
SMS tax scam unmasked: Bogus but believable – don’t fall for it!

Every month of the year has some sort of tax relevance somewhere in the world, and tax scamming cybercrooks take advantage of the many different regional tax filing seasons to customise their criminality to where you live.

In the UK, the 2019/2020 tax year ended on 05 April 2020, and the deadline for filing your taxes electronically was 31 January 2021.

With a January filing deadline, it’s not surprising for UK tax refund scams to kick in about now.

After all, everyone loves a refund, although they’re usually very modest in the UK if you get one at all, because your employer (if you have one) is supposed to get the tax calculations that they do on your behalf pretty close to the target.

So we weren’t surprised, although we were disappointed, to receive our first SMS-based tax scam of the season last night, helpfully submitted by a Naked Security reader:

SMS message allegedly from HMRC, the official name of the UK tax office.
Delivered via a UK mobile number.
[HMRC] A tax rebate of £278.44 has been issued to you for an over-payment in year 2019/2020. Please click the link to proceed: https://www.hmrev.customs.[REDACTED].com

(HMRC is short for Her Majesty’s Revenue and Customs, and using that abbreviation in the UK is as usual and as expected as saying IRS in the United States.)

As regular Naked Security readers will know, there’s still a significant sector of the cyberunderworld that goes in for smishing, as SMS-based phishing attacks are colloquially known, for three simple reasons:

Annoyingly believable

In this scam, we have to admit that the crooks pulled off a surprisingly believable sequence of web pages – not perfect, but visually believable nevertheless.

Their pages look similar to the pages you’d see on a genuine UK government site; they’ve included niceties such as a coronavirus warning in order to add a touch of timely realism; they’ve mostly used the right sort of terminology, such as remembering to ask for your National Insurance number instead of your SSN; and they’ve remembered not to put a -Z- in the word organisation.

Fortunately, however, they were stuck with a bogus website name, because although it’s easy to register .COM and .CO.UK domains in the UK, the .GOV.UK domain has a strict registration process that a cybercrook would find hard to bypass.
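The .GOV.UK point above can be turned into a mechanical check on the link in a message before anyone taps it. This is an added example, not code from the Sophos article; the sample links are constructed, with example.com standing in for the redacted scam domain, and the check only answers one question: does the hostname the browser would really connect to sit under gov.uk?

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample links for illustration (not taken from the article).
# example.com stands in for the scam domain, which the post redacts.
SAMPLE_LINKS = [
    "https://www.gov.uk/",                      # genuine suffix
    "https://www.hmrev.customs.example.com",    # stand-in for the SMS link
    "https://gov.uk.example.com/login",         # gov.uk used as a prefix, not a suffix
    "https://www.gov.uk@example.com/",          # userinfo trick: browser goes to example.com
    "http://www.gov.uk.",                       # trailing dot, same DNS name
]

OFFICIAL_SUFFIX = "gov.uk"


def hostname_of(link: str) -> Optional[str]:
    """Return the lower-case hostname a browser would actually connect to,
    or None if the link is not an http(s) URL with a host."""
    parts = urlsplit(link.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # urlsplit().hostname already drops any user@ prefix and the port.
    return parts.hostname.rstrip(".").lower()


def is_official_uk_gov(link: str) -> bool:
    """True only if the host is gov.uk itself or a label directly under it.
    A plain substring test would accept gov.uk.example.com, so match on a
    label boundary instead."""
    host = hostname_of(link)
    if host is None:
        return False
    return host == OFFICIAL_SUFFIX or host.endswith("." + OFFICIAL_SUFFIX)


def triage(links):
    """Map each link to the hostname seen and the verdict, for a quick review."""
    return {link: (hostname_of(link), is_official_uk_gov(link)) for link in links}


if __name__ == "__main__":
    for link, (host, ok) in triage(SAMPLE_LINKS).items():
        print(f"{'OK ' if ok else 'BAD'}  {host!s:<32} {link}")
```

The check is an allowlist on the registered suffix only; it says nothing about a page that is genuinely under gov.uk but compromised, and it does not inspect the link text shown in the message, which can differ from the real target.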

Also, as you will see if you take the time to check really carefully (try “reading” the text on the page backwards using your finger – an old trick for proofreading your own documents), the crooks have made various mistakes, such as spelling errors, that you would not expect on a website such as HMRC’s:

At first glance, the scam start page is a visually realistic clone of the real thing.
But look carefully: there are typos and errors here.

In this scam, the crooks also decided to take you straight to a bogus tax-related page.

However, the UK government gateway would make you log in first, including using two-factor authentication, which would give you a different user experience:

Left. The scam landing page bypasses the regular government login page.
Right. Access to the UK tax site requires login first (2FA is compulsory).

You might think that 2FA is a hassle you could do without, but you can actually turn the “hiccup” that it puts in your way to your advantage.

Whenever your workflow is interrupted by a 2FA request, for example to retrieve a text message code or open up an authenticator app, use it as a reminder to implement the “Stop. Think. Connect” principle, and take some extra time to look again at all the security indicators you can find before you put in the 2FA code.

Check the address bar; go back and review which links you clicked to get there; take another look for giveaway mistakes in the messages and web pages you’ve seen so far. (Did you spot the weird word youu in the fake page above? If not, go back and look again now – it’s in the selection box labelled Individual.)

The phishing starts

The first phishing page asks for quite a lot of personal data:

The first phishing page of the scam.
Field names follow typical UK terminology, but HMRC doesn’t use “mother’s maiden name” as ID.

Then the crooks go after your bank account and credit card details.

If you didn’t realise before, you should figure that this is a scam at this point, because there’s simply no reason for anyone to ask for your credit card data in order to make a refund to your bank account.

In particular, the CVV code (usually three digits on the back of your card) is used for verifying online payments, and in this case you aren’t paying for anything:

The tax office does allow you to use a bank account for a refund.
But putting in credit card data (including the CVV “secret code”) is what you do for payments, not for refunds.

Next comes a rather neat “decoy page” – a sort of polite placeholder page that brings this fraudulent process to a believable finish, along with a believable reason to discourage you from checking up right away with the real HMRC website:

Decoy page to make you think the process completed innocently.
But look carefully: there are typos and errors here.

After a few seconds, the final fake page above (did you spot the typo asking you to bare with us?) redirects you to the official UK government gateway home page, and wipes out your browsing history so far.

This leaves you on a genuine page with no easy way to go back and double-check what just happened on the fake pages:

At the end, you get redirected to the real UK government portal
in order to round off the scam neatly.

What to do?
