Posted on behalf of Mathew Nisbet, Malware Data Analyst, Symantec.cloud
Every year, tax season is exploited by those who seek to profit by preying on people's trust. Throughout the year, MessageLabs Intelligence commonly sees phishing attacks, but there is always an increase around March, as the financial year draws to a close and tax season kicks into full swing.
The chart above shows tax-related phishing as a proportion of all malicious mail (not general spam).
As one can see, there was an increase in traffic in mid-February, but even that is less than half of the volume of tax-related scams seen throughout March.
Most of the scams that we are seeing purport to be from the UK's tax office, "Her Majesty's Revenue and Customs", or the USA's tax office, "Internal Revenue Service".
These phish all use social engineering to try to fool the recipient into giving away their personal information and credit card details. Unlike 419 scams, phishing is characterized by more grammatical language and sophisticated, convincing web pages.
This is an example of a common scam seen this March:
This is an obviously well-written scam and, if the recipient didn't know any better, it is reasonably convincing. Also note that it specifically tells the recipient not to try phoning, as "the telephone help line is unable to assist with this application". This is of course never true: official organizations responsible for tax management will be able to assist by telephone. It is simply an attempt to stop the recipient from discovering that the email is a scam.
The page attached to the mail looks like this:
This page has been made to look as much like a real HMRC web page as possible, and they've done a very good job. The colors and logos are all from the actual site, and all the links along the top and bottom link to the correct pages on the genuine HMRC site. However, clicking the submit button sends the data in the fields to a CGI form hosted on what appears to be a compromised legitimate site for a Spanish hotel company. That CGI page then sends the details to a web email address set up for the purpose, and immediately forwards the user's browser to the following genuine page on the HMRC site:
To avoid having your credit card details and personal information stolen, if you are unsure about any email similar to this, speak to your tax office yourself.
Either go to their site by typing in the address manually and email them with a query, or telephone them and speak to someone. If there are forms you need to fill out, they will be able to direct you to them. Government organizations will never ask you to fill out your credit card details in a form attached to an email.
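The attached page described above keeps its navigation links pointed at the genuine site while the form posts elsewhere, and that mismatch is something a mail filter can check. The following is an added example, not code from the original post: the sample HTML, both host names and the field names are constructed placeholders, and `audit` is a hypothetical helper.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample attachment; hosts and field names are placeholders.
SAMPLE = """<html><body>
<a href="http://www.taxoffice.example/index.htm">Home</a>
<a href="http://www.taxoffice.example/contact/">Contact us</a>
<form method="post" action="http://hotel-site.example/cgi-bin/form.cgi">
<input type="text" name="fullname">
<input type="text" name="cardnumber">
<input type="text" name="cvv">
</form>
</body></html>"""

SENSITIVE = ("card", "cvv", "cvc", "expiry", "password")

class FormAudit(HTMLParser):
    """Collect link hosts, form targets and sensitive input names."""
    def __init__(self):
        super().__init__()
        self.link_hosts = Counter()
        self.form_actions = []
        self.sensitive_fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            host = urlparse(a["href"]).hostname
            if host:
                self.link_hosts[host] += 1
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input":
            name = (a.get("name") or "").lower()
            if any(k in name for k in SENSITIVE):
                self.sensitive_fields.append(name)

def audit(html):
    """Flag forms that submit to a host other than the one most links use."""
    p = FormAudit()
    p.feed(html)
    brand = p.link_hosts.most_common(1)[0][0] if p.link_hosts else None
    findings = []
    for action in p.form_actions:
        host = urlparse(action).hostname
        if host and brand and host != brand:
            findings.append({"brand_host": brand, "submit_host": host,
                             "sensitive_fields": list(p.sensitive_fields)})
    return findings
```

A finding that also lists card-related field names is a strong signal for an HTML attachment, since a page that borrows one organization's links has no reason to post payment data to another host.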