NHS Test and Trace Scam: What’s Real and What’s Not

In September 2020, the NHS ‘Test and Trace’ COVID-19 contact tracing app launched in England and Wales. Based on APIs from Apple and Google, the app uses Bluetooth technology to track time and distance between smart devices.


The app also makes use of QR code check-in at venues such as bars, restaurants and cinemas to measure the impact of a COVID-19 outbreak and contact customers who may have been affected.

From a security perspective, this is much more secure than having the venue collect and store data themselves.

Contact tracing works by asking people who have tested positive for the virus to share the details of anyone they have been in contact with who could have caught it from them. This could be a crucial step in lowering the infection rate of Coronavirus. Unfortunately, cybercriminals are exploiting the contact tracing system to gain access to sensitive information and even make money.

The Phone Call

Cybercriminals are impersonating the NHS and even spoofing the real NHS Test and Trace phone number (0300 0135 000).

Take a look at how one conversation between a cybercriminal and a potential victim plays out:

Criminal: “Good afternoon, I’m calling from the NHS test and trace service. According to our system, you are likely to have been in close proximity to someone who has tested positive for COVID-19. This means that you now need to self-isolate for 7 days and take a COVID-19 test.”

Potential Victim: “OK. Can you tell me who that person was?”

Criminal:  “I’m not able to tell you that. That is confidential information.”

Potential Victim: “Right. Um… so ….”

Criminal:  “But you do need to be tested within the next 72 hours. So can I just get the best mailing address so that we can send a kit to you?”

Potential Victim: “Ok (gives address)”

Criminal:  “I just need to take a payment card so that we can finalise this and send the kit to you.”

Potential Victim: “Sorry – a payment card? I thought this was all free?”

Criminal:  “No – I’m afraid not. There is a one-off fee of £50 for the kit and test results. Could you read off the long card number for me, please, when you’re ready.”

Potential Victim: “No – that’s not right. This is part of the NHS so there’s no charge.”

Criminal:  “I’m afraid there is. Can you give me the card number please – this is very important, and there are penalties for not complying.”

In difficult and unprecedented times such as these, it is easy for your vigilance towards cybercrime to slip. It is important, firstly, to know that cybercriminals are exploiting the NHS contact tracing system and, secondly, to know the correct and official procedure a genuine contact tracing call would follow.

On a genuine call, contact tracers will never:

  • ask you to dial a premium rate number (for example, those starting 09 or 087);
  • ask you to make any form of payment;
  • ask for any details about your bank account;
  • ask for your social media identities or login details, or those of your contacts;
  • ask you for any passwords or PINs, or ask you to set up any passwords or PINs over the phone;
  • ask you to purchase a product – including a test;
  • ask you to download any software to your device or ask you to hand over control of your PC, smartphone or tablet; or
  • ask you to access any website that does not belong to the Government or NHS.

If you receive a call from somebody claiming to be from the NHS, and they ask you to do any of these things, hang up and report the call:

  • to Action Fraud, by calling 0300 123 2040 or by visiting its website, if you are in England, Wales or Northern Ireland; or
  • to the Police, via 101, if you are in Scotland.

Other useful information around Test and Trace includes:

  • Text messages about Test and Trace will always be sent from ‘NHStracing’, which is a protected sender ID.
  • You will only be asked to pass on the details of anyone you have been in contact with if you have tested positive or have developed symptoms.
