Santander warns of fake NHS Covid-19 scam which has conned customers out of £880,000 so far this year

 Unsuspecting Britons have been conned out of £880,000 through fake NHS Covid text scams claiming they had come into contact with a virus case since January, Santander has warned.

The bank said people are being scammed out of £5,600 on average, with one couple even transferring more than £20,000 after fraudsters send the victims a link to a fake NHS website to order a PCR test. The website then asks for their personal details and a small amount of money is requested to cover postage for the PCR test – meaning the payment card details can be harvested by the fraudster.

The thief then contacts the intended victim pretending to be from their bank and convinces them they are being scammed and they need to move their money into a ‘safe account’.  

Unsuspecting Britons have been conned out of £880,000 through fake NHS Covid text scams claiming they had come into contact with a virus case since January, Santander has warned. Pictured, an example of a bogus text a person might receive 

People are being scammed out of £5,600 on average, with one couple even transferring more than £20,000 after fraudsters send the victims a link to a fake NHS website to order a PCR test 

Top tips to stop fraud 

Criminals will offer 'travel deals' to obtain your money and information. Websites may look genuine, but subtle changes in the URL can indicate they are fraudulent. Websites may use images of luxury villas and apartments that do not exist. These are offered for rent, often at discounted prices and require deposits which are never returned.

Where possible, book directly with an established hotel or through a reputable travel company/agent that is a member of a trade body such as Abta or Atol.

Always use the secure payment options recommended by reputable online travel providers and do not accept requests to pay separately via a bank transfer.

Where possible, use a credit card when booking holidays over £100 and up to £30,000 as you receive protection under Section 75 of the Credit Consumer Act.

When travelling in the EU, people will be able to access emergency and medical care with a Global Health Insurance Card (GHIC). This card has replaced the European Health Insurance Card (EHIC). Criminals are asking people for payment details, when the GHIC is free. They are advertising cards on fake websites that emulate the NHS. They claim to either fast-track or manage your application process before charging an up-front fee. 

Criminals may also target people with fake 'Covid certificates' and 'passports'. Often posts include a link to a fraudulent website, used to steal personal and financial information.

The name on the safe account is often someone else’s and the fraudster will concoct an explanation for why it is not in the customer’s name. In reality, the account is controlled by the fraudster.

Once the money is sent, all contact is cut off, and victims’ details are sometimes sold on to other criminals.

In one case seen by the bank, ‘Mrs D’ received a text purportedly from the NHS warning her she had been in close proximity to someone who had tested positive for the Omicron variant. She clicked on a link in the text to order a PCR test and paid £1 for postage.

She then received a call from someone claiming to be from the Santander fraud team, who advised her she had recently fallen victim to an NHS PCR scam and that her account was at risk.

She was told she needed to move her money to a safe account immediately. The account details provided were under someone else’s name.

When Mrs D transferred the money, confirmation of payee – the system used by many banks that checks whether the account name matches the account number provided – confirmed the account was registered to someone else but she continued with the transfer.

Once the transfer was complete, the fraudster asked to speak to her husband. Mr D was advised to move his money from his joint account with his wife into his sole account, as his wife’s details were apparently compromised.

He was then provided with the same account details as his wife and told to transfer his money to the safe account. In total, Mr and Mrs D transferred more than £20,000 to the fraudster.

Chris Ainsley, head of fraud control at Santander UK, said: ‘Be on high alert if an SMS or email includes a link to a website, however genuine the website may look, and never feel pressured to move your money.

‘No bank or legitimate organisation will ask you to transfer your money to a safe account – ever.’

Santander said if someone is contacted by a person claiming to be from their bank, the police or any organisation and they are asked to move their money, they should stop, end the call and call their bank, making sure to use a number they trust.

If they think they have fallen victim of this type of scam, they should report it straight away, the bank said.

Adam French, Which? consumer rights expert, said: ‘Throughout the pandemic, fraudsters have used every change in Covid rules as an opportunity to create new scams to part people from their hard-earned cash.

‘These scam NHS texts offering PCR tests are no exception. People should be on high alert for scams and if in any doubt, should verify the text directly with the NHS or their bank before giving any personal or bank account details.

‘Which? is calling on banks and businesses to sign up to its SMS best practice guide and commit to taking steps to help prevent their customers falling victim to fraud.’

During the pandemic, there was a massive spike in coronavirus-related cybercrime, including fraudsters using fake NHS Covid apps to dupe victims. 

As Britain’s vaccine rollout began in January 2021, vulnerable Britons were targeted with fraudulent messages offering them access to coronavirus vaccinations. Pictured, an authentic letter received by residents on the Isle of Wight

Experts oversaw a 15-fold rise in the removal of online campaigns in 2020-21 compared to 2019, according to the National Cyber Security Centre.

There was a jump in the number of phishing attacks using NHS branding to dupe victims, with the Covid-19 vaccine rollout used as a lure via email and text message to harvest people's personal information for fraud. 

HM Revenue & Customs remains the most copied brand used by fraudsters, totalling more than 4,000 campaigns, followed by the Government’s gov.uk website, and TV Licensing. 

As Britain’s vaccine rollout began in January 2021, vulnerable Britons were targeted with fraudulent messages offering them access to coronavirus vaccinations.

The Chartered Trading Standards Institute (CTSI) said that text messages had been sent out including links to fake NHS websites that asked recipients for bank details, supposedly for verification purposes.

Such messages were first reported at the end of December on the Western Isles of Scotland, but the CTSI said they were ‘by no means limited to the region’.