Recent reports have raised concerns about the possibility of an influx of phishing attacks in the UK with the rollout of the National Health Service (NHS) contact-tracing app. As lockdown restrictions are lifted, NHSX, the digital branch of the NHS, will be releasing the app as part of continued health measures.
The release of the app has been frenetic and halting following privacy and security concerns. Some reports have indicated that the NHS is also developing a second app in conjunction with Apple and Google, though it remains to be determined which one will be used in the final rollout.
How would potential attacks work?
Jonathan Martin, who serves as the EMEA partner director with cybersecurity company Anomali, believes the most significant threat posed by the internal NHSX app will be an increase in phishing attacks. He told Forbes:
“No-one knows where to get the app from, so consumers can expect floods of emails with bogus links (to convincing-looking domains) to download the app from.”
These links will most likely send users to “a web page that will ask people for more personal information than the genuine app, and will then not even have an app to download. The information will be used in future attacks against the individual,” says Martin.
Smishing is also a problem
Jonathan Miles, who serves as the Head of Strategic Intelligence and Security Research at Mimecast, has similar concerns about the potential increase in phishing and smishing attacks. (“Smishing” refers to phishing attacks delivered by SMS text message.) Smishing attacks may pose a higher risk in this case, he says, “Due to the smaller screen real-estate, people will be less able to check the veracity of the link so will be more trusting and will click it.”
But phishing and smishing attacks don’t cover the full extent of the threat: bad actors on the streets may also exploit contact-tracing efforts to carry out “drive-by” attacks, tricking people into believing that an infected person is walking in a certain area and thus effectively clearing everyone else from it. This enables them to commit a crime physically in the location while making sure no one is there to see it. Miles explained to Forbes that such would-be criminals “develop apps that beacon out pretending to be an infected person. For example, the attacker walks down a street so that nearby phones will receive the alert and inform the owner that they have to self-isolate and test.”
Cyberattacks in the coronavirus era
The world has already seen a spike in phishing attacks since the onset of the coronavirus pandemic. Security firm KnowBe4 reported a 600 percent increase in phishing attacks in the first quarter of this year, and Google says it has been blocking 18 million COVID-19-related phishing emails a day.
As always, the best way to protect yourself from phishing attacks is to never open emails from unknown senders, never click on links in emails that look suspicious or come from unknown senders, and stay alert to questionable senders or subject lines. Finally, never enter your credentials on a site you reached via an email; instead, go to the app directly and check your account to see if any issues need your attention. For more information on cyberthreats in the coronavirus era, check out this post.