Personal details that include card details, email login credentials and other information, such as a mother’s maiden, name are all at risk of exposure through the scam that masquerades as official correspondence from the tax service.
Phishing for Details
The email, which claims the UKGov has issued a tax refund of more than £500, has been sent to a number of victims and directs people toward a fraudulent “gateway portal”.
In this particular scam, time is of the essence, however. The fraudsters have deliberately included a deadline on when someone can claim this refund, which MalwareBytes said is unusual.
Christopher Boyd, lead malware intelligence analyst at the cybersecurity firm, wrote in a blog post: “Typically, we tend to see time limits of a few days on fake emails such as this one, so they’re really relying on pressure to get the job done here. We suspect anyone else receiving one of these will find themselves faced with a similarly pressing deadline.”
Down the Cybersecurity Rabbit Hole
Recipients who take this email at face value will then find themselves at a login screen, wherein they are required to enter their login details via the “gateway portal”. Boyd said that, unlike many “boilerplate tax phishes“, people are not sent directly to a fake HMRC page to enter card details.
Instead, the first point of entry is on an “imitation Outlook login”, where a potential victim is asked for their email address and password.
From here a victim is then forwarded to a form where they are required to enter additional personal information. Details requested here include name, address, phone number, DoB and mother’s maiden name. This information, the firm said, appears to be checked against a database of some sort in order for the scammers to establish if the entered details are legitimate.
“The site performs a basic validation check on some of the information entered,” he said. “The reason for this is so the scammers can be reasonably confident that the person on the other side of the screen entered accurate information.”
If a victim does not pass this validation process, they are unable to enter their card details. However, if the personal details are shown to be correct – or at least believable – they are then prompted to enter the details of the card which they wish funds to be sent to – this includes expiry date, CVV number, sort code and the bank account number.
Boyd highlighted the unusual timing of this particular scam. For UK citizens, these scams increase during the April tax season. However, it could be to the scammer’s advantage to circulate emails such as these when people have their guard down.
“While these scams tend to experience a boom period during tax season,” Boyd commented. “There’s nothing preventing scammers from firing these out at other times of the year.”
He added: “It might be more of a benefit for them to do so. Recipients may be more likely to have their guard down due to the lack of “fake tax refund” articles making the rounds. Out of sight, out of mind and all that.”
Staying Safe Online
While many will view emails such as these and scoff, the reality is that some will fall victim to online scams. Professor Bill Buchanan, head of Napier University’s Cyber Academy, told Digit that phishing emails are now one of the main ways for cybercriminals to steal your information.
“A targeted phishing email one is now the one that many users fall for,” he said. “As it often targets something that triggers an emotion. This includes messages related to failed payments for Netflix, for example.”
Buchanan noted recent concerning examples in which fraudsters can dupe people into a response; which could have disastrous consequences.
“A recent phishing campaign against university students displayed a message of “You have an admirer who wants a date”, and where it looked as if it was sent from someone that the user may know.” he said.
To stay safe online, Buchanan said, one should always view dubious emails with suspicion. If in doubt, throw it out.
He commented: “Don’t trust emails, don’t click on those suspicious email links, don’t open suspicious email attachments and watch your login screens.
“If you think you have been tricked change your password so that an intruder cannot, even if they have it. This limits the scope of a potential attack on the system.”