As the United States stands at the cusp of tax season, Americans should brace themselves for even more malicious yet highly believable tax scams making the rounds now in the U.K. The U.K. files their taxes on January 31st, so most residents have already filed but many are getting these scams delivered as SMS.
What is Happening?
U.K. residents are receiving text messages that say they come from Her Majesty’s Revenue and Customs (HMRC), the U.K.’s version of an Internal Revenue Service (IRS).
Using a technique called “smishing,” scammers are sending messages claiming that the recipient has received a “tax rebate of $xxx.xx for an overpayment in year 2019/2020 and to click here to proceed.” The link looks very convincing and even references the HMRC.
Sophos security research firm claims that the website the link takes visitors to is “annoyingly believable” with details like a coronavirus message at the top, authentic terminology, and they even spelled “organisation” with an “s” instead of a “z.”
Although when you look closer, you see the text on the page devolves into spelling errors, misconfigured sentences, and is clearly not a government resource. Not to mention that the .com URL gives it away as fake. All government URLs in the U.K. end with .GOV.UK.
Another glaring difference is that the real HMRC tax website forces users to log in first, and the fake one does not. Additionally, the HMRC website uses two-factor authentication to ensure that only the real user logs in using those credentials.
The Finer Details of the Scam
Upon landing on the fraudulent tax page, users are first asked to select whether they are individuals or entities. They are then asked for a lot of personal information such as name, date of birth, home address, phone number, mother’s maiden name, and national insurance number (which is like our SSN). That page alone exposes the site as a scam because no legitimate tax entity is going to ask for all that information to discuss a tax overpayment with you.
If a user were to enter all that data and continue, the next section then asks for credit card details, including the CVV code on the back of the card. Oddly enough, you aren’t paying for a product or service, so most users should question why they are being asked for this information. The page uses a vaguely worded threat about “tax penalties,” warning the user to enter the data correctly. If the user has gotten that far, the final nail in the identity theft coffin is the page that asks for your banking details (bank account number and sort code). That amount of information would be pretty much a treasure trove to any identity thief or hacker.
Finally, after collecting all the personality identifiable information (PII), the website shows a confirmation page warning that it may take up to 10-14 days while they “verify the information” before receiving your refund. As a final coup de grace, the page wipes out your browser cookies and redirects you to the legitimate government website making it impossible to trace.
How Taxpayers Can Stay Safe This Year
Before this tool is rebranded and used here in the U.S., taxpayers can arm themselves with the knowledge of how to stay safe and avoid these types of scams.
- The IRS will never text or email you.
- Do not click any links in emails or SMS messages from anyone you do not know, even if it “appears” legitimate.
- Never give out personal information (especially as much as this website asked for) online or to someone you don’t know.
- Be diligent in checking URLs before visiting websites. Watch for .gov in URLS for any federal or state-level websites.
Use common sense, and if anyone promises you money that you didn’t expect or if something sounds too good to be true, it probably is a scam.