Think you have heard from HM Revenue & Customs via an email, call, or text message notifying you that you might be eligible for a government payment or rebate due to the Covid-19 pandemic?
With 2.4m self-employed individuals and freelancers taking advantage of the HMRC programme to provide subsidies and the huge disruptions in the UK economy as a result of the pandemic, fraudsters are seeing a higher success rate in scam campaigns because people are looking for as much help as possible.
They know that well-crafted (but fraudulent) messages that seem real can get people to fall for their schemes. People, to use a quote from the X-Files TV series, “want to believe”.
- Scammers are taking advantage of people’s current vulnerabilities
- Many of them use SMS messages
- It is better to take a few precautions than clean up afterwards
The latest scam campaign focuses on self-employed professionals who may be receiving assistance through the government’s Self-Employment Income Support Scheme, leveraging SMS messages to warn of potential eligibility for a tax refund.
Upon clicking on the link, professionals land on a very realistic page built on HMRC branding that asks for personal details and Government Gateway log-in credentials to calculate their supposed refund.
After calculating the fake refund amount, it asks for banking details in order to deposit the funds, but it also asks for passport numbers for “verification” purposes.
Banking data is no longer as valuable as it once was on the dark web, but stolen passport numbers can bring criminals big profits, because dark web marketplaces prize sensitive data like passport details for their potential in identity theft schemes.
Bypassing email defences with smishing
With email firewalls and fraud detection systems getting more sophisticated, fraudsters are increasingly leveraging SMS phishing (‘smishing’) in scams.
A recent Verizon report found that 85 per cent of attacks on mobile devices now take place via media other than email, as professionals are less accustomed to the telltale signs of a scam in their text messages compared to email.
Attackers know that users on mobile devices are more likely to click on a text message link. They are also taking advantage of smaller mobile browsers to create fake mobile websites that look exactly like real government sites in design, colours, typeface and layout.
Of course, the real HMRC has been very clear: they will never send you a message that solicits highly confidential information.
But in the face of growing economic distress, and knowing that there are real government programmes to help individuals in need, can we not predict that a certain percentage of the population is likely to respond and provide the information asked for by the criminals?
Sadly, the criminals know that the answer to this is yes.
This is nothing new. On the night of April 15 2019, the Notre-Dame cathedral was largely destroyed in a terrible fire. Within hours, online criminals had websites up and running to fraudulently collect funds (or credit card numbers) purportedly to help with rebuilding.