with personal information and credentials the target

As the Self Assessment Tax Return deadline looms in the UK, PhishMe has warned of phishing messages, purporting to be from HM Revenue and Customs (HMRC) circulating. While the number of campaigns^* circulating in 2015 has decreased against previous years, the messages themselves still pose a threat due to their sophisticated and devious nature. It’s worth noting a recent deviation is, instead of spreading malware, the scammers are trying to directly spoof individuals into handing over their personal information.

The research team at PhishMe has seen a great number of these phishing emails in the last several years according to threat analysts Ronnie Tokazowski, Heather McCalley and Brendan Griffin.  Ronnie explains, “HMRC spoofed messages have been circulating for a number of years. With the deadline for self-assessment in the UK this weekend, the opportunity for scammers to spoof unsuspecting individuals under pressure to file their return before the cut-off point is a real possibility once again. In recent months we’ve seen two separate HMRC inspired campaigns circulating that were both used to deliver a malware known as Pony – a password stealer; and a key-logger – that records what a person types on the keyboard. In 2015 there was a definite spike in HMRC messages during the first four months of the year and, while data is still being collected for 2016, we envisage that spammers will be looking to capitalise on the UK’s tax season once again”

Once the deadline has passed, scammers often change tactics and will try to spoof users with messages of rebates. A theme PhishMe has already seen tried according to Heather: “Last February, scammers adapted their messages with the promise of a refund as a result of overpaid tax. However, instead of secreting malware, the messages were a credential phish seeking to collect personal information under the guise of HMRC contact. The recipient’s encouraged to complete the return to claim the rebate; however, having completed the file and ‘submitting’ the form, all the details are delivered to the cyber-criminals via the Internet – and not HMRC. From this point, instead of receiving money, it’s likely that the criminals will use the collected data to use the person’s identity for illicit gain.”

Heather continues, “Of course, it isn’t just tax season when HMRC scams circulate. A few months back, in November, we saw a campaign circulating where the criminals had spent time creating a spoof HMRC website that was quite intricate and looked legitimate to the untrained eye. The underlying code of the page caused the information entered to be delivered once again to fraudsters.”

Brendan concludes, “Phishers are continuously looking for ways to spread malware and collect personal information that they can monetise. In fact, while a Visa or MasterCard is worth $4 on the black market, a person’s date of birth can be traded for as much as $11. If a criminal has the complete package – so National Insurance number, date of birth and credit card details – as the scams above tried to collect, that can fetch $30.”

If you receive a message, and are unsure of its legitimacy, HMRC has advice for recognising phishing emails and a list of genuine HMRC digital and other contact it has issued here: https://www.gov.uk/government/publications/genuine-hmrc-contact-and-recognising-phishing-emails/genuine-hmrc-contact-and-recognising-phishing-emails

* A ‘campaign’ refers to each unique wave of an email and not the volume of messages circulating. In 2015, PhishMe Identified 22 ‘campaigns’ compared with 38 in 2014 – a 40% decrease. Despite these small numbers, the values are still statistically significant.