The hidden technology behind tax phishing


Tax phishing scams are incredibly common in the UK, so much so that HMRC publishes a guide of the most common types. While they appear most often around key tax deadlines (e.g., January self-assessment, corporate filing in March) they can happen year-round.
About the author
Richard Meeus is Director of Security Technology and Strategy at Akamai.
Phishing attacks can be highly rewarding to criminals – not just financially, but also when it comes to the compromise of sensitive data, resulting in fraud or identity theft – and anyone could be a victim: from an IT freelancer to an SMB with millions of pounds of revenue.
Phishing is often seen as a ‘social engineering’ type of cyberattack, one which relies on tricking the end-user into giving up sensitive information by appearing to be from a trusted source. Cyber attackers will also often employ technical ‘toolkits’ to help them pull off their scams. Attackers don’t need to be expert hackers to successfully pull off a phishing attack because there is a huge criminal ecosystem of ready-to-use toolkits available to buy on the dark web. Tracking the evolving use of these toolkits can tell us much about underlying cybersecurity trends.
In order to better understand the nature of these recurring scams, we tracked five of the most significant phishing toolkits being recycled and redeployed over the last two years. Here we share our key lessons from the data to help better protect, inform, and empower consumers.
Scammers cash in on uncertainty and fear
Over the last 18 months, we have seen a surge of tax-based phishing scams that have been customized to reference Covid-19, with messaging related to the pandemic included in almost every single one. This is not a new phenomenon, as campaigns are designed to appeal to consumers’ priorities and concerns, but this social engineering technique has been particularly prolific through 2020/21.
Many scams mention government aid programs and changes to filing schedules, imitating legitimate websites. For example, two well-known scams have imitated HMRC, purportedly offering Covid-19 relief schemes, including a “lockdown support plan” and a “Covid-19 refund”.
According to our research, there was an increase in the volume of scams just after the pandemic began in April 2020. By tapping into existing fears and concerns around financial insecurity, the scammers are increasing the volume of this type of campaign to take advantage.
Tax scams are constantly appearing
We tracked three UK scams which, in total, created over 1000 phishing domains, with one particular scam utilizing 650 domains.
We found toolkits appearing at different times, each utilizing hundreds of domains and impacting multiple organisations. While some were present throughout our tracking, and likely date back to before 2019, one scam was first identified in July 2020.
When it comes to evolving existing scams, we have found that criminals will often take a particular attack vector and tweak and fine-tune it over time. Sometimes the changes are made to the technical apparatus, and at other times to the wording.
Phishing criminals leverage the news agenda, exploiting and inciting fear and making use of hard deadlines to maximize the effectiveness of phishing attacks and create a sense of urgency.
For example, in December 2020, the day after Boris Johnson announced the vaccine rollout scheme, phishing emails were already being distributed offering the vaccine. This attack was ready to go and deployed as soon as the news agenda could make it viable.
Once a phishing kit has been deprecated, it is dialed back or removed, making way for new and improved toolkits that have learned from the successes and failures of their predecessors. In this way, tax scammers’ toolkits follow a similar life-cycle to a normal product, meaning that no two years of scam-tracking are the same.
Preparing for the next phase
As we have seen, tax scams are, by their very nature, insidious, manipulative and incredibly damaging. They tap into our fears and priorities in order to exploit, steal from, and imitate their victims.
Criminals will continue to hit us when we are most vulnerable and will do all they can to get us to engage with their scams by leveraging social engineering and harnessing the sentiments associated with global events like Covid-19.
One key area where we expect to see a rise in attacks is via mobile devices. Victims are particularly vulnerable here and criminals will increasingly target this medium. This is likely to happen either explicitly, through campaigns targeted at mobile users, or more implicitly, through the way we increasingly consume and use Internet services on our smartphones.
The displacement of many workforces is also making mobile device attacks more appealing as more work-related applications and services are accessible from these devices. This creates a sustained attack surface that criminals will certainly take advantage of, and will continue to be a challenge as we navigate new hybrid ways of working.