Category Archives: Security

COVID-19 Corona Virus and NHS Test and Trace

The COVID-19 Virus

The UK’s NHS today launched its COVID-19 “Test and Trace” system in England.

I have seen no discussion of fraud, but this system is an open invitation for scammers and fraudsters.

People will apparently get unexpected phone calls from NHS “Test and Trace” telling them they have been in contact with the COVID-19 infection, and they must immediately self-isolate for 14 days. The phone call will also ask for details of who they’ve been in contact with. It seems the “Test and Trace” system will use all sorts of methods – maybe including one’s use of credit cards – to track your movements and who you may have been in contact with.


Scammers will exploit this. They have shown that they are more than willing to use fake emails (for example, pretending to be Microsoft, HMRC, the police, BT and so on) to get you to respond (or click on a link) to provide more details about yourself. They will then use these details – sometimes in very creative ways – to steal your money, get access to your emails (and thereby steal your money or get your relatives of friends to lose money) and so on.

Scammers and fraudsters are also very happy to use phone calls that start “This is Microsoft” or “This is Windows Support” or “This is BT” to involve you in a scam which will end up with you losing money.


So you can be sure scammers will soon start making phone calls that start “This is NHS Test and Trace” and end up costing you money, sometimes thousands of pounds. Banks (or credit card companies) don’t usually refund this money because “you were negligent in giving out confidential details”.

All far as I know, there is no way to check if a “Test and Trace” call is genuine. The government doesn’t seem to have thought of this. It’s not clear yet what information a genuine Test and Trace call will ask you for, or what you might believe, but it could quite feasible involve credit card details or other private information. And they might quite well say “it’s the law, you have to tell us” (which is isn’t, and you don’t).

HOWEVER, if you’re happy to tell them more-or-less public information like your credit or debit card numbers, your bank account number (it’s on every cheque you write, after all) or your email address, I wouldn’t tell them any security information. They don’t need to know any passwords, PINs, login details, “memorable data”, security answers, and so on.


This is old advice: you shouldn’t click on links in emails, trust any website (unless you know how to check), or believe any email is from who it says it is. Emails that start “Hello” or “Dear Customer” are not being sent to you personally, so your account hasn’t been suspended, you haven’t won the lottery or become eligible for a refund or compensation.

So it’s the standard advice, nothing new, but a new opportunity for fraud. Fraudsters are clever, ingenious, resourceful, and convincing. Always be on your guard. Just as you don’t cross the road without looking, don’t trust something because it’s on your commuter, found by Google or “looked trustworthy”. Be suitably suspicious!

Good Password Practice

My customers are getting a lot of scam e-mails that say, in essence:

“I an a hacker and I know your password is tulip123. I have recorded you looking at porn. If you don’t send me £1,000 in the next 24 hours, I’ll send an embarrassing video of you to all your friends and contacts”.

In my example, the person getting the e-mail really does have a password of tulip123, so it’s all a bit worrying.

The e-mail is a try-on, of course: the “hacker” doesn’t have an embarrassing video of you. But how does he (or she, but I’ll use “he” here) know your password?

Well, he doesn’t. He’s not even a hacker; he’s most likely bought a list of e-mail addresses and password from somewhere, and is e-mailing each one to try to extort money. I guess it works, or at least the perpetrators think it will, because it’s very widespread.

Note he doesn’t say what password. Is he claiming he knows my mail password, my Amazon password, my PayPal password, my computer logon password, or what?

They’d all be different, right?

You can check if any of your passwords are for sale. Just put in your email address here. (I wouldn’t normally suggest putting your email address – and especially not a password – into a web page, but this one is well-known, has been around for a long time, and seems to be reputable. But as you’ll find, in the world of computer security, trusting the things are what they seem may be unwise.)

Here’s what I got:

As you can see, I’m on Linked In – and my email address and password (my credentials) were revealed in a “breach” that Linked In suffered in 2016. (I’ve since changed them.)

If I had used my Linked In password and e-mail address for, say, my Amazon account, anyone who had my LinkedIn credentials would also be able to log into my Amazon account. That’s why it’s very unwise to re-use passwords.

But what about the passwords themselves. I wonder how easy mine might be to guess? Well password-cracking programs exist, and they are pretty good. They are cleverer than you’d think – they start with common passwords – things like secret123 and welcome123 and pa55word – before going through all the combinations.

The same website that I mentioned above can also check all the passwords that have been revealed on the “dark web” and tell you how many times a password you are considering has been used and revealed. I tried tulip123:

And Tulip123:

And tuliP123:

So, here’s my four rules for passwords:

  1. Make each one different.
  2. Make them a random set of number, digits and symbols.
  3. Make them at least 12 characters long.
  4. Write them down in at least two places, and keep the list up to date.

All this means you’ll have to use a program to generate, store and back-up your passwords for you. Using a Password Manager is the only sensible way to handle passwords. I have an article on password managers here.

Finally, consider using Two-Factor Authentication (2FA) for important passwords. The most common form of 2FA sends a code to your mobile phone every time you log in from your computer, and you have to type in this code as part of the log in process. But don’t do this for mail if you use a mail program (sometimes called a mail client), for example Microsoft Outlook. In that case, see if your mail provider support the use of an Application Password when using a mail client. Gmail and G Suite do, but BT, Yahoo, Sky, TalkTalk and so on mostly don’t.

PS: When I ask people which is their most important password, they usually answer “the bank” or similar. In fact, it’s not: for most people, their mail password is their most important password. This is because once someone knows your mail password they can sit back and watch every mail item you receive (and possible every mail item you send). They can do this from their own computer anywhere in the world – they doesn’t need access to your computer. Now consider what happens if you forget the password to (say) you Amazon account … Amazon sends a link to your e-mail which will allow you to re-set your Amazon password. So anyone who knows your email password can probably change any other password to one they know.

Additionally, If someone else can read all your e-mails, consider what happens if you’re buying a house, say. The day before you are due to send your solicitor the deposit, you get an email from him/her (the solicitor, as you think) mentioning they have changed their bank, and would you send the money to their new account, as follows. It looks genuine, is signed in the normal way and with the right name, and has all the right logos, so you believe it … and lose you money. The person with your mail password saw you were about to send a large amount of money (by reading your email) and was able to see exactly how he or she had to make the fake e-mail look. He had a newly set-up account waiting (scammers often trick someone else into letting them use their account), you transferred the money to it, he transferred the money into Bitcoin and closed the account. No trace.

There are plenty of well-documented examples of this. Google found me these three, but there are plenty of others. Protect that email password!

How to avoid solicitor conveyancing email scam that costs house buyers

Property sellers warned not to email solicitors: ‘We lost £204,000’

More Reading


Password Cracking Evolution
Top Ten Password Cracking Techniques used by Hackers
Testing a Password Cracker

Password Strength Testers

These sites say they don’t store your passwords, or even send them over the Internet, but I haven’t checked them.

Password-protect a spreadsheet

It can be useful to protect an Excel spreadsheet with a password, for example before sending it by e-mail. Password-protected files are also encrypted, so there’s no way of seeing their contents without knowing the password.

You can do the same with Word documents. The process is virtually identical to that described below for Excel.  Access databases can also be password protected, although it’s a little more complicated (look for File | Info | Encrypt with Password).

Here are step-by-step instructions for putting a password on an Excel spreadsheet. Continue reading Password-protect a spreadsheet