‘Annoyingly Believable’ Tax Scam Targets Mobile Users


A well-crafted SMS phishing effort is harvesting personal data and credit-card details under the guise of offering tax refunds.

A text message-based tax scam is making the rounds in the U.K., in a probable harbinger of things to come as the U.S. tax season gets underway in earnest.

SMS messages are going out to unsuspecting U.K. citizens claiming to be from Her Majesty’s Revenue and Customs (HMRC), the country’s IRS-equivalent. Spotted by researchers at Sophos, the messages tell targets that they’ve received a refund for “overpayment in year 2019/2020” and ask them to click a link to “proceed.”

The link, https://www.hmrev.customs.[REDACTED].com, looks plausible at a glance, as does the rest of the campaign, which Paul Ducklin, researcher at Sophos, called “annoyingly believable” in a blog post on the campaign published Friday.

“In this scam, we have to admit that the crooks pulled off a surprisingly believable sequence of web pages – not perfect, but visually believable nevertheless,” he said. “Their pages look similar to the pages you’d see on a genuine U.K. government site; they’ve included niceties such as a coronavirus warning in order to add a touch of timely realism; they’ve mostly used the right sort of terminology, such as remembering to ask for your National Insurance number instead of your SSN; and they’ve remembered not to put a ‘Z’ in the word ‘organization.’”

A Believable Mobile Tax Scam

The scam begins when a target taps the link and lands on a mobile-formatted phishing flow: a sequence of well-designed pages built to harvest personal data. They ask for various data points, including “mother’s maiden name,” which is of course a common security-gate question for financial applications.

Ducklin noted that the last page also asks for bank-account details and finally a credit-card number, expiration and CVV – perhaps the first red flag in the attack flow.

[Screenshot: the scam’s SMS and phishing pages. Source: Sophos]

“If you didn’t realize before, you should figure that this is a scam at this point, because there’s simply no reason for anyone to ask for your credit-card data in order to make a refund to your bank account,” Ducklin pointed out. “In particular, the CVV code (usually three digits on the back of your card) is used for verifying online payments, and in this case, you aren’t paying for anything.”

If the credit-card ask isn’t a put-off, the victim will click “submit” and the data will be whisked off to the attackers’ databases. After that, the user is shown a decoy page, which is “a believable reason to discourage you from checking up right away with the real HMRC website,” Ducklin said.

After a few seconds, this phony page redirects to the official U.K. government tax gateway home page, and the redirect leaves no obvious trace in the browser’s back history (a web page cannot wipe the browser’s history outright, but it can replace its own history entry so the back button skips straight over it), so there’s no easy way to look back and see what happened.

The attack is surprisingly well-crafted, according to the researcher, and users in other parts of the world should expect the same level of polish to reach them. The U.S. tax season is just beginning to crank up, which is a popular time for fraudsters.

“Every month of the year has some sort of tax relevance somewhere in the world, and tax scamming cybercrooks take advantage of the many different regional tax filing seasons to customize their criminality to where you live,” Ducklin noted.

How to Tell if It’s a Mobile Scam

The crooks may have done a fairly good job of building verisimilitude into the attack flow, but they made a few mistakes.

For one, the initial phishing pages weren’t hosted under a .gov.uk domain, as any legitimate governmental process would be.

“Although it’s easy to register .com and .co.uk domains in the U.K., the .gov.uk domain has a strict registration process that a cybercrook would find hard to bypass,” Ducklin explained.

Also, a close look at the copy reveals spelling errors and typos that one would not expect on an official website, such as “you” being spelled as “youu.”

On a page asking users to identify their profile, there’s an “other” option explained as, “Please select this option if none of the above mentioned category fits you.”

“Category” of course should have been plural.

Another example can be found on the decoy page, which asks readers to “please bare with us as we assess and release these funds to your account” – using the wrong homophone.

Also, the fraudsters drop victims straight onto the purported refund page. The real U.K. Government Gateway would first have required them to log in, and to complete two-factor authentication, before showing anything tied to their tax record.

“This scam was surprisingly believable, but the telltale signs were there nevertheless: A giveaway spelling blunder by the crooks on the starting page, an obviously incorrect URL in the address bar, and a request for personal information that was irrelevant to the claimed refund,” said Ducklin.

What is SMS Phishing?

SMS-based phishing, known as “smishing,” is when cybercriminals send phishing links within mobile text messages. The approach is increasingly popular because the medium itself strips away the cues people normally use to scrutinize a message.

“SMSes are limited to 160 characters, including any web links,” Ducklin noted. “So there’s much less room for crooks to make spelling and grammatical errors, and they don’t need to bother with all the formalized cultural pleasantries (such as ‘Dear Your Actual Name’) that you’d expect in an email.”

Also, the links sent in text messages are hard to vet in advance, and “once you’ve tapped on the link and the browser window has filled the screen, it’s harder to spot that you are on an imposter site,” he added.
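As an added example (not code from the Sophos write-up or from this article), the following Python script does offline what the article says is hard to do on a phone screen: it pulls each link out of a text, works out which domain actually controls it, and checks whether the host really sits under gov.uk rather than merely containing official-sounding words such as “hmrev” or “customs.” The sample messages, the trimmed stand-in for the Public Suffix List, the allowlist of official suffixes and the lure-word list are all constructed assumptions for this example, not data from the campaign.

```python
import re
from urllib.parse import urlsplit

# Hand-written, trimmed stand-in for the Public Suffix List: a registrant
# controls the label directly above one of these suffixes.  Assumption for
# this example only; a real check should use the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk", "gov.uk"}

# Suffix under which the real HMRC / Government Gateway sites live.  Assumed
# allowlist for this example; the article notes gov.uk registration is restricted.
OFFICIAL_SUFFIXES = ("gov.uk",)

# Words crooks borrow to make a hostname look official (assumed list).
LOOKALIKE_TOKENS = ("hmrc", "hmrev", "customs", "gov", "revenue", "tax")

# Lure words typical of a refund smish (assumed list).
LURE_WORDS = ("refund", "overpayment", "rebate", "tax")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Registrable part of a hostname, e.g. example.com for
    www.hmrev.customs.example.com.  Longest suffix is tried first."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # labels[i:] is a public suffix; one label above it is the name someone owns
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def is_official_host(host: str) -> bool:
    """True only if the host is, or sits under, an official suffix.
    The leading dot matters: gov.uk.example.net must not pass."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in OFFICIAL_SUFFIXES)


def extract_urls(text: str) -> list:
    # Strip punctuation that SMS text often glues onto the end of a link.
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def vet_sms(text: str) -> dict:
    """Offline triage of one SMS: where do its links really go, and does the
    text carry a refund lure?"""
    lowered = text.lower()
    has_lure = any(w in lowered for w in LURE_WORDS)
    links = []
    for url in extract_urls(text):
        host = urlsplit(url).hostname or ""
        official = is_official_host(host)
        links.append({
            "url": url,
            "host": host,
            "registrable_domain": registrable_domain(host),
            "official": official,
            # an official-sounding word inside a non-official host is the classic tell
            "lookalike": (not official) and any(t in host for t in LOOKALIKE_TOKENS),
        })
    suspicious = has_lure and any(not l["official"] for l in links)
    return {"lure": has_lure, "links": links, "suspicious": suspicious}


def triage(messages) -> list:
    """Verdicts for a batch of messages, in order."""
    return [vet_sms(m) for m in messages]


# Constructed sample messages (not real campaign text).  The first mimics the
# refund lure described in the article, with an example.com stand-in host.
SAMPLES = [
    "HMRC: you are eligible for a tax refund of 265.84 GBP for overpayment in "
    "year 2019/2020. To proceed: https://www.hmrev.customs.example.com/refund.",
    "Reminder: your Self Assessment deadline is approaching. Sign in at "
    "https://www.tax.service.gov.uk/ to check.",
    "Urgent tax refund waiting, claim now https://gov.uk.example.net/claim",
    "Running late, see you at 7? https://maps.example.org/r/xyz",
]

if __name__ == "__main__":
    for msg, verdict in zip(SAMPLES, triage(SAMPLES)):
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"[{flag}] {msg[:60]}...")
        for link in verdict["links"]:
            print(f"    {link['url']} -> {link['registrable_domain']} "
                  f"official={link['official']} lookalike={link['lookalike']}")
```

The point of the suffix walk is that the crooks’ hostname puts the convincing words on the left, where the eye reads them, while the only part anyone had to register is at the right; `is_official_host` also refuses `gov.uk.example.net`, which a naive `"gov.uk" in host` test would wave through.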

How to Protect Against Mobile Phishing?

Ducklin offers a few best practices for avoiding becoming a smishing victim:

  • Whenever possible, check the address bar to vet the URL before typing anything.
  • Read carefully for giveaway mistakes in messages and web pages.
  • Use two-factor authentication wherever it is offered.
  • Use common sense, and never provide credit-card details without a good reason for it.
  • During tax season, bookmark the official website of your country’s tax office and only ever go there via your own bookmark, never via a link in a message.

“If you only ever visit important websites using bookmarks of your own, you will always sidestep crooks who send you phishing links,” Ducklin said.
