Beware! COVID-19 Omicron-Based Phishing Campaign Underway in the UK
Bad actors are at least as aware of new Covid-19 strains and variants as the medical community, it seems. With the Omicron Covid-19 variant still being closely monitored and with data still being collected on it, hackers are already making illegal profits from the new wave of hysteria brought on by the new variant.
After the World Health Organization issued an official statement, highlighting the new named strain of the Covid-19 virus as a cause for "concern", headlines spread faster than a wildfire, and the world was once again focused on the pandemic, more so than in recent months. Threat actors did not wait for a second invitation and got to work, launching a new phishing campaign focused on the Omicron variant.
Threat actors are going all-out in this new campaign, spreading phishing messages using not just emails and text messages but even personally calling people on their phones. The targeted area appears to be just the UK so far.
The bait used in the new scam campaign is a message tailored to look like legitimate correspondence from the UK National Health Service. In essence, the bait consists of the false promise of a free PCR test.
The structure of the phishing messages follows the usual rules of social engineering used regularly by hackers - confusion, lies and attempts to instill fear. The messages claim that conventional PCR tests cannot identify Omicron and people who refuse the test will be "isolated". If you ever get this far through the message, you probably also notice that the message is full of grammatical issues and inconsistencies and certainly doesn't look like something the official authorities at the UK NHS would ever publish.
However, hackers rely on panic, fear, and impulse reactions when the victims receive those messages, and those often work to the hackers' advantage.
Clicking the malicious link inside the messages leads to a mock-up of a fake NHS page where the victim's full name, phone number, date of birth and address are all harvested. All of this constitutes personally identifiable information and can be used in a number of malicious ways by the party collecting this information illegally.
The only thing users are advised to do in such cases is keep a cool head and fact-check every scary message they get on their phone or in their inbox before acting on it out of panic and on impulse.