HMRC phishing attacks offer cash rebate as lure

The phishing emails did not exhort citizens to file their electronic tax returns; instead they offered a cash rebate, paid straight into the recipient's bank account. In a public security warning, HMRC has told taxpayers that it does not use email to advise them that they are due a refund, let alone direct them to an online site to enter the details needed to process one.

Mickey Boodaei, CEO of Trusteer, an IT security company that has several major banks as its customers, said that these types of phishing emails are around twice as effective for fraudsters as 'regular' bank phishing messages.

The carrot of free cash also persuades many internet users to lower their normal guard and, when they see a choice of bank sites on the 'HMRC landing page', they click through to enter their bank and other personal details, he said.

The result, he added, is not a credit to the recipient's bank account but usually a fraudulent debit, or series of debits, by cybercriminals that empties the account.

According to Boodaei, when people receive what appears to be a free cash giveaway – or deal that looks very tempting – the first thing they should do is fire up a search engine and look for reports of a possible scam on the Net.

For example, he says, entering the words 'HMRC tax refund email' into Google returns a series of links, the first of which says: 'HM Revenue & Customs would not inform customers of a tax rebate via email, or invite them to complete an online form to receive a rebate of tax...'

Boodaei said that the rate of HMRC phishing attacks has been pretty constant throughout the year. About one in three financial phishing attacks in the UK is targeting HMRC.

The victim lands at a web page that is similar to the HMRC website, where they are requested to click on their bank's logo – most attacks will show logos for 5 to 10 UK banks. When the victim clicks on one of the logos they arrive at a fraudulent website that looks like the bank where they are requested to log on.

"It's at this point their login information is being stolen", Boodaei said.

Cybercriminals, he said, are using automated tools to generate these phishing attacks and therefore they can generate a high volume of attacks in a very short space of time.

Trusteer recommends that users type the address of the institution whose website they want to reach directly into the browser rather than following a link from an email. In addition, before submitting login information, check that the website uses a secure protocol such as https and that a padlock, or similar icon, appears in the web browser to confirm a secure connection. Note that https and the padlock only confirm that the connection is encrypted, not that the site belongs to the institution, so the address in the bar still has to be checked.
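The two checks described above (is the link really pointing at the institution, and is the page served over https) are what a lookalike landing page is designed to defeat, so here is an added example, written for this page and not code from Trusteer, HMRC or any bank, of performing them programmatically on the links in a lure email. The allowlist of institution domains and the sample lure HTML are constructed for illustration; a real deployment would maintain its own list. The code rejects the common tricks that a naive string comparison lets through: a trusted name buried in the middle of a longer hostname, a trusted name placed in the userinfo part of the URL before an `@`, and non-ASCII or punycode hosts that mimic a trusted name.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist of registrable domains (illustrative assumption,
# not an authoritative list of HMRC or bank domains).
TRUSTED_DOMAINS = {
    "hmrc.gov.uk",
    "examplebank.co.uk",
}


def host_is_trusted(hostname, trusted=TRUSTED_DOMAINS):
    """True only if hostname equals a trusted domain or is a subdomain of one
    on a label boundary, so 'fakehmrc.gov.uk' does not match 'hmrc.gov.uk'."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def check_login_url(url, trusted=TRUSTED_DOMAINS):
    """Return (ok, reason) for a URL a user is about to enter credentials at."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "not https"
    host = parts.hostname  # lowercased, userinfo and port stripped
    if not host:
        return False, "no host"
    if parts.username is not None:
        # 'https://hmrc.gov.uk@evil.example/' shows a trusted name but goes elsewhere
        return False, "userinfo present in URL (lookalike trick)"
    try:
        host.encode("ascii")
    except UnicodeEncodeError:
        return False, "non-ASCII host (possible homoglyph)"
    if host.startswith("xn--") or ".xn--" in host:
        return False, "punycode host"
    if not host_is_trusted(host, trusted):
        return False, f"host {host} not in allowlist"
    return True, "ok"


class _LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
            self.links.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def audit_links(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, anchor text, reason)] for every link that fails the checks."""
    collector = _LinkCollector()
    collector.feed(html)
    bad = []
    for href, text in collector.links:
        ok, reason = check_login_url(href, trusted)
        if not ok:
            bad.append((href, text.strip(), reason))
    return bad


# Constructed sample lure: a 'choose your bank' page of the kind the article
# describes, with two lookalike links and one genuine-looking link.
SAMPLE_LURE = """
<p>You are due a tax refund of 263.70 GBP. Select your bank to receive it:</p>
<a href="https://hmrc.gov.uk.refund-portal.example/login">Example Bank</a>
<a href="https://hmrc.gov.uk@203.0.113.5/bank2">Second Bank</a>
<a href="https://www.hmrc.gov.uk/">HM Revenue &amp; Customs</a>
"""

if __name__ == "__main__":
    for href, text, reason in audit_links(SAMPLE_LURE):
        print(f"REJECT {text!r} -> {href}: {reason}")
```

The point of `host_is_trusted` is the leading dot in the `endswith` check: a plain `"hmrc.gov.uk" in host` test would accept both `fakehmrc.gov.uk` and `hmrc.gov.uk.refund-portal.example`, which is exactly how the landing pages in the article are named. Parsing with `urlsplit` rather than string search is what catches the `user@host` form, because the hostname the browser actually connects to is whatever follows the `@`.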

"The major banks are using EV-certificates, which means the address bar should turn green and the name of the institution will appear on the bar. Banks employ highly professional security experts and are closely monitoring the problem. Their advice is the most likely to keep you away from fraud", he said.

"Our Rapport system – now in use by RBS, Natwest, Santander, HSBC and others – constantly monitors HMRC phishing attacks against online bankers. In addition to blocking these attacks and reporting them to subscribing banks, the system is also capable of monitoring attack trends and informing banks of the main threats their customers are facing over time", he added.

"This valuable information allows banks to mitigate these threats in various ways, reducing the level of threat and potential losses."

Nick Staib, director of the Get Safe Online program, also advised caution when dealing with these types of phishing emails.

"In much the same way that banks would never discuss sensitive financial matters by email, so HMRC would not discuss financial matters such as tax refunds by email", he said.

"In any event this kind of message also falls into the 'too good to be true' category used by online fraudsters", he added.
