Phishing emails claim to originate from Her Majesty's Revenue & Customs

Jul 6, 2009 10:56 GMT  ·  By

Phishers have launched an e-mail campaign that attempts to trick UK taxpayers into handing over their financial and personal details. The e-mails are spoofed to appear to come from HM Revenue & Customs (HMRC) and display legitimate contact details to increase their credibility.

"After the annual calculation of your fiscal activity we have determined that you are eligible to receive a tax refund of 283.23 GBP. […] please fill the payment form attached in the email," one of the phishing e-mails reads. It is noteworthy that the message is properly spelled and formulated in credible formal language.

To increase their chances of success, the phishers included security advice and warnings in the e-mails, which lends the scam credibility. For example, they advise users to close the browser after finishing the session, or mention that deliberately inaccurate inputs are criminally pursued. Rik Ferguson, solutions architect at Trend Micro, notes that the emails come "complete with the correct address of the Tax Credit Office in Preston, UK and a working telephone number for the tax credit helpline."

The trickery goes even further with the attached document, which is called payment_form.pdf.html, suggesting that it is a PDF file, while in fact it is an HTML page. Opening it will display a form, which asks for information that can easily be used for fraud. This includes details such as mother's maiden name, marital status, phone number, address, date of birth, as well as the credit card number, expiration date and CVV2 code.

According to Mr. Ferguson, the analysis revealed that "The web form is based on an American template, which can be seen from the telephone number format, indeed a quick squint at the html code reveals that it is using style sheets imported from www.irs.gov." However, the researcher points out that "the original email was created using Windows charset 1251, which is the character encoding designed to cover the Cyrillic alphabet," suggesting that its authors are Eastern European.
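The indicators described above (the payment_form.pdf.html double extension, a form asking for card and identity details, style sheets pulled from www.irs.gov, and the windows-1251 charset) can be checked mechanically at a mail gateway. The Python code below is an added example, not code from Trend Micro or the original article; the sample message, the sender address, the style sheet path and the `inspect` function are constructed for illustration.

```python
import re
from email import message_from_string

# Document-looking extension followed by the real HTML extension.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt|jpe?g)\.x?html?$", re.I)
# Host of a style sheet pulled in via <link href=...> or @import.
CSS_HOST = re.compile(
    r"""(?:<link[^>]+href\s*=\s*["']?|@import\s+(?:url\()?\s*["']?)https?://([^/"'\s)>]+)""",
    re.I)
SENSITIVE = re.compile(r"cvv2?|card\s*number|maiden\s*name", re.I)
CYRILLIC = {"windows-1251", "cp1251", "koi8-r"}  # weak signal on its own

# Constructed sample message (not the real phishing e-mail).
SAMPLE = """\
From: "HM Revenue & Customs" <refunds@hmrc.gov.uk>
Subject: Tax refund notification
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="windows-1251"

You are eligible to receive a tax refund. Please fill the payment form attached.
--b1
Content-Type: text/html; charset="us-ascii"; name="payment_form.pdf.html"
Content-Disposition: attachment; filename="payment_form.pdf.html"

<html><head><link rel="stylesheet" href="http://www.irs.gov/styles/main.css"></head>
<body><form>Mother's maiden name <input name="mmn"> CVV2 <input name="cvv2"></form></body></html>
--b1--
"""

def inspect(raw, claimed_domain):
    """Return a list of indicator strings found in a raw RFC 822 message."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        charset = (part.get_content_charset() or "").lower()
        name = part.get_filename() or ""
        if not name and charset in CYRILLIC:  # body text, not an attachment
            findings.append("cyrillic-charset:" + charset)
        if DOUBLE_EXT.search(name):
            findings.append("double-extension:" + name)
        if part.get_content_type() == "text/html" or name.lower().endswith((".html", ".htm")):
            html = (part.get_payload(decode=True) or b"").decode(charset or "utf-8", "replace")
            for host in sorted({h.lower() for h in CSS_HOST.findall(html)}):
                # Style sheets hosted outside the organisation the mail claims to be from.
                if host != claimed_domain and not host.endswith("." + claimed_domain):
                    findings.append("foreign-stylesheet:" + host)
            if "<form" in html.lower() and SENSITIVE.search(html):
                findings.append("sensitive-form")
    return findings
```

Calling `inspect(SAMPLE, "hmrc.gov.uk")` returns all four indicators; the charset finding alone is not evidence of phishing and is best used to raise a score alongside the others.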

Such tax refund phishing attacks have become a common occurrence in recent years, which means that they have significant success rates. Tax offices in various countries have been targeted in the past. Just recently, we reported on a similar campaign masquerading as e-mails from the Australian Tax Office. Canada's Revenue Agency was also targeted back in January.
