Tax Phishes Spawn on Both Sides of Atlantic

Tax season in both the US and the UK is upon us. and it looks like cybercriminals are once more trolling for unwitting victims with thematic phishing emails
Tax season in both the US and the UK is upon us. and it looks like cybercriminals are once more trolling for unwitting victims with thematic phishing emails

In the UK, the 6th of April is a significant date as it marks another cycle of the British Personal Tax year. “Phishers know about this, too, and didn’t waste time in spamming fake emails purporting to be from [Her Majesty’s Revenue and Customs] (HMRC) to recipients who may or may not fall for their trick,” Malwarebytes explained in a blog.

The campaign that Malwarebytes found in the wild is fairly straightforward: It sends a notice of a “refund” to the target, which contains an HTML file as an attachment. One the person clicks on it, they’re taken to a faux log-in page that asks for the pertinents: name, date of birth, address, postcode, account number, card number, expiration date and security code. Also, the phishers are asking for a Verified by Visa password and an estimated tally of the balance on the card.

“Both of these will come in very handy when asked for additional identification depending on what they’re trying to get up to,” Malwarebytes said.

The credit card information should be a dead giveaway to consumers but the mail itself uses stilted language and poor capitalization and grammar in places, marking it as hardly an official communique from the government:

The contents of this email and any attachments are confidential and as applicable, copyright in these is reserved to HM Revenue & Customs. Unless expressly authorised by us, any further dissemination or distribution of this email or its attachments is prohibited.

We announce you: After the last annual calculation of your fiscal activity we have determined that you are eligible to receive a tax refund of 438.65 GBP.

You have attached the tax refund form with the TAX REFUND NUMBER ID: 381721763, complete the tax refund form attached to this message.

To access your tax refund, please follow the steps bellow:

- download the Tax Refund Form attached to this email
- open it in a browser (recommended mozilla firefox or google chrome)
- follow the instructions on your screen

After completing the form, please submit the form by clicking the SUBMIT button on form and allow us 5-9 business days in order to process it.

The letter is signed as being from one Kathy Donnelly, purportedly from the HMRC Tax Credit Office in Preston.

“A quick Google search on the supposed tax refund ID of ‘Miss Donnelly’ shows that this particular email has been appearing occasionally on inboxes since 2012,” Malwarebytes said.

In the US, the deadline for filing taxes to the Internal Revenue Service (IRS) is April 15. That country is seeing its own share of phishing scams, including a new one that uses emails that appear to be from the IRS Taxpayer Advocate Service and include a bogus case number.

“Your reported 2013 income is flagged for review due to a document processing error. Your case has been forwarded to the Taxpayer Advocate Service for resolution assistance. To avoid delays processing your 2013 filing contact the Taxpayer Advocate Service for resolution assistance.”

The recipient is directed to click on links that supposedly provide information about the "advocate" assigned to their case or that let them "review reported income." The links lead to web pages that solicit personal information.

“The Taxpayer Advocate Service is a legitimate IRS organization that helps taxpayers resolve federal tax issues that have not been resolved through the normal IRS channels,” the IRS warned. “The IRS, including TAS, does not initiate contact with taxpayers by email, texting or any social media.”

Tax refunds are a common subject for fakes and phishes, and because of this, consumers may be generally more savvy about falling for them. “A tax phish may be a good hook, but it could also work against the scammers because potential victims may already be on the lookout for them,” Malwarebytes noted.

What’s hot on Infosecurity Magazine?