Video Screencast Help
Symantec Intelligence

MessageLabs Intelligence Warns of Tax Season Phishing Scams

Created: 29 Mar 2010
MarissaVicario's picture
0 0 Votes
Login to vote

By Mathew Nisbet, Malware Data Analyst

‘Phishing’ has been around since 1996, and refers to the attempted theft of sensitive information such as usernames, passwords, or credit card details by impersonating a trustworthy source such as a bank.

Below is a typical example that MessageLabs Intelligence sees on an almost daily basis. It is impersonating the HMRC (“her majesty’s revenue and customs,” the UK tax office).

As you can see, the scammers are quite good at making an e-mail look legitimate. Someone who has never received an official e-mail from the tax office would have no reason to suspect this was not genuine on first glance. The logo is correct, and the links in blue along the bottom go to the genuine HMRC website. However, the link in green in the message itself does not go to an official page. It goes to a fake page where any information entered is sent to the criminals behind the attack, and could then be used to gain access to the victim’s personal accounts, or to impersonate the victim.

Impersonating the tax office is becoming an ever more popular angle for the phishers. It is possible they get better returns from this than they do impersonating other organisations. People often resent having to pay tax, it could be that they are a little more willing to believe these scams if they already believe they are paying more than they should be.

This chart shows the percentage of phishing over time that is impersonating the HMRC, the IRS (the Internal Revenue service – USA), and the ATO (Australian Taxation Office). As you can see, HMRC phish is becoming more and more common over time, and IRS phish has been seen in very high levels on occasion. So far, ATO phish has been relatively uncommon.

It’s not just these three countries that are used in this way. The tax offices of other countries are also used, though the volume is much lower than it is for the three mentioned previously. The following is an example showing a phishing mail impersonating the Income Tax Department of India. The link in the email that you can see does not exist, and if you click on it, it is not the URL you are taken to. Where you end up is a fake site that asks for lots of personal information and bank card details.

As well as phishing, we also see criminals impersonating institutions like the IRS in an attempt to spread malware. The link in the example below, for instance, takes the victim to a website that attempts to install a malicious file on their system.

Another example below, also exploiting the IRS, also takes the user to a website which attempts to install malware believe to be a variant of the Zeus botnet Trojan, but the linked site is no longer available for full analysis of the malware. For more information about Zeus, please visit:

As always, the best way to be safe is to make sure your AV software is always fully up to date. But further to this, you should make sure you never click on a link contained in an unsolicited mail. None of the organisations mentioned above send out tax notifications by e-mail. If you receive something that says you are owed money by a government department, you should get in touch with them yourself to be sure, by phone, or in person at your local tax office.