Crooks phish for payment data and e-mail credentials

Sep 14, 2018 17:37 GMT

Christopher Boyd of Malwarebytes Labs recently reported that a new e-mail scam campaign is making the rounds, trying to steal both payment data and e-mail logins from UK residents via fake HMRC (HM Revenue & Customs) tax refund e-mails.

As Boyd says in his analysis of the phishing incident, although the UK's tax refund season is not here yet, the scammers introduce a sense of urgency by asking the target to claim a refund of £542.94 by visiting HMRC's gateway customer portal via a link that expires the next day.

Furthermore, even though the crooks state in their fake tax refund e-mail that HMRC will never request financial information or e-mail passwords via such messages, they redirect their targets first to a phony Outlook login page to steal their e-mail credentials and then to a fake HMRC Refund Status page to exfiltrate their payment details.

The unusual part is that the very basic HMRC refund page comes with a built-in data sanity check, so that the bad actors know their victims only provide them with accurate information.

E-mail scam (somewhat) falls on its face by first asking for e-mail credentials

Also, despite the perpetrators seeming quite picky when asking for Visa or Mastercard only at the top of the phishing page, they went one step further and added an extra filter by programming the fake refund status page to check the validity of the credit card data the scam target enters, stopping the process if it finds any errors in the input payment data.

Even though the fake refund page might look like an official HMRC web page, this e-mail scam campaign is very easy for its targets to detect when they are redirected to the fake Outlook login page.

We could say that the crooks' greed could drastically lower their scam's success rate; however, for that to happen, UK residents have to be vigilant and not fall for this type of low-effort scam.

The easiest way to do that is to always check the domain and security certificate of any so-called "official" HMRC pages, as well as to stay informed on how the agency will contact them when a tax refund is available.
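The domain check described above is easy to get wrong by hand, because phishing links often place a legitimate-looking name in a subdomain, in the path or before an "@" sign. The following is an added example, not code from Malwarebytes or from the article, that classifies the links in an e-mail body; it assumes that genuine HMRC pages live under gov.uk and uses a constructed sample message with a placeholder attacker domain.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: genuine HMRC web pages are served under gov.uk.
LEGITIMATE_SUFFIXES = ("gov.uk",)

# Constructed sample e-mail body (not the real phishing message); the second link
# uses a reserved example domain as a placeholder for the attacker's host.
SAMPLE_EMAIL = (
    "You are eligible for a refund of GBP 542.94. "
    "Guidance: https://www.gov.uk/government/organisations/hm-revenue-customs "
    "Claim it before the link expires: "
    "https://www.gov.uk@hmrc-refund-status.example.net/gateway?id=PLACEHOLDER "
)

def is_legitimate_hmrc_url(url: str) -> bool:
    """True only if the link points at a gov.uk host (or a real subdomain of it) over HTTPS.

    urlsplit().hostname discards any userinfo before '@' and the port, and lowercases
    the host, so 'https://www.gov.uk@attacker.example' resolves to the attacker's host.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:          # malformed netloc, e.g. unbalanced IPv6 brackets
        return False
    if parts.scheme.lower() != "https":
        return False
    host = (parts.hostname or "").rstrip(".")   # drop a trailing-dot FQDN form
    if not host:
        return False
    # Match on a label boundary: 'notgov.uk' must not pass because it merely ends in 'gov.uk'.
    return any(host == s or host.endswith("." + s) for s in LEGITIMATE_SUFFIXES)

def suspicious_links(body: str) -> list:
    """Return every http(s) link in an e-mail body that fails the HMRC domain check."""
    links = re.findall(r"https?://[^\s<>\"']+", body)
    return [link for link in links if not is_legitimate_hmrc_url(link)]

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_EMAIL):
        print("suspicious:", link)
```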

To that end, the Revenue & Customs agency has published a detailed list of all the types of HMRC contact you should expect when receiving official requests, letters, refunds or surveys.

Image: The fake tax refund page
Image: The body of the phishing e-mail