Cybercriminals are getting an early start by promising U.K. computer users a sizable tax refund in an attempt to steal their personal data.
Recipients of the email scam, which appeared to come from Her Majesty’s Revenue and Customs (HMRC) the U.K. government department responsible for collecting taxes, were told to visit a gateway portal to receive a tax refund of around 542 pounds, according to Malwarebytes Labs.
The cybercriminals instructed potential victims to act within the same day upon receiving the email. It directed the victims to a fake gateway portal which replicated the Microsoft Outlook login page. This provided the hackers with access to usernames and passwords. Once at the bogus HMRC site, victims were asked to fill out a comprehensive form that ended with fields to enter their credit card details. Much like legitimate government forms, researchers noted that the site validated what people entered to ensure they were inputting accurate information, including phone numbers and dates of birth.
Although tax refunds are of obvious interest to individuals, there are plenty of people who might be logged in to their personal email accounts at work, meaning phishing cases like these could potentially threaten an entire organization. The challenge is to understand what’s going on at the moment an attack occurs.
To ward off this type of attack, IBM experts recommend conducting regular internal phishing assessments and making use of open source intelligence. Companies should also make it easy for users to report phishing cases — and that doesn’t mean simply telling employees to contact IT. Instead, instructions should be as specific as possible within company policies.
Effective strategies include giving staff a hotline to call or chatbot to text and providing contact details for a specific employee who specializes in IT security issues. When the details are granular and there’s no fear of repercussions, employees are more likely to come forward when something happens and security teams can more quickly respond to threats.
Other types of HMRC scams –
Fraudsters also use spoofed calls and leave victims automated voicemails saying that they owe HMRC unpaid taxes.
In most cases they ask for payment in iTunes gift card voucher codes and tell victims they have arrest warrants, outstanding debts or unpaid taxes in their name.
How to protect yourself:
- Recognise the signs – genuine organisations like banks and HMRC will never contact you to ask for your PIN, password or bank details.
- Stay safe – don’t give out private information, reply to text messages, download attachments or click on links in emails you weren’t expecting.
- Every Report Matters – report phishing emails to us and forward them onto HMRC at firstname.lastname@example.org.