/ Scams

Warning: new fake NHS COVID Pass emails and texts

Scammers are hoping to cash in on any confusion around the end of pandemic restrictions – watch out for these fake emails and texts.

The NHS COVID Pass was recently launched so people can show their COVID vaccine or test status, which might be needed to travel and gain entry to some events.

Vaccine passes are completely free. You can download a digital version using the NHS app, or ask for a physical copy to be posted to you.

But fraudsters have been sending out fake NHS branded emails, falsely inviting people to apply – and pay – for a pass. We’ve also seen fake text messages along the same lines. These texts can be especially convincing as the NHS does contact patients using text messages.

Examples of fake NHS COVID Pass messages

Here’s one of the phishing emails we’ve seen:

And here’s a text message that links to a copycat NHS site that aims to steal victims’ personal and banking details:

We know that scammers used similar tactics when the vaccine became available. The NHS Counter Fraud Authority (NHSCFA), which works to fight and prevent fraud affecting the NHS, told us:

Criminals are using the COVID-19 vaccines as a way to target the public by tricking them to hand
over cash or financial details. They are sending convincing-looking text messages letting people
know they are eligible for the vaccine or phoning people directly pretending to be from the NHS, or
local pharmacy.

The NHSCFA have put together guidance and advice to help anyone who may be a
target of these kinds of scams – COVID-19 vaccine fraud (cfa.nhs.uk)

NHS COVID passes are free of charge and can be obtained through the NHS website and app.
Instructions on how to get one are detailed here.

If you believe you are the victim of a fraud relating to the COVID-19 vaccine, please do not report
this to the NHSCFA. Please report it to Action Fraud, forward any suspicious emails to
report@phishing.gov.uk, and forward suspicious texts to 7726.

How to deal with NHS-related phishing

The best way to avoid text message scams is to never follow the links in texts that claim to be from organisations or companies.

Experience: “How I almost fell for the fake vaccine text”

If you get a text purporting to be from the NHS that you’re not sure about, check the details with your GP surgery or NHS service.

Guide: how to spot a text message scam

Guide: how to get your money back after a scam

Phishing emails should be reported to the National Cyber Security Centre on report@phishing.gov.uk

Fake texts (smishing) can be forwarded to 7726 (spells SPAM on the keyboard).

Have you been targeted by these fake NHS messages or similar? Let us know what happened in the comments, and help us spread the word by sharing these warnings with your friends and family.

AnnaT says:
15 July 2021

When you get a suspicious email you should always click the sender as this should bring up the email of the sender. If this is obviously different to the purported sender, then beware as its likely a scam. Be careful though as some unscrupoulos person may have come up with an email that is so close to the original as to be very difficult to detect.

Veneda Budd says:
15 July 2021

I’ve had one of these, reported, blocked and deleted!

Mar M. says:
15 July 2021

I clicked on the link in the phishing mail out of curiosity to see what they hoped to achieve but it seems it has been deleted.

Hi Mar M,

That often happens within 24 hours of those messages going out. Either the sites are taken down or built-in browser security software blocks the sites.

I know this because I also also click on some of these links.

But, because clicking on a link risks bad things happening, I’ll only click on these links from spare devices and never from any of my main devices. Ten years ago, my Windows 7 PC caught a nasty virus after I clicked on an apparently benign link in a motorcycling forum.

Mar M: you should NEVER click on links especially if you suspect or are certain that it is a phishing email. Some will take you to a blank page or some other innocuous result, meanwhile your device is receiving malware/spyware.
Not all phishing messages want you to do something next, clicking on the link is enough.

Peacheater, as my Windows 7 experience showed, clicking on all kinds of apparently innocent looking links can also trigger “drive by” downloads.

Hence it makes good sense to be very careful whenever you are surfing the net and to make sure that you have good security software to prevent such incidents.

This is particularly true when using Windows, and especially so when using a Windows account with administrator rights. Other OSes are not invulnerable either…

Teddy says:
15 July 2021

I had one from DVLA saying my direct debit for car tax had been cancelled by bank and now car wasn’t taxed! I beieved part of ir in that I had just recently taxed my car but not using DD. I thought they had just made a mistake…thankfully II didn’t click on link taking me to “how topay by DD but replied to sender. It came back as unknown….I checked on DVLA website and saw my car was taxed….that was a close call and its easy to be caught off-guard. Thanks for info as didn’t know just clicking a link could cause problems without taking any further action.

Eileen Damsell says:
15 July 2021

NHS: You are eligible to apply for a Covid Pass proving you have been vaccinated against COVID-19. You can apply for this here: https://nhs-uk.application-onlineform.com
I recognised it as a scam and forwarded to 7726

[Moderator: this website appears to be a scam website. We’ve retained the URL to help you identify it, but we’ve redirected the link to our guidance on how to spot fraudulent website. ]

Information about the Covid Pass can be found on the NHS website: https://www.nhs.uk/conditions/coronavirus-covid-19/covid-pass/

Michael Caudwell says:
15 July 2021

I thought I probably do not need one, but why not. Information provided is confusing re “passports”.
Reached enter a card details and this was a lightening strike. Ceased and deleted.

Pat Shepherd says:
15 July 2021

Yes, I got one but knew it was fake because I knew we weren’t being charged. I also checked with my sone who is a consultant in the NHS just to be sure. Then I forwarded it to Cyber fraud website and binned it.

Steven Kernick says:
16 July 2021

Steve k
I clicked on the link on 12/7 and supposedly paid £1.99 on my credit card .but then I think it was blocked as no money was taken. However I did receive a QR CODE (which is supposedly bogus) .I did a screenshot and saved it in photos. Do I need to do anything else?

Hi Steve,

Good to hear that it may have been blocked, though best to still report this to your credit card provider, confirm no money was taken, and aim to keep an eye on your account for suspicious activity going forward.

You’ll also want to keep an eye on any accounts linked to any personal information you may have given as part of the transaction – for example, if you provided an email address, it would be a good time to change your password, implement two-factor authentication if available and not already done. There’s more advice on our Scams Protection checklist: https://www.which.co.uk/consumer-rights/advice/how-to-spot-a-scam-alFiz5h8mnJ9

Mrs Christine Russell says:
16 July 2021

I had one of these emails, I noticed the email address looked a little odd. Although it said it was from NHS the address was NH…… I passed it on to “report@phishing.gov.uk, it did look authentic though. I am suspicious of everything though after all the scams that have happened.

Bill Seymour says:
16 July 2021

I had the text offering the NHS Covid Pass and a website link to click on. In stead I phoned the mobile number from which the text had been sent and was (happily) greeted with “the number you have dialled has not been recognised”. I thought it was a scam to start with and now I know it is.

Lee F says:
16 July 2021

I had one of these emails and it does look convincing, but I am very wary of any emails especially generic ones not titled to me. I always look at the email sender in the first instance and often that is a red flag. I did report this to the counter fraud unit and feel satisfied I was right.

Mark Gourley says:
16 July 2021

Exactly. Always beware of any communication addressed to “Dear Sir/Madam” rather than to you personally by name!

It amazes me that despite ALL the publicity and repeated advice “do not click on links” in the media and on TV consumer programmes, people STILL do it.
Similarly (but unrelated to this thread) despite the repeat advice not to, people STILL pay for things solicited online or in email by direct bank transfer (and now expect the banks to refund them every time).