We use cookies to allow us and selected partners to improve your experience and our advertising. By continuing to browse you consent to our use of cookies. You can understand more and change your cookies preferences here.


When you click on a retailer link on our site, we may earn affiliate commission to help fund our not-for-profit mission.Find out more.

20 Apr 2020

How to spot and stop fake coronavirus texts and emails

Coronavirus has sent scammers into overdrive. Find out how to avoid one of the most prevalent threats: phishing and smishing

Misinformation is a problem at the best of times, and during the current crisis, scammers are finding ever more creative ways to prey on our concerns.

We've all had SMS messages from the NHS and the government urging us to stay at home and observe the coronavirus lockdown, and alongside those of course come the scam emails and texts. But do you know how to spot them? We've got some pointers on the red flags to watch out for.

Read the latest coronavirus news and advice from Which?

Video: how to spot and stop coronavirus scams

Find out more about what to watch our for, and how to avoid becoming a victim.

What are 'phishing' and 'smishing' threats?

You're probably familiar with typical phishing threats - legitimate looking emails that are designed to tempt you into divulging sensitive information, such as your bank account details, usernames or passwords. These are often designed to look exactly like communication from someone you trust - your bank, an online payment provider like Paypal, or even the UK government.

From emails that arrive in our inboxes claiming to offer tax refunds, to those imploring us to 'verify' our account details and announcing that a Nigerian prince would like to park hundreds of millions of dollars in our bank accounts, the threats are wide and varied, and now they have evolved.

'Smishing' is another form of phishing that employs the same techniques, but this time through a text message to your phone.

The same scammers are still out there, hoping to cash in as we navigate our way through the torrent of information and advice from official bodies, but now they're sending out text messages designed to look like genuine texts from the NHS and the government.

Examples of recent smishing messages

So what should you look out for?The same principles apply to SMS messages as to emails - look at the URL they want you to tap through to. Here are two examples:

In both of these, at first glance they look as if they might be legitimate: they both want you to focus on the part of the url that says https://uk-covid-19, which looks as if it might come from the government.

Before we go any further, note that genuine texts from the government come from gov.uk and the government's own coronavirus website is https://www.gov.uk/coronavirus. Anything else is a scam.

These examples both mimic the genuine text we were all sent at the end of March. The real text started with capital letters and included a link to the government's own coronavirus website.

As a reminder, here is the genuine text we all received from the government.

That caused security experts some dismay, as the advice given to organisations is not to include links in texts and emails precisely because scammers often put links to their phishing websites in texts.

So it's more important than ever to pay close attention to a link sent to you in a text or email. And as with all phishing attempts to trick you into handing over your details to the scammers, the way to tell if a link is a scam is to look at the end of the URL.

How to spot smishing attempts

This is where it gets a bit technical, but with some practice, you can become quite adept at spotting and avoiding phishing and smishing attempts that perhaps aren't immediately obvious.

In the first example above, the scammers have used a subdomain. This is a way of organising websites to help people navigate to the right place, and you can create as many subdomains as you like on a domain you own.

For example, https://computing.which.co.uk/ and https://conversation.which.co.uk/ are both subdomains of the which.co.uk domain.

Here, the scammer has created uk-covid-19 as a subdomain of webdirect.org to create the uk-covid-19.webdirect.org URL, hoping that the person receiving the text will focus on the first part of the address and not notice the full domain name.

In the second example, the scammer hasn't bothered with a subdomain, but has simply bought the website address uk-covid-19-relieve.com. The aim is the same, however: they want you to focus on the first part of the website address, and in both cases they've aped the formatting of the genuine text from the government.

We're pleased to report that the websites those texts tried to get you to click on have been taken down.

What to do if you suspect a phishing or smishing attack

So what should you do if you get a text or an email that looks as if it might be from the government or another official body?

The first thing to do is - nothing. These are designed to jolt you into action: in some cases they'll be trying to panic you, such as by claiming that you owe a fine for breaking the lockdown conditions.

In this example, they're trying to get you to ring the number - don't. In other cases, such as our examples above, they're trying to encourage you to go to the website to claim the non-existent money.

Second, once you've caught your breath, have a look at the website and apply our tips. Is it a genuine government website? If you're in doubt, don't tap on the link but instead open your browser and go to the genuine website yourself. You'll quickly see if there's something there that corresponds to the text you've just received.

Third, you can report the texts to Action Fraud, which takes action against fake websites.

And fourth, block the sender on your phone so that they can't send you any more scam texts, or if it's a phishing attempt via email, use your email provider's spam controls to report the message as spam.

Finally, armed with these tips, it's worth testing how good you are at spotting scams by taking Google's own online phishing test. Don't worry, it's safe to put the information they ask for into the site.