The ‘NHS Test and Trace’ system is up and running in England to reduce the spread of coronavirus. The last thing I expected was to receive a telephone call this morning informing me that I needed to self-isolate for 14 days. Thoughts raced through my mind about who I had been in contact with over the last week. Then onto who else I could have passed the virus on to — then compounded by the death rate over 38,000 people in the UK and 350,000+ globally. Then within a few seconds, my thoughts changed from potential consequences to one of scepticism about the call itself. Instead of thinking about family and friends, I found myself wearing my information security hat again, and everything about the call felt wrong.
During the daily press briefing over the weekend, Dr Jenny Harries, deputy chief medical officer for England, said “it will be very obvious”, when asked how people would know if the call was genuine. However, I don’t believe this will be true for all fake calls of this nature. The level of fear surrounding the coronavirus is off the scale, and people respond differently to fear. Fraudulent coronavirus telephone calls will exploit the fear people are experiencing
- The caller didn’t introduce themself by name, but rather brushed over the introduction quickly into wanting me to confirm my date of birth for identification purposes
- The caller wanted to know who I had spent time with recently – the caller refused to tell me who I had been in contact with on the grounds of patient confidentiality
- The caller wanted to know where I had been while outside my home – the caller refused to tell me where or when I had contact with a Covid-19 carrier
- The caller evaded question from me, by asking more questions; which all required me to provide personal details. It felt like an attempt to drown out my thinking on the matter so that I would respond from panic and fear rather than rational thought.
- The call came through to my phone as an unknown number – official information states that the incoming call should be from 0300 013 5000. It is worth noting that the caller-ID can be spoofed, so the correct number could still be a fake call.
- The tone of voice had more in common with professional sales staff working the streets to sign people up for monthly charity contribution or those that want you to change your Gas, Electricity or Broadband provider. Nothing said gave me the impression that the call was genuine, or that the caller had any health services experience.
These factors collectively supported my quickly formulated opinion that the call was fake.
Very quickly, it became apparent that it was a tactic to get me to provide the information, which they could confirm as the reason for me needing to self-isolate. The caller wanted information from me, but failed to demonstrate any credibility that they were genuinely acting on behalf of our National Health Service. I ended the call. The caller has not yet called again. I can speculate as to the direction of the telephone call had I answered questions without thinking, but will reserve that for a follow-up article.
The problem is that too many organisations call their customers, and expect people to identify themselves, so people are used to the idea of answer security questions whenever an organisation calls them. There is no way to know for sure if these types of calls are 100% genuine, and the only real defence is to politely inform the caller that you will call the NHS Track and Trace helpline to discuss the matter in detail. Calling the official contact telephone number is something that I always recommend when financial institutions call their customers. The same applies in this case. The contact telephone number, along with additional information is available at
Contact tracers should ask people to call the official contact telephone number to discuss the matter; this will allow proper dialogue to take place. As this is unlikely to happen, the security measure is as follows:
- Accept the call. The caller will identify themself as calling from the NHS Test & Trace team
- Thank the caller for making contact
- Inform the caller that you will contact the NHS Test & Trace team directly on the official contact telephone number
- End the call and obtain the correct telephone number from an authoritative source.
- Contact the NHS Test & Trace team directly
If we are going to self-isolate for 14 days, the least we should expect is to know and understand the conditions in which we potentially became infected with Covid-19.
This article is one that I wish I never needed to write. However, it was inevitable that with something so life-changing as coronavirus, widespread fear and anxiety would be open to exploitation for malicious purposes
Updated – 2nd June 2020
Thirty hours have elapsed since I received this call, and I have not received any further contact on this matter. If this were genuine, someone would have attempted to contact me again by now given the importance of the test and trace programme.
Information security consultant with over 20 years’ extensive experience gained across a diverse range of private and public industry sectors including insurance, banking, telecommunications, health services, charities and more, both in the UK and internationally. Graduated in 1997 with a software engineering degree and specialising in cyber security, risk analysis, compliance reporting and access management.