The deadline for filing self-assessment tax returns has not brought an end to phishing messages intended to trick web users.
Despite HMRC telling customers that it only informs them of tax refunds by post and that they should not respond to such phishing emails, reports were made of a highly lucrative criminal scam in the run up to Sunday's tax return deadline.
The latest scams take advantage of the number of people waiting to hear whether they are eligible for a tax refund. Phishing messages now tell people that they are due a rebate and ask them to complete online forms with their bank or credit card details in order to receive it.
Phil D'Angio, security expert at VeriSign, said: “Key dates such as tax return deadlines present golden opportunities for fraudsters to target people made vulnerable by processes that they may find confusing. But whatever the occasion, phishing sites are easily spotted when we know what to look out for.
“In this case, Revenue and Customs issued clear directions – taxpayers will only be informed of tax returns by post, so any emails claiming to be from this body should be ignored. However, phishing scammers don't need a specific date or deadline as an excuse to attempt to defraud individuals – emails asking for confirmation of personal information of any sort, those promising cheap online deals or emails issuing warnings on closures of bank accounts should all be deleted without taking any action.”
Trusteer, a browser security and fraud prevention specialist, said that these reports prove the increasing ingenuity - and topicality - of cyber criminals. Its CEO Mickey Boodaei claimed that HMRC attacks are twice as successful as banking phishes for the simple reason that taxpayers are tempted by the prospect of a cash rebate direct to their bank account.
He said: “The `carrot' of free cash also persuades many internet users to lower their normal credulity guard and, when they see a choice of bank sites from the `HMRC landing page', they click on the link and immediately start entering their bank and other personal details.”
He further encouraged users to ‘fire up a search engine and look for reports of a possible scam on the internet' when they receive what appears to be a free cash giveaway or deal that looks very tempting.
For example, entering the words `HMRC tax refund email' into Google returns a series of links. The first one says: "HM Revenue and Customs (HMRC) would not inform customers of a tax rebate via email, or invite them to complete an online form to receive a rebate of tax...
Boodaei did claim that HMRC is the perfect phishing target, as it allows the cyber criminals to set one page and one email message that target all banks at once, instead of setting a different message for each bank. This is much more efficient.
Secondly, while many online bankers know not to follow links to their bank's website, a message from HMRC seems less suspicious.
“Cyber criminals are using automated tools to generate these attacks and therefore they can generate a high volume of attacks in a very short space of time, ” said Boodaei.
Mick Paisley, head of information security and business resilience at Santander, said: "There is no end to the tricks fraudsters will use to try and pull the wool over the eyes of an unsuspecting public. The nature and timing of this phishing makes it hard for people to ignore and the promise of money back from anyone is interesting, the promise of money back from the taxman is, to many people, far too good to let pass.
"Unfortunately, this type of timely attack could see many people falling for it. We would urge all Alliance and Leicester customers to do all they can to protect themselves. First, be wary when clicking on a link in an email from an external source.
“Most importantly, our internet banking customers should download and install the free Trusteer Rapport software, which protects users from sharing their banking details with these fraudsters, while also allowing us to take aggressive action to take down these criminal sites as quickly as possible.”