something phishy: Tech recruiters jabbed by fake COVID-19 Passport scam
Tells clients it is tackling the issue
An IT recruitment agency says a "phishing scam" is behind a fake email sent to its customers with details on how to apply for a "Coronavirus Digital Passport."
The email – sent to applicants and clients of Concept Resourcing, based in Dudley, England, on 14 September and seen by The Reg – claimed users could "Get your Digital Coronavirus Passports (HPS) today" and showed recipients a big juicy link where they could do so.
The link was not a genuine NHS website and appears to have been deleted shortly after.
The scam was quickly spotted by the recruitment biz, which sent an email several hours later warning people not to "interact with the email" and to remain "vigilant."
A follow-up message sent early evening on 15 September confirmed that Concept Resourcing's "email software was compromised" and that the email had been sent to a number of undisclosed "candidates and clients."
"This email was NOT genuine and formed part of a phishing scam using our Concept Resourcing email address," it said.
The company said it believed a "number of candidate and client email addresses relating to historic interactions had been compromised to conduct this attack."
It told clients it is currently working with its email provider and security team to identify the cause of the breach.
Concept Resourcing told The Register: "From the moment we discovered this issue, we took steps to notify the affected parties about what had happened.
"We have engaged a well-respected cyber security consultancy to investigate the incident, how it happened and whether there are any steps that could be taken to mitigate the risk of this ever happening again.
"Our investigation is ongoing."
The issue of COVID-related scams is nothing new and it seems few people or organisations are immune.
- Open redirect on UK council website was being used for Royal Mail-themed parcel payments scam
- Crypto-coin startup said its bot could generate huge profits from your Bitcoin. It was a scam, says SEC
- Financial watchdog says Google's clampdown on scam ads might not be enough to prevent stricter laws in Britain
- Scam-baiting YouTube channel Tech Support Scams taken offline by tech support scam
- Aviation-themed phishing campaign pushed off-the-shelf RATs into inboxes for 5 years
- Microsoft warns of widespread open redirection phishing attack – which Defender can block, coincidentally
In July, Action Fraud – the UK's fraud and cybercrime hotline – said it had received more than 700 reports of people being sent emails, supposedly from the NHS, offering them a vaccine passport.
These emails – which often link the vaccine passports with being able to travel or work safely without having to self-isolate – ask people to click on a link which takes them to an online form where they are prompted to input personal and financial details.
In some cases, the online form, along with the URL, are "NHS" branded. Again in July, the Chartered Trading Standards Institute (CTSI) shared concerns about "a phoney email clad in NHS branding" which told recipients they could "supposedly apply for a digital vaccine passport."
These scams are not the first COVID-related hustles designed to entrap people. Others include fake tests, homeworking scams, and test and trace frauds. ®