Menu Close

Phishing Tax Scam Targets UK Mobile Users – ‘Annoyingly Believable’!

Share This Post

Share on facebook
Share on linkedin
Share on twitter
Share on email

A well-done SMS phishing attack is taking personal data & credit-card details under the disguise of offering tax refunds.

A text message-based tax scam is going around the UK, in a probable preview of the future, as the US tax season soon gets underway too.

SMS messages are going out to unsuspecting people claiming to be from Her Majesty’s Revenue & Customs (HMRC). Seen by researchers at Sophos, the messages inform people that they have received a refund for “overpayment in year 2019/2020” & are asked to click a link to “proceed.”


The link, https://www.hmrev.customs.[REDACTED].com, seems somewhat believable, noted Paul Ducklin, researcher at Sophos, as does the rest of the campaign – it’s “annoyingly believable” he noted in a blog on the campaign, posted Fri.

“In this scam, we have to admit that the crooks pulled off a surprisingly believable sequence of web pages – not perfect, but visually believable nevertheless,” he observed.

“Their pages look similar to the pages you’d see on a genuine UK govt site; they’ve included niceties such as a coronavirus warning in order to add a touch of timely realism; they’ve mostly used the right sort of terminology, such as remembering to ask for your National Insurance number instead of your SSN; & they’ve remembered not to put a ‘Z’ in the word ‘organisation.’”

Mobile Tax Scam

The scam begins when a target clicks through to a mobile web page, which is a set of well-designed phishing pages designed to harvest personal data. They ask for various data points, including “mother’s maiden name,” which is of course a common security-gate question for financial applications.

Ducklin noted that the final page also asks for bank-account details & then a credit-card number, expiration & CVV – perhaps the 1st red flag in the attack.

“If you didn’t realise before, you should figure that this is a scam at this point, because there’s simply no reason for anyone to ask for your credit-card data in order to make a refund to your bank account,” Ducklin pointed out.

CVV Code

“In particular, the CVV code (usually 3 digits on the back of your card) is used for verifying online payments, & in this case, you aren’t paying for anything.”

If the credit-card request is not a ‘put-off’, the victim will click “submit” & the data will be added to the attackers’ databases. Then, the user is shown a decoy page, which is “a believable reason to discourage you from checking up right away with the real HMRC website,” Ducklin commented.

After a few seconds, this phony page redirects to the official UK Govt. tax gateway home page, & the victim’s browsing history is deleted, so there is no easy way to look back & see what happened.

US Tax Season

The attack is well-produced, says the researcher, & people in other parts of the world should be prepared for this type of sophistication. The US tax season is just beginning to get going — a popular time for fraud.

“Every month of the year has some sort of tax relevance somewhere in the world, and tax scamming cybercrooks take advantage of the many different regional tax filing seasons to customise their criminality to where you live,” Ducklin noted.

Some Mistakes

The crooks may have done a fairly good job of putting credibility into the attack, but there were some mistakes made.

The 1st phishing pages were not hosted on an official page, as any legitimate UK govt. process would be.

“Although it’s easy to register .com & domains in the UK, the domain has a strict registration process that a cybercrook would find hard to bypass,” Ducklin explained.

Spelling Errors

Also, a close look at the copy shows spelling errors & typos that one would not expect on an official website, such as “you” are being spelled as “youu.”

On a page asking users to identify their profile, there is an “other” option explained as, “Please select this option if none of the above-mentioned category fits you.”

“Category”, of course, should have been plural.

Decoy Page

Another mistake can be found on the decoy page, which asks readers to “please bare with us as we assess & release these funds to your account” – using the wrong spelling.

Also, the fraudsters take victims directly to the purported tax-related page. However, the UK govt. gateway would have required anyone to log in, & to use 2-factor authentication.

“This scam was surprisingly believable, but the tell-tale signs were there nevertheless: A giveaway spelling blunder by the crooks on the starting page, an obviously incorrect URL in the address bar, & a request for personal information that was irrelevant to the claimed refund,” suggested Ducklin.

SMS Phishing

SMS-based phishing, known as “smishing,” is when cyber-criminals send phishing links within mobile text-messages. These approaches are increasingly popular, because of the ways that criminals can get past target scrutiny.

“SMSes are limited to 160 characters, including any web links,” Ducklin noted. “So, there’s much less room for crooks to make spelling & grammatical errors, & they don’t need to bother with all the formalised pleasantries (such as ‘Dear Your Actual Name’) that you’d expect in an email.”

Also, the links sent in text messages are hard to vet in advance, & “once you’ve tapped on the link & the browser window has filled the screen, it’s harder to spot that you are on an imposter site,” he added.

How to Protect

Ducklin offers a few best practices for avoiding becoming a ‘smishing’ victim:

  • Whenever possible, check the address bar to vet the URLs
  • Carefully read for giveaway mistakes in messages & web pages
  • Implement 2FA
  • Use common sense & never provide credit-card details without there being a good reason for it
  • During tax season, people should bookmark the official website of their country’s tax office & only ever go there using their own links.

“If you only ever visit important websites using bookmarks of your own, you will always sidestep crooks who send you phishing links,” Ducklin concluded.

Virtual Conference March 2021


More To Explore

Community Area


Home Workouts


spaghetti Bolognese