Naked Security

Criminals send out fake “census form” reminder – don’t fall for it!

Don't fall for fake text messages, no matter how realistic the website looks if you click through.

Like many countries, the UK runs a census every ten years.

The census asks each household in the country to provide answers to a series of questions about the individuals living at that address, such as name, age, nationality, languages spoken, education, employment and health.

(More precisely, the census requires answers, rather than requesting them, because participation is mandatory.)

The census happens in any year ending in the digit 1, making 2021 a census year (except in Scotland, where it has been postponed until 2022 due to the coronavirus pandemic).

As you can imagine, most people are answering their 2021 census questions online, with the government sending random but unique 16-character access codes addressed to each known household by snail-mail.

You go to https://www.census.gov.uk/, put in the unique code, and complete the process online – no need to fill in a long paper form by hand and then snail-mail it back.

If you don’t complete the census form (the official closing date was Sunday 2021-03-21), you will receive a series of warning letters, each with a new 16-character code, urging you to get the job done, and reminding you that you could be fined £1000 if you don’t.

Beware fake forms

If you’re amongst those who haven’t finished off their census submissions yet, but who keep meaning to get around to it, make sure you don’t fall prey to fake “census reminder” notices sent out by cybercriminals!

And be careful even if you have finished off your form but think that there might be details you left out or completed incorrectly.

That’s because cybercrooks are taking advantage of the fact that the census is online by trying to phish you out of data that you wouldn’t hand over otherwise.

Here’s an example of a census scam sent in today by one of our readers – a totally bogus text message (SMS) “notification” about finalising your census submission:

As you can see, the server name here is obviously fake because it doesn’t end .gov.uk, which is a controlled domain available only to official national, regional and local government bodies in the UK. (The punctuation in this message is also messed up, but not all crooks are that careless.)

The server name here ends .com, which is a top-level domain where almost anyone can get almost any name they want.

For example, we just tried to buy madeup-domain-that-looks-governmental-2021.com, notquitewhatiseems.com and avoid1000poundfine.com, and were offered them for just £0.99 a year each.

So you ought to spot this as a scam right away, but if you do click through you will find a surprisingly believable mockup of the real UK Census 2021 website:

Instead of a 16-character code, the fake form asks for your postcode. (Note that the crooks could easily have sent you a made-up code and asked you to type it in, just for show, but in this case they didn’t.)

As you can imagine, the questions that the crooks ask you if you do put in a postcode look just like real census questions, on a site that looks much like the real deal.

The problem, of course, is that everything you reveal about yourself and your household goes directly to the crooks, not to the Office for National Statistics.

The criminals did make some grammatical mistakes in their forms that a native speaker of English might notice, and these would be another giveaway, along with the fake domain name, but the crooks have cloned the UK Office for National Statistics “look and feel” very believably.

Sadly, even if you answer a few questions before you realise it’s a scam and bail out, the crooks will still have all the answers you’ve entered up to that point, so it’s worth taking extra time to check your online surroundings before you put in any data at all.

What to do?

  • Check the domain name on websites carefully. UK government sites should end in .gov.uk. It’s hard for crooks to get control of one of those – they can’t just be bought online like .com domains can. Also, watch out for domain names where the left-hand end looks legitimate, but the right-hand end says that it belongs to someone else, as in a name like census.gov.uk.example.com. The person who owns example.com also owns and can use all domain names that end with that name, not just plain example.com itself.
  • Don’t use links in text messages or emails. The Census 2021 website is well-known and easy to find through reliable sources, including printed on the Census snail-mail you ought to have received. If you find your own way to a website where there is supposedly an “issue”, you won’t get suckered by fake links – whether that’s a “problem” with your bank, a “missed” home delivery or an online “order” you never actually placed.
  • Be extra cautious of links in text messages (SMSes). Text messages are short, simple and often written in abbreviated English, so the crooks are much less likely to make spelling and grammatical errors that might otherwise tip you off.
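The domain-name advice above comes down to one question: who controls the right-hand end of the hostname? Here is an added example, not code from the article or from the ONS, that answers it the way a browser would: it pulls the hostname out of a URL (so a look-alike name stuffed into the user-info part of the URL doesn’t fool it), finds the registrable name by matching the longest known suffix, and only accepts hosts that sit under gov.uk. The tiny `KNOWN_SUFFIXES` table is a stand-in for the real Public Suffix List, and the sample URLs are constructed to match the shapes the article describes.

```python
from urllib.parse import urlsplit

# Stand-in for the Public Suffix List: just enough suffixes for the
# constructed samples below. A real checker would load the full list.
KNOWN_SUFFIXES = {"com", "uk", "co.uk", "gov.uk", "example"}

# The only suffix the article treats as trustworthy for UK government sites.
OFFICIAL_SUFFIX = "gov.uk"

# Constructed sample URLs (not real scam URLs): an official-looking one,
# the census.gov.uk.example.com trick, a plain .com look-alike, and a URL
# whose "user-info" part is dressed up to read like a hostname.
SAMPLE_URLS = [
    "https://www.census.gov.uk/",
    "https://census.gov.uk.example.com/finalise",
    "https://census-uk-2021.com/",
    "http://www.census.gov.uk@badhost.example/",
]


def hostname_of(url: str) -> str:
    """Return the lowercase hostname a browser would actually connect to.

    urlsplit() strips the scheme, path and any user:pass@ prefix, so a
    fake hostname hidden before an '@' is not mistaken for the real one.
    """
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Return the part of the host that someone actually registered.

    Matches the longest known suffix and keeps exactly one label to its
    left: census.gov.uk.example.com -> example.com, www.census.gov.uk ->
    census.gov.uk. That label's owner controls every name to the left.
    """
    labels = host.split(".")
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in KNOWN_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host


def is_official_uk_gov(url: str) -> bool:
    """True only if the connected host is gov.uk itself or sits under it."""
    host = hostname_of(url)
    return host == OFFICIAL_SUFFIX or host.endswith("." + OFFICIAL_SUFFIX)


def classify(url: str) -> str:
    """One-line verdict naming who controls the hostname."""
    host = hostname_of(url)
    owner = registrable_domain(host)
    verdict = "OFFICIAL (under gov.uk)" if is_official_uk_gov(url) else "NOT gov.uk"
    return f"{url} -> host {host}, controlled by {owner}: {verdict}"


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(classify(sample))
```

Only the first sample passes; the second is owned by whoever registered example.com, the third by whoever paid for a .com, and the fourth connects to badhost.example no matter what appears before the `@`.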

5 Comments

Very helpful as I have just received such a text message informing me of ‘missing information’ but now I know that the .com is a sure-fire clue that it’s a scammer – b…..s!


Are there lessons that should be learned by the government and government bodies like the ONS?
Every year we get text scammers targeting people with fines for late Tax and fake refunds.
During the planning stage the Census team should have identified that scammers would be looking for an opportunity to exploit this event and thought about options to preempt it occurring.
I would not expect them to have identified the exact threat, but a warning and guidance on their forms about common fraud methods via text messaging and detailing their clear policy for contact could help prevent some people falling for it.
Also good work to Naked Security for highlighting this in the community.


Well, we have received a note saying we have been chosen to talk to someone about our census and will be calling in the next few days…. I will not be talking to anyone; I believe this to be a scam.


When you filled in the census form, you already “talked” about yourself as much as you were legally required to. The next time you need to “talk” to the census office will be 2031.

If you are willing to forward the email or SMS you received to tips@sophos.com I would be interested to see what it looks like. Or you could report it to ActionFraud. (Or both.)


I received a text from a mobile yesterday saying much the same as your picture of the fake, saying £950 fine. It was very convincing, as the URL address said census uk. It missed the gov uk off. Also, my partner filled in my census from her mobile, so I knew it couldn’t be genuine.
