By Troy Gill, manager of security research at AppRiver
Self-employment in the UK is currently at its highest level since records began, according to the Office for National Statistics, with 4.6 million people working for themselves. Many are preparing to make a tax payment on account ahead of the 31 July deadline. And that means phishers are casting their lines in the hope of catching one or two.
In the days before the deadline, phishers will often try to spoof users into believing that a reminder email to make a payment is legitimate. However, it is after the deadline has passed that tends to see a flurry of activity, as scammers send messages suggesting that payments have failed, or that there has been a problem and additional information is needed for clarification. Another regular scam seen circulating is the claim that an overpayment has been made and therefore a refund is due, with the recipient encouraged to input their bank details for the money to be returned.
One example of a fraudulent e-mail. It contains a link which takes users to a deceptive web page that looks like it’s part of HMRC.
Over the years we have seen hundreds of these tax-themed email campaigns, attempting to dupe users. The majority of messages contain malware as an attachment or use a URL that leads to a malicious payload.
So, what can you do to stay safe this tax season?
- Keep your browser and operating system up to date. Both receive frequent updates, many of which include fixes for vulnerabilities that could be used in an attack against an innocent taxpayer.
- Online fraudsters (a.k.a. “phishers”) will attempt to contact taxpayers via email. While it would be nice to say that HMRC will never send you an email, that isn’t always the case. Instead, to help identify what’s real and what isn’t, HMRC publishes a list of contact letters and emails to check against. The most recent can be viewed here: https://www.gov.uk/government/publications/genuine-hmrc-contact-and-recognising-phishing-emails/genuine-hmrc-contact-and-recognising-phishing-emails.
- Never click on a link, or an attachment, from an unsolicited email.
- HMRC will never ask for PIN numbers or credit card information in an email.
- Never conduct unsecured transactions that include any account or password information over public Wi-Fi hotspots – including airports, hotels, libraries, restaurants, cafes, or other locations, particularly those offering Wi-Fi free of charge.
- Always and completely log out of sensitive sites. It is possible for an attacker to hijack a session that has been left open.
- Try not to use the same computer that the children do for any sensitive transactions – such as online banking, filing tax returns, etc. A good portion of online scams and spam target today’s younger generation of Internet users.
- Remain vigilant and try to use simple logic – if it seems too good to be true, and it is sitting in your inbox, delete it, especially if it comes from someone with whom you did not initiate contact.
- Before entering sensitive information into a website, look for the security padlock symbol in the address bar.
- Create strong and unique passwords for sensitive sites; choose passwords that are complex and utilize a combination of upper and lower case letters, numbers and symbols.
- Limit your exposure through e-mail and Web. It is perhaps online behaviour that bears the most scrutiny. Mitigating the risk through the use of reliable e-mail and Web filtering solutions is essential.
As HMRC increasingly encourages users to file their taxes electronically, and make payments via the online portal, scammers will try to capitalise on unsuspecting individuals. While paying taxes isn’t always popular, it is one of life’s certainties – that and dying. However, being swindled by fraudsters doesn’t have to be.