/ Scams

Warning: new fake NHS COVID Pass emails and texts

Scammers are hoping to cash in on any confusion around the end of pandemic restrictions – watch out for these fake emails and texts.

The NHS COVID Pass was recently launched so people can show their COVID vaccine or test status, which might be needed to travel and gain entry to some events.

Vaccine passes are completely free. You can download a digital version using the NHS app, or ask for a physical copy to be posted to you.

But fraudsters have been sending out fake NHS branded emails, falsely inviting people to apply – and pay – for a pass. We’ve also seen fake text messages along the same lines. These texts can be especially convincing as the NHS does contact patients using text messages.

Examples of fake NHS COVID Pass messages

Here’s one of the phishing emails we’ve seen:

And here’s a text message that links to a copycat NHS site that aims to steal victims’ personal and banking details:

We know that scammers used similar tactics when the vaccine became available. The NHS Counter Fraud Authority (NHSCFA), which works to fight and prevent fraud affecting the NHS, told us:

Criminals are using the COVID-19 vaccines as a way to target the public by tricking them to hand
over cash or financial details. They are sending convincing-looking text messages letting people
know they are eligible for the vaccine or phoning people directly pretending to be from the NHS, or
local pharmacy.

The NHSCFA have put together guidance and advice to help anyone who may be a
target of these kinds of scams – COVID-19 vaccine fraud (cfa.nhs.uk)

NHS COVID passes are free of charge and can be obtained through the NHS website and app.
Instructions on how to get one are detailed here.

If you believe you are the victim of a fraud relating to the COVID-19 vaccine, please do not report
this to the NHSCFA. Please report it to Action Fraud, forward any suspicious emails to
report@phishing.gov.uk, and forward suspicious texts to 7726.

How to deal with NHS-related phishing

The best way to avoid text message scams is to never follow the links in texts that claim to be from organisations or companies.

Experience: “How I almost fell for the fake vaccine text”

If you get a text purporting to be from the NHS that you’re not sure about, check the details with your GP surgery or NHS service.

Guide: how to spot a text message scam

Guide: how to get your money back after a scam

Phishing emails should be reported to the National Cyber Security Centre on report@phishing.gov.uk

Fake texts (smishing) can be forwarded to 7726 (spells SPAM on the keyboard).

Have you been targeted by these fake NHS messages or similar? Let us know what happened in the comments, and help us spread the word by sharing these warnings with your friends and family.

Comments
AnnaT says:
15 July 2021

When you get a suspicious email you should always click the sender as this should bring up the email of the sender. If this is obviously different to the purported sender, then beware as its likely a scam. Be careful though as some unscrupoulos person may have come up with an email that is so close to the original as to be very difficult to detect.

Veneda Budd says:
15 July 2021

I’ve had one of these, reported, blocked and deleted!

I clicked on the link in the phishing mail out of curiosity to see what they hoped to achieve but it seems it has been deleted.

Hi Mar M,

That often happens within 24 hours of those messages going out. Either the sites are taken down or built-in browser security software blocks the sites.

I know this because I also also click on some of these links.

But, because clicking on a link risks bad things happening, I’ll only click on these links from spare devices and never from any of my main devices. Ten years ago, my Windows 7 PC caught a nasty virus after I clicked on an apparently benign link in a motorcycling forum.

Mar M: you should NEVER click on links especially if you suspect or are certain that it is a phishing email. Some will take you to a blank page or some other innocuous result, meanwhile your device is receiving malware/spyware.
Not all phishing messages want you to do something next, clicking on the link is enough.

Peacheater, as my Windows 7 experience showed, clicking on all kinds of apparently innocent looking links can also trigger “drive by” downloads.

Hence it makes good sense to be very careful whenever you are surfing the net and to make sure that you have good security software to prevent such incidents.

This is particularly true when using Windows, and especially so when using a Windows account with administrator rights. Other OSes are not invulnerable either…

Teddy says:
15 July 2021

I had one from DVLA saying my direct debit for car tax had been cancelled by bank and now car wasn’t taxed! I beieved part of ir in that I had just recently taxed my car but not using DD. I thought they had just made a mistake…thankfully II didn’t click on link taking me to “how topay by DD but replied to sender. It came back as unknown….I checked on DVLA website and saw my car was taxed….that was a close call and its easy to be caught off-guard. Thanks for info as didn’t know just clicking a link could cause problems without taking any further action.

NHS: You are eligible to apply for a Covid Pass proving you have been vaccinated against COVID-19. You can apply for this here: https://nhs-uk.application-onlineform.com
+447951782543
I recognised it as a scam and forwarded to 7726

[Moderator: this website appears to be a scam website. We’ve retained the URL to help you identify it, but we’ve redirected the link to our guidance on how to spot fraudulent website. ]

Information about the Covid Pass can be found on the NHS website: https://www.nhs.uk/conditions/coronavirus-covid-19/covid-pass/

Michael Caudwell says:
15 July 2021

I thought I probably do not need one, but why not. Information provided is confusing re “passports”.
Reached enter a card details and this was a lightening strike. Ceased and deleted.

Yes, I got one but knew it was fake because I knew we weren’t being charged. I also checked with my sone who is a consultant in the NHS just to be sure. Then I forwarded it to Cyber fraud website and binned it.

Steve k
I clicked on the link on 12/7 and supposedly paid £1.99 on my credit card .but then I think it was blocked as no money was taken. However I did receive a QR CODE (which is supposedly bogus) .I did a screenshot and saved it in photos. Do I need to do anything else?

Hi Steve,

Good to hear that it may have been blocked, though best to still report this to your credit card provider, confirm no money was taken, and aim to keep an eye on your account for suspicious activity going forward.

You’ll also want to keep an eye on any accounts linked to any personal information you may have given as part of the transaction – for example, if you provided an email address, it would be a good time to change your password, implement two-factor authentication if available and not already done. There’s more advice on our Scams Protection checklist: https://www.which.co.uk/consumer-rights/advice/how-to-spot-a-scam-alFiz5h8mnJ9

Mrs Christine Russell says:
16 July 2021

I had one of these emails, I noticed the email address looked a little odd. Although it said it was from NHS the address was NH…… I passed it on to “report@phishing.gov.uk, it did look authentic though. I am suspicious of everything though after all the scams that have happened.

I had the text offering the NHS Covid Pass and a website link to click on. In stead I phoned the mobile number from which the text had been sent and was (happily) greeted with “the number you have dialled has not been recognised”. I thought it was a scam to start with and now I know it is.

Lee F says:
16 July 2021

I had one of these emails and it does look convincing, but I am very wary of any emails especially generic ones not titled to me. I always look at the email sender in the first instance and often that is a red flag. I did report this to the counter fraud unit and feel satisfied I was right.

Mark Gourley says:
16 July 2021

Exactly. Always beware of any communication addressed to “Dear Sir/Madam” rather than to you personally by name!

It amazes me that despite ALL the publicity and repeated advice “do not click on links” in the media and on TV consumer programmes, people STILL do it.
Similarly (but unrelated to this thread) despite the repeat advice not to, people STILL pay for things solicited online or in email by direct bank transfer (and now expect the banks to refund them every time).

I clicked on the link and it took me to a blank page, what should I do

G Powell says:
2 September 2021

I received a text, supposedly from the NHS a couple of days ago. I thought it was ok as the address started https: … or so I thought. On looking again, I saw the address was actually http://nhspass-apply.com. When I tried to look up the website, a red screen & warning message came up. Can’t believe I almost fell for this! But I am unable to forward this to report it, as there is no option on the text to forward, only a delete button. Suppose I should have noticed it came from NHSNoREPLY.

Kevin Adams says:
18 September 2021

Just received a new (to me) NHS Coronavirus passport scam as copied and pasted below. I thought it looked a little odd as the blue of the NHS logo didn’t look quite what I normally see on legitimate emails. Looking at it closely the words “We will ask you a few personal information….” suggests it’s also a scam to me as well as the time limited link!

Beware

We are happy to introduce Digital Coronavirus Passports(HSPS)

Dear NHS member,

Starting today you can apply for a Digital Passport.

Your account ID is z48c06e. Please make a note of this ID. You need it to sign in to NHS Digital Passport

The Coronavirus Digital Passport is documentation proving that you have been vaccinated against COVID-19 or you recently recovered from COVID-19

Please click on the link below to apply for your Digital Passport now

LINK NOT COPIED

After 72 hours the link will not work.

We will ask you a few personal information about yourself and show you how to get your copy .

The passport will allow you to travel safetly and freely around the world without having to self-isolate.

The evil exploitation of some scammers is unbelievable. The “personal information about yourself” is what they want and they are just taking advantage of people’s anxieties during the pandemic. The promise that the “passport will allow you to travel safetly [sic] and freely around the world without having to self-isolate is pure fantasy.

D Moore says:
6 October 2021

I received two text messages yesterday, supposedly from NHS , saying I was now eligible for my Covid Pass. They provided a link to apply for it and said by not replying I could be fined. That set alarm bells ringing so I ignored them. Both came from mobile numbers which started with the same numbers but finished slightly differently.

Clive James says:
6 October 2021

We have just had a similar text, the thing that made it look like it was from a genuine source was it appeared below/on the text message string as the results of an antibody test form last month, which was genuine. The fact it said ‘you could be fined’ rang the alarm bells. The webpage looked genuine though the three links at the bottom for terms, Cookies, accessibility and help centre didn’t work. It led through to wanting all the stuff the NHS app/web page asks for (I filled in made up stuff) and then it went to the request for £1.99 admin fee.
What I’d like to know is how they can get the text appear to come from the same place as a genuine NHS text…….

Philip Heady says:
18 October 2021

I received the email below and was momentarily taken aback. I put it in Spam and will now delete.

N H S COVID-19 Vaccine Passport
To: My email address
13/10/2021 14:13
1
Coronavirus (COVID-19) vaccination – NHS

Dear [ My email address]

Hard Copy and Digital Covid-19 Passport

While restrictions on travel could prevent coronavirus transmission in the short term, hard copy and digital passports showing COVID-negative and vaccination status may help reopen airports and other badly hit areas of the economy

Use this service to confirm you are coronavirus (COVID-19) vaccinated and receive your new Passport.

You will need to:

Confirm your personal details

* Wait 5 to 10 working days until you receive your Passport at your home address
* Use your new passport for travel without restrictions
* This is a very important step to live safely and freely alongside the virus

Who can use this service

You can only use this service if you have received an email/SMS regarding this invitation. You can not use this service for anyone other than yourself.

You are also free to reject this invitation, your appointment will be issued to the next person in line in that case.

Please understand that the number of passports that we need to issue is very high, if you ignore or reject this invitation you might have to wait up to 12 months until you receive another one

Please confirm or reject your invitation by selecting an option below:

https://nhs-services-uk.heteml.net/england.nhs.uk/digital/portal/covid19-passport/office/onlines-applications

You are required to reply to this invitation within 12 hours of this notification.

This is an OFFICIAL invitation sent to [ My email address]

[Moderator: this website appears to be a fake or fraudulent website. We’ve retained the URL to help you identify it, but we’ve redirected the link to our guidance on how to spot fraudulent website. ]

Before you delete it Philip, could you forward a copy to conversation.comments@which.co.uk? We’d love to see how this email looks, as it certainly sounds convincing!

Gareth Hughes says:
21 October 2021

damn! stupidly clicked on this without thinking and a blank scree n came up. What should i do? any risk the sender can access stuff on my mobile? Ban accounts etc?

Thanks all