We use cookies to allow us and selected partners to improve your experience and our advertising. By continuing to browse you consent to our use of cookies. You can understand more and change your cookies preferences here.


When you click on a retailer link on our site, we may earn affiliate commission to help fund our not-for-profit mission.Find out more.

6 Apr 2022

NHS Covid test scam exposed

Watch our video to find out how NHS Covid test scams work
NHS logo

With recent changes to the Covid testing rules, fraudsters are impersonating the NHS in a series of constantly evolving scam text messages.

From April, the majority of people living in England need to pay for lateral flow tests, unless you meet certain criteria. In Scotland, some free testing will continue until Monday 18 April. In Wales, free PCR tests ended in March, but free lateral flow tests will be available until June. But, no changes to Covid testing have been confirmed for Northern Ireland yet.

Unsurprisingly, scammers are taking the opportunity to capitalise on the Covid testing changes, sending text messages asking you to order a test and pay a delivery fee.

Here we show you what the scam looks like and how it works. We also explain how to report it and where you can buy genuine Covid tests.

Sign up to free Which? Scam Alerts and outsmart the scammers.

NHS Covid scam text

While we found many examples of this scam with slightly different wording and web addresses, the premise remains the same:

  • It says you need to order a Covid test
  • It includes a dodgy link to a fake NHS website
  • You're asked to pay a delivery fee of around £1-£2

The copycat NHS website looks seemingly legit, but we know that scammers can be skilled at copying the branding, style and format of genuine websites. However, the big giveaway is the web address itself, which isn't the real NHS website.

As the video shows, the fraudsters use the scam to steal my personal details and to try and take money from my bank account a few days later. We set up fake details to giveaway for the purpose of this investigation.

Each of the attempted fraudulent transactions were for amounts of no more than just £1. This isn't unusual - scammers often start small to go unnoticed, then attempt higher sums further down the line. This is also the pattern we found when Royal Mail scammers tried to steal £4,000 from my account and when an energy phishing email led to a phone call with a scammer who tried to con me out of £1,000.

Find out how to spot an email scam

How to report a scam

  • Email - forward phishing emails to report@phishing.gov.uk.
  • Text - report scam texts to 7726 for free using the service provided by telecoms providers.
  • Websites - if you've found a fake website, report it to the National Cyber Security Centre.
  • Phone call - if you receive a suspicious phone call, hang up and report the number to Action Fraud or the police if you live in Scotland.

If you think you've shared your details with a scammer - contact your bank immediately. You can also report the scam to Action Fraud or the police if you live in Scotland.

Read our guide for further information on how to report a scam.

Avoiding text scams

The NHS told us they do sometimes include links in their vaccine text messages, these are only to the NHS website for booking and more information - the real NHS website is www.nhs.uk.

The NHS won't ask you to buy a test or hand over any financial details.

Text messages from the NHS should also come from a sender name, not a mobile phone number.

Which? is urging companies to improve text message communications to protect their customers and reduce the risk of impersonation scams.

Our guide for best practice text message communication includes calls on businesses to:

  • Never include a phone number to call back
  • Never use generic shortened URLs for hyperlinks
  • Be consistent in how and why they use SMS communications to contact consumers
  • Protect SMS sender ID, which is the sender name displayed on the text

Businesses at risk of spoofing by scammers should protect their inbound customer service numbers through the UK regulator Ofcom's Do Not Originate scheme. They should also protect themselves against SMS spoofing via the UK's Mobile Ecosystem Forum SMS SenderID Protection Registry.

Help our scams research, policy and campaigns work by sharing your experience of a scam with us.