U.S. households can now request free at-home COVID-19 test kits. However, as is the case with other major government initiatives, such as stimulus checks, scammers are sure to try to take advantage. This time, be on the lookout for lookalike websites when requesting your tests. These scam sites may ask for payment or personal information, such as your Social Security number.
How the scam works
You see a post or ad on social media or receive an unsolicited email or text about the free COVID-19 tests. These communications urge you to request your free tests immediately by clicking on a link.
You follow the link to a website that looks official at first glance. It may have the United States Postal Service (USPS) logo, just like the actual website. It also has a form to request your tests. However, when you start filling out the form, you notice something unusual. This fake version may ask you for personal information, such as your Social Security number or Medicare ID. It could also request your credit card details under the guise of needing to pay for shipping. The actual website does not ask for payment or your SSN. Before you know it, you have given up your information to a scammer.
Tips for identifying a fake website
- Look closely at the domain name. One way fake websites trick people is by using a domain name that is extremely close to an actual business’s or organization’s domain name. For example, the correct COVID-19 test request website is special.usps.com/testkits. Scammers may swap two letters or make a slight misspelling. If you find a spelling error in the domain name, you’re not on the official site, and it is best to close the tab. Also, check if the website is secure by verifying it has a lock icon in the URL and includes ‘https.’
- Watch out for tricky subdomains. Sometimes attackers hope you will confuse a subdomain with the domain name. For example, a scammer might use the website address ‘usps.faketestkit.com,’ hoping you won’t notice that ‘faketestkit.com’ is not the correct domain name. A domain name is the word or words directly before the top-level domain (‘.com’, ‘.org’, ‘.gov’, etc.) as well as the top-level domain. In this case, the domain name is actually ‘faketestkit.com’ with the subdomain ‘usps,’ whereas the correct website’s domain name is ‘usps.com’ with a subdomain of ‘special.’
- The correct website asks only for your name and address. You do not need to pay for the tests using the government program – even for shipping. And you will not be asked for insurance details, your Social Security number or any other sensitive information.
For more information
Visit BBB.org to learn more about identifying fake websites and spotting impostor scams. Read about other popular COVID-19 scams and additional testing scams.
If you’ve spotted a scam, report it to BBB Scam Tracker, even if you didn’t fall victim or lose any money. Your report can help others avoid common scam tactics.
