Cyber criminals try swiping email logins and bank data in single HMRC phishing scam
The hackers ask for every piece of your personal data, including name, address, mother's maiden name, bank and card details
Malwarebytes has uncovered an HMRC phishing scam that aims to swipe taxpayers' personal details (including mother's maiden name) and card details.
The hackers send an email to victims, claiming to be from HMRC regarding a tax refund. The email specifies how much is due as a refund (around the 500 mark) and says that the refund claim deadline falls on the date of the email - prompting anyone wanting to get their money back to click on it immediately.
The victim is then taken to a login screen where they are asked to enter their login details via "HMRC's gateway portal", which looks suspiciously like an Outlook email login page (giving the criminals their email address and password). They are then forwarded to a form where they're asked to enter personal information.
Details requested here are name, address, phone number, date of birth and mother's maiden name. This information is seemingly checked against some sort of database so the scammers can make sure the details look as though they're genuine. If they don't pass the validation, the victim is unable to enter their card details, the fields for which appear at the bottom of the form.
Once the personal details are shown to be at least believably correct, the victim is prompted to enter the details of the card they wish their refund to be sent to, including expiry date and CVV number. What should set alarm bells ringing, if the huge amount of data already requested isn't enough to flag it as a scam, is that the criminals also ask for a sort code and bank account number - pretty much exposing every piece of personal data they could possibly ask for.
"While these scams tend to experience a boom period during tax season (in this case, around April for the US and UK), there's nothing preventing scammers from firing these out at other times of the year," Chris Boyd, lead malware intelligence analyst at Malwarebytes, said. "In fact, it might be more of a benefit for them to do so. Recipients may be more likely to have their guard down due to the lack of 'fake tax refund' articles making the rounds. Out of sight, out of mind and all that."