
Watch out: Omicron variant scams being used to steal your identity

Tinted microscope image of a coronavirus displayed on an Android phone.
(Image credit: photosince/Shutterstock)

Never ones to pass up an opportunity, phishing scammers are now using the media coverage of the new Omicron variant of the SARS-CoV-2 virus, which causes COVID-19, to steal people's personal information and commit identity theft.

It began last week when British consumer-review website Which? (the question mark is intended) got several phishing emails forwarded from readers. All the emails claimed to come from the National Health Service (NHS), England's public-health authority, and offered to send readers an Omicron-variant home-testing kit.

The emails added that every resident of England needed to take such a test or be required to self-isolate.

"People who do not consent or cannot agree to a COVID-19 test and refuse to undergo a [test] swab must be isolated," the email said.

The email provided a link or button for readers to click on, which took anyone foolish enough to do so to a fake NHS page that, as Which? put it, "asks for your full name, date of birth, address, mobile [number], and email address — more than enough to attempt identity fraud." 

As an option, it also asked you to provide your mother's maiden name as the answer to a "security question." There was also a "delivery fee" of £1.24 (about $1.65 U.S.) to get the supposed Omicron test to you.

Coming to America

Today (Dec. 6), Bitdefender reported that it had seen the same scam email repurposed to target U.S. residents, with the purported sender being the federal Department of Health and Human Services rather than the NHS.

The U.S. version is a bit different. Confusingly, it urges you to "book your slot today" for an Omicron-variant test, which presumably would be done at a clinic or pharmacy, but then later offers to send you a home-test kit.

Instead of providing a link to a website, the U.S. version just provides a phone number to call.

"Individuals who are duped into calling the number will most likely end up speaking directly to the scammers, who plan to trick them into handing over personal information including their credit-card details," Bitdefender's Alina Bîzga wrote in a company blog post.

Needless to say, don't believe any of these emails, or similar instant messages, text messages or social-media posts, if they come your way. There's no COVID-19 testing mandate for the general public in either country, and the tests in use can detect the Omicron variant along with other forms of the virus.

What to do if you fall for the Omicron phishing scam

If you do happen to fall for one of these scams, then you're at serious risk of identity theft. U.S. residents should set up a free credit freeze with the Big Three credit-reporting agencies, Equifax, Experian and TransUnion, as well as file fraud alerts with all three bureaus. (You need to contact only one bureau about the fraud alert, and that bureau will notify the other two.) 

Take advantage of the greater availability of free credit reports, because at least until April 2022, you can get a free report from Equifax, Experian or TransUnion every week at annualcreditreport.com. You'll also want to consider one of the best identity theft protection services.

U.S. residents should also file a fraud report with the Federal Trade Commission at https://reportfraud.ftc.gov/ just so the agency can keep track of the scams. And if you happen to give one of these scammers your credit-card number, contact the bank that issued the card right away and notify them that there might be fraudulent charges on the way. You may have to be issued a new card.

If you're a U.S. resident and someone does end up using your personal information to commit fraud, then you may need to file a police report. That's the first legal step in reclaiming your identity and making sure you won't be held liable for fraud committed by someone pretending to be you. We have more information in our guide about what to do if your identity is stolen.

In the U.K., you should apply for Protective Registration with the fraud-prevention service Cifas. Protective Registration costs £25 and places an alert with your file in the National Fraud Database, which lasts for two years. You can also get free credit reports from each credit bureau's UK website: Experian, Equifax and TransUnion.

And as in the U.S., you also should contact your credit card's bank if you gave the number to the scammers.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.