How to spot a dodgy text message and potential phishing attack
So tonight I received a text message about getting a Covid pass to help prove I have been vaccinated. It appeared under the same sender as the other legitimate NHS text messages already on my phone.
Clearly I know that I already have the Covid pass in my NHS app; I have used it many times, so straight away I knew this was probably a phishing attack. But I wanted to be sure, so I checked various other elements, which I will share below to help raise awareness for the future, as it’s not always that straightforward.
As it popped up as being from the NHS, on first glance it could be legitimate. I have already had a couple of legitimate NHS messages recently, so it’s not out of the blue, but I also know the sender of a text message can be spoofed to make it look like another, so I paused and took a closer look.
Naturally suspicious, the first thing I did was take a good look at the URL (aka the web address, aka the domain name) it wanted me to click on.
Why would there be so many hyphen (‘-’) symbols in it? I would also expect it to be linked to the normal NHS address, www.nhs.uk, or to a subdomain or a link under it. It doesn’t look anything like that. More warning signs!
Plus, having random words like ‘confirmation’ in the domain name is a further warning sign. Normally a domain name is a bit more generic, with a sub-link or web page that explains what it wants you to do; that wording wouldn’t be part of the domain name itself, as that would tie the domain to a single purpose.
For example, we have www.3bdatasecurity.com; we don’t have www.Buy-Our-3BDataSecurity-Services-Now.com!
The next step was to perform a ‘Whois’ lookup on the domain. This time I used the Whois service from DomainTools, but there are many other providers of such services, and a quick search engine query will turn up alternatives.
The Whois record shows you some interesting intelligence about the domain www.NHS-Pass-Conformation.com, and does so instantly and for free!
All you do is type the domain you want to look up in the box and click search and you’re presented with something similar to the below.
The first thing I did was check the dates. The domain was created on 2021-10-27, which happens to be today! Hmmm, I reckon the NHS has known about the Covid pass for a little longer, so why would they be making a new website only today?
The registrar is listed as Porkbun LLC. Why would a legitimate NHS IT department pick these guys to buy their domain from? It seems a bit far-fetched, especially as I’m sure the procurement processes in the NHS are pretty tight.
The registration company is based out of the US; again, it is unlikely the NHS would be doing anything from a US-based source.
Also the other details like organisation name and address are private, I wouldn’t expect a public body like the NHS to protect their generic public details by using private domain protection (of course they could, but I wouldn’t expect it).
Let’s just back that up with a little comparison to the known legitimate NHS.UK address Whois record, just to see the difference.
Dates - this one dates back to 1996. Now, I appreciate Covid doesn’t, but it does date back earlier than around 15:00 today, when the other domain was created!
IP address - at least it links a bit closer to home than the US.
Registrant name - Department Of Health. Well, that makes sense, doesn’t it?
Registrar, registration type and address - something public and relevant to the NHS, and what I would expect of a public body; if in doubt, I could look up the address and match it to the actual location if I wanted to be sure.
So if you ever receive a link (in a text message or email) that includes a known entity’s name but is not exactly the same address or domain name, you can use this technique to do a quick comparison against the known legitimate one and see what the clear differences are.
If you then add the other elements I have covered above, you can get a good indication of legitimacy before you even need to click on the potentially ‘dodgy’ link.
So once again, security awareness is key: do not believe everything you receive is legitimate, and maintaining a healthy element of paranoia is recommended.
Hope that helps, and if you need any more help visit 3bdatasecurity.com or call us on 01223 298333.
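As an added example (not code from the original post), here is a short Python check that applies the warning signs above to a Whois record: hyphens in the name, a brand word outside the legitimate domain, a very recent creation date, a privacy-protected registrant and a registration country that doesn’t fit. The sample records are constructed from the details given in the post, with placeholder values where the post gives none.

```python
import re
from datetime import date, datetime
# Constructed WHOIS-style records modelled on the two lookups in the post; nhs.uk values are placeholders.
SUSPECT_WHOIS = """\
Domain Name: NHS-PASS-CONFORMATION.COM
Creation Date: 2021-10-27
Registrar: Porkbun LLC
Registrant Organization: REDACTED FOR PRIVACY
Registrant Country: US
"""
LEGIT_WHOIS = """\
Domain Name: NHS.UK
Creation Date: 1996-01-01
Registrant Organization: Department Of Health
Registrant Country: GB
"""
POST_DATE = date(2021, 10, 27)  # the day the text message arrived
PRIVACY_RE = re.compile(r"redacted|privacy|private|proxy", re.I)

def parse_whois(text):
    """Turn 'Key: value' lines into a dict keyed by lowercased field name."""
    pairs = (line.partition(":") for line in text.splitlines())
    return {k.strip().lower(): v.strip() for k, sep, v in pairs if sep}

def is_brand_domain(domain, legit_domain):
    """True only for the legitimate domain itself or one of its subdomains."""
    d, l = domain.lower().rstrip("."), legit_domain.lower()
    return d == l or d.endswith("." + l)

def assess(domain, whois_text, legit_domain, brand, home_country, today=POST_DATE):
    """Return the warning signs from the post that apply to this domain."""
    rec = parse_whois(whois_text)
    warnings = []
    if domain.count("-") >= 2:
        warnings.append("several hyphens in the domain name")
    if brand.lower() in domain.lower() and not is_brand_domain(domain, legit_domain):
        warnings.append(f"contains '{brand}' but is not {legit_domain} or a subdomain of it")
    age = (today - datetime.strptime(rec["creation date"], "%Y-%m-%d").date()).days
    if age < 30:
        warnings.append(f"registered only {age} day(s) ago")
    if PRIVACY_RE.search(rec.get("registrant organization", "")):
        warnings.append("registrant details hidden behind a privacy service")
    if rec.get("registrant country") != home_country:
        warnings.append(f"registered in {rec.get('registrant country')} rather than {home_country}")
    return warnings

if __name__ == "__main__":
    for dom, rec in (("nhs-pass-conformation.com", SUSPECT_WHOIS), ("nhs.uk", LEGIT_WHOIS)):
        print(dom, "->", assess(dom, rec, "nhs.uk", "nhs", "GB") or ["no warning signs"])
```

Run as-is it reports five warning signs for the suspect domain and none for nhs.uk; point it at a real record by pasting the Whois output into the `whois_text` argument.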