A highly advanced scam in which perpetrators impersonate HMRC and use tax rebates as a lure has been launched against UK residents via text.

This type of phishing attack launched via short message service (SMS), also known as “smishing”, has seen action multiple times this year with malicious actors pretending to be government entities. However, this latest campaign is highly detailed and crafted to appear authentic to the untrained eye. The phishing web pages expertly mimic HMRC’s dedicated web interface and even have built-in workflows for online banking designed for a variety of different banking providers.

The scheme is relentless. It is currently using several different HMRC-related phishing tactics and domains, and new domains are added to the list regularly as their predecessors are reported and blocked by spam filters.

The smishing snare

The SMS scam begins with individuals receiving a text message that informs them they are currently eligible for a rebate because they have been paying emergency tax in 2020. However, other messages have also been reported, stating that although the recipient is owed a refund, if they fail to submit a return, they may incur a fine. Such threats are common in phishing scams that attempt to create fear and panic that clouds the judgement of victims, inciting them to act rashly. The malicious messages also include a link for recipients to follow that leads them to a site resembling a government website.

Stealing personal information

The faked webpage at which recipients arrive is not just a basic phishing form one-pager, but an incredibly complex creation consisting of multiple pages and steps to fool its targets. It begins simply as a claim form for a tax refund and requests the victim’s name and their postcode. After successfully inputting their details, the victim will then be shown a refund value (around £200 to £400) that they are eligible to receive. A start button is also presented and, if activated, the following pages will load consecutively, designed to collect an extensive amount of personal information from the victim.

Analysis has shown the campaign acquires full names, dates of birth, home and email addresses, phone numbers, credit card details, passport numbers, driver’s licence numbers and National Insurance numbers.

Cybercriminals create schemes to steal personally identifiable information (PII) for a wide range of reasons. While in some cases it is simply to further financial crime, in many others the personal information is used as part of a wider campaign. PII allows hackers to spoof emails, impersonate contacts and penetrate enterprises, taking control of company networks.

To help fool victims further, the malicious web pages also have in-built validations that throw up errors if users make a mistake, adding to their authentic appearance. After completion, the form begins “processing”, and the victim is redirected to a phishing site that appears to be their online banking login page. Here, additional PII is stolen including bank account numbers and sort codes, online banking passwords, security question answers and two-factor banking codes.