BBC Breakfast is the flagship daily breakfast TV programme on BBC One and the BBC News Channel. It is the UK’s most watched breakfast news programme. On 30 March 2021, the show had a live interview with Sir Lenny Henry to talk about COVID vaccinations.
Unfortunately, while advising people to get medical advice about vaccines, Lenny Henry said to viewers to visit "nhs·com"
, attempting to encourage people to get official advice from the UK’s National Health Service, rather than potentially unsafe sources. The official NHS website is "nhs·uk"
; the NHS does not own or use "nhs·com"
and it does not redirect to the official website.
In a segment of the interview, Henry says:
“…go to a medical professional, your GP, or to
nhs·com
and get the proper information so that you’re properly informed…”
There was no clarifying context from the BBC that this was not the correct website.
When visiting "nhs·com"
, you are presented with a website exploiting users and their trust in the NHS. On the homepage, the malicious website uses Google Ads to host links to competing and potentially unsafe health services. Their “Book an Appointment” link does not book an appointment with the NHS, for example. By using Google Ads, it means the malicious party and Google are both capturing revenue from this operation. The Google Ads programme is highly automated but their systems, people and policies should be able to detect and block harmful practices. Some phishing sites also host ads on their homepage to try to conceal more dangerous activities on other pages, so it does not preclude them from also hosting phishing and scam campaigns.
Misremembering a domain is an easy mistake to make. Domains ending in only "·uk"
are rare — the most notable domains are "gov·uk"
and "nhs·uk"
. Most organisations in the UK use "·co·uk"
or "·com"
domains. It is conceivable to say and use "·com"
because we are so used to them; they are the most common type and we might expect a large organisation to use it, or at least own it.
Domains are hard to remember. Domains are easy to get wrong. Domains and URLs are not fit for human consumption. A user should just be able to use “nhs” and know they’re on the official NHS website. Why can’t we just have names on the web? That’s what ARIs are designed to do.
The Lenny Henry clip featuring "nhs·com"
was repeated throughout the day in regular bulletins on the BBC News Channel, missing broadcast playout checks numerous times, and advice was lacking from the BBC to viewers that this website was unsafe.
The "nhs·com"
website is still malicious in December 2022, 21 months after being mentioned in the BBC broadcast.