How to Spot a Fake Contact Tracing Message

Praised by public health officials, contact tracing is rolling out as areas reopen.

And according to the U.S. Federal Trade Commission (FTC), it's also the latest opportunity for cybercriminals.

The FTC warns that a contract tracing smishing scheme is ramping up at the same time contact tracing is expanding. 

What is this new COVID-19 smishing attack?

Hackers and cybercriminals use smishing, which is the mobile version of phishing (a spoofed email), to send a bogus text message (SMS) straight to your device.

This format is particularly useful to contact tracing scammers, as text messages are a component to legitimate contact tracing. 

How can you spot a fake contact tracing message?

According to the FTC, you can spot a fake contact tracing message because it contains a link. Here is one example the agency shared. See the message on the right. 

"Someone who came in contact with you tested positive or has shown symptoms for COVID-19," the message reads. That part alone may be similar to the message you receive.

However, if your message contains a link, do not click it.

In this case, clicking the link will take you to a page where you are asked for personal information that cybercriminals want to capture.

The FTC says legitimate contact tracing messages should not contain a link.

How can you spot a real contract tracing message?

So if the message above is a fake, are there clues that tell you what you received is a legitimate message? Yes.

The FTC says legitimate contact tracing involves a text message and then a phone call, which should go something like this:

"People who had contact with someone infected with COVID-19 may first get a text message from the health department, telling them they'll get a call from a specific number.

The tracer who calls will not ask for personal information, like a Social Security number.

At the end of the call, some states ask if the contact would like to enroll in a text message program, which sends daily health and safety reminders until the 14-day quarantine ends.

But tracers won't ask you for money or information like your Social Security, bank account, or credit card number. Anyone who does is a scammer."

That last paragraph is pretty clear, isn't it?

You get information from a contact tracing phone call, you do not give it.

Contact tracing scams, fake texts and calls

Are you getting unwanted, fake text messages about contact tracing or phone calls from scammers who claim to be contact tracing?

The FTC recommends filtering unwanted messages and calls to reduce the risk and annoyance. You can do this in three primary ways:

1. Your phone may have an option to filter and block messages or calls from unknown senders or spam.
2. Your wireless provider may have a tool or service that lets you block certain texts messages.
3. Some call-blocking apps also let you block text messages.

See the FTC advisory here.