Tax season, the time of year you find out your filing system isn’t as organized as you thought and you’re left scrabbling around trying to find the necessary documents to submit your tax return.

That’s not to say we’re not given ample warning by HMRC, who send dozens of notifications via post, email, SMS and social media as well as other modes. HMRC do their best to fully inform taxpayers of upcoming deadlines, so much so that 94% of taxpayers file their taxes on time. But due to the comprehensiveness of their communications campaign, fraudsters have recognized the tax season as an opportunity to pry Personally Identifiable Information (PII) from people.

The problem is vast, and growing at an alarming rate. Nearly 900,000 suspicious contacts were reported to the HMRC in 2018/19 with 620,000 referring to fraudulent tax rebates.

HMRC has been tackling phishing emails, smishing and cold calling by working with third parties to take down phishing sites and disconnect phone lines associated with scams.

The self assessment tax return deadline has been and gone (31st January), but there will undoubtedly be a few stragglers still submitting their returns, so the Wandera Threat Research Team thought it would be opportune to discuss some of its phishy findings.

What did the Wandera Threat Research Team find about HMRC tax phishing?

Scam artists are often very tactical with their phishing campaigns, targeting keyword searches and sending messages on current topics. This behaviour shows up as an uptick in the number of observed tax refund related phishing sites around the self assessment deadline.

In January 2020, there was a clear spike in tax related phishing sites relative to previous months.

[Figure: tax rebate phishing]

The danger of the tax rebate phishing sites is that they request PII (name, address, phone number, email) as well as credit card details to provide taxpayers their “refunds”.

With other regularly used sites, like Amazon and Google, targets of a phishing attack are likely to have a better understanding of the user experience and associated processes (checkouts, verification, etc.). However, self assessment tax returns come but once a year, so users are less likely to be familiar with the process and, therefore, more vulnerable to phishing.

And this is just for the online tax return. The UK tax system is notoriously opaque, which allows scammers to take advantage of the lack of public understanding.

The Technical Findings

Almost all the phishing sites found were using deeply nested subdomains (4th, 5th, 6th level), for example:
online[.]hmrc[.]gov[.]uk[.]account[.]login[.]level7[.]co[.]in

The above domain is a good example of a URL structured for deception. Using online.hmrc.gov.uk as a series of deeper subdomains gives the impression that the site is in some way connected to the government body. URLs of this kind are particularly problematic on mobile devices, where the URL is cut off due to the size of the screen. If a user is not careful, it’s very easy for them to be deceived by this tactic.

The phishing domains Wandera detected came from a variety of sources, including known bad actors and unknown, potentially malicious registrants looking to launch zero-day attacks. None of the sites with lower-level subdomains were associated with any official government body.

The Wandera Threat Research Team also detected a number of zero-day threats throughout the course of its research (see Appendix).

It’s unlikely victims are typing these domains directly into their browsers, being served them on Google or stumbling across them on Facebook. So how are they navigating to these sites?

In the past, email has been the go-to option for phishing campaigns. The Government has a site dedicated to raising awareness of scams and provides examples, but our Threat Research Team has broken down a couple of HMRC phishing emails it spotted.

HMRC Smishing Example

The Wandera Threat Research Team recently stumbled on a very elaborate tax rebate smishing scam.

The first thing to note is that the smishing message came from a suspicious mobile number, one that has been red-flagged on who-called.co.uk.

The second is the URL https://tax.account-4refund.com, which has no affiliation with gov.uk, the UK government’s official domain, under which entities like HMRC sit.

Thirdly:

“HMRC only informs you about tax refunds through the post or through your pay via your employer. All emails, text messages, or voicemail messages saying you have a tax refund are a scam.”

Clicking the link takes you to a site that is indistinguishable in look and feel from the government site.

The form requests the victim’s PII before routing to a secondary phishing page mimicking the relevant bank.

Once the victim enters their banking information, they are potentially enabling their personal finances to be stolen.

HMRC Phishing Emails

The example emails below aren’t necessarily connected with the aforementioned campaigns, but they do provide an idea of the tactics used by fraudsters to capture details.

Email 1

[Figure: hmrc-phishing-email-1]

The email sender in this case was OfficeOfTaxRefund-uniqueID-1349188736@cityftmyers[.]com, a seemingly gobbledegook address apart from the strategically placed ‘OfficeOfTaxRefund’ part at the start. However, ‘cityftmyers.com’ is the official domain of the city of Fort Myers, which may mean the email address has been spoofed or the email server has been compromised. Either way, cityftmyers.com is likely being used to add credibility to the phishing campaign.

In this particular email, there are a number of inconsistencies that raise red flags, such as the password-protected PDF with its password in plain text in the email, expiry dates that fail to match, the recipient being addressed by their email address rather than by name, and generally poor grammar.

If nothing else raises suspicion, the password-protected PDF (from an unknown sender) really should. The phishing links themselves are in the PDF, which contains 13 links pointing to various phishing pages:

  • secured[.]tax[.]refund[.]notification[.]placeholder[.]randyburg[.]com/home/external/
  • department-tax-refund-support-gov-uk[.]placeholder[.]randyburg[.]com/[.]govuk/
  • bgcnr[.]org/derere/logs/
  • getaway-hm-revenue-admin-refund[.]placeholder[.]randyburg[.]com/[.]gatukadm/snes/
  • tax-hm-revenue-govuk-refund[.]diamondmover[.]com/home/hukaep/
  • 0467245847056864790[.]is-an-accountant[.]com/wp-content/themes/zwaters/HM/
  • tax-secured-hm-revenue[.]refund[.]cchasports[.]com/[.]laieukw/vipei/
  • hm-access-revenue-support-uk[.]splashzonetx[.]com/[.]apuk/neuosp/
  • hm-tax-revenue-supp-on-adm-uk[.]pbmsim[.]com/[.]vkwuep/external/
  • usrmep-janeuox-demepqi-por-swnep[.]shadowasylum[.]net/[.]nvuka/external/
  • dep-secured-hmrev-uktax-onadm[.]shadowasylum[.]net/home/accmac/
  • japsep-cerep-snmape-btrecua-slmeq[.]shadowasylum[.]net/[.]brsuk/external/
  • mhieu-beoqem-cmeopaw-slpekqms-bentpsw[.]shadowasylum[.]net/[.]arstw/bropa/

Despite these links not being detected by other vendors, the domains themselves are known to be malicious, meaning that:

  • mhieu-beoqem-cmeopaw-slpekqms-bentpsw[.]shadowasylum[.]net

is not detected as phishing but:

  • shadowasylum[.]net

is known as a malicious domain.
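Two of the findings above come down to the same operation: working out which part of a hostname the registrant actually controls. The nested-subdomain trick from The Technical Findings puts hmrc and gov.uk in the part the phisher chooses freely, while the point just made about shadowasylum[.]net is that a never-before-seen host is still caught if you block by its registrable domain rather than by the exact URL. The Python below is an added example, not Wandera's detection code: it uses a constructed stub of the public suffix list (only the suffixes that appear on this page), an assumed set of brand labels, and a constructed blocklist built from domains named in the post, and it also mimics the truncated mobile address bar the post mentions.

```python
"""Registrable-domain checks for lookalike hosts (added example, not Wandera's code)."""
from dataclasses import dataclass

# Constructed subset of public suffixes; the longest match wins.
# Production code should load the Mozilla Public Suffix List instead.
PUBLIC_SUFFIXES = {
    "com", "net", "org", "info", "tech", "online", "services", "tax",
    "in", "uk", "au", "co.uk", "gov.uk", "co.in", "com.au",
}
# Assumed labels the genuine organisation is known by.
BRAND_LABELS = {"hmrc", "gov.uk", "govuk"}
# Suffixes the genuine organisation actually lives under.
TRUSTED_SUFFIXES = {"gov.uk"}
# Constructed blocklist of registrable domains taken from the post's findings.
BLOCKED_DOMAINS = {"shadowasylum.net", "randyburg.com"}


def refang(host: str) -> str:
    """Turn a defanged indicator (hmrc[.]gov[.]uk) back into a lowercase hostname."""
    return host.strip().lower().replace("[.]", ".")


def split_host(host: str) -> tuple[str, str, str]:
    """Return (subdomain, registrable_domain, public_suffix) for a hostname."""
    labels = refang(host).split(".")
    suffix_len = 0
    for i in range(1, len(labels)):           # never consume every label
        if ".".join(labels[-i:]) in PUBLIC_SUFFIXES:
            suffix_len = i
    if suffix_len == 0:
        raise ValueError(f"unknown public suffix in {host!r}")
    cut = suffix_len + 1                      # suffix plus one owner-chosen label
    return (".".join(labels[:-cut]),
            ".".join(labels[-cut:]),
            ".".join(labels[-suffix_len:]))


@dataclass
class Verdict:
    host: str
    registrable_domain: str
    suspicious: bool
    reasons: list[str]


def assess(host: str) -> Verdict:
    """Apply the blocklist check and the brand-in-subdomain check."""
    subdomain, registrable, suffix = split_host(host)
    reasons = []
    if registrable in BLOCKED_DOMAINS:
        reasons.append(f"registrable domain {registrable} is on the blocklist")
    if suffix not in TRUSTED_SUFFIXES:
        padded = f".{subdomain}."             # whole-label match, works for dotted brands too
        hits = sorted(b for b in BRAND_LABELS if f".{b}." in padded)
        if hits:
            reasons.append(f"brand label(s) {', '.join(hits)} sit in the subdomain "
                           f"but the owner is {registrable}")
    return Verdict(refang(host), registrable, bool(reasons), reasons)


def mobile_address_bar(host: str, width: int = 22) -> str:
    """Simulate a narrow address bar that only shows the leading characters."""
    h = refang(host)
    return h if len(h) <= width else h[:width] + "..."


if __name__ == "__main__":
    samples = [
        "online.hmrc[.]gov[.]uk.account[.]login[.]level7[.]co[.]in",   # from the post
        "mhieu-beoqem-cmeopaw-slpekqms-bentpsw[.]shadowasylum[.]net",  # from the post
        "hmrc[.]gov[.]uk[.]yardy[.]net",                               # from the appendix
        "online.hmrc.gov.uk",                                          # genuine host
    ]
    for s in samples:
        v = assess(s)
        print(f"{mobile_address_bar(s):28} {'FLAG' if v.suspicious else 'ok  '} {v.registrable_domain}")
        for r in v.reasons:
            print("    -", r)
```

Note that the genuine online.hmrc.gov.uk passes because its public suffix is gov.uk, whereas the level7[.]co[.]in host is flagged even though it starts with exactly the same characters; the address-bar simulation shows why a victim on a phone sees no difference between the two.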

Email 2

[Figure: hmrc-phishing-email-2]

The email comes from noreply@hmrc-tax-gov[.]co.uk, a domain that has been suspended by the registrar, although it doesn’t look like a suspicious email address at face value.

The email contains two phishing links masked as legitimate links, the first being:

  • xn--07aaa[.]xn--hmr-szc[.]xn--gv-fmc[.]uk

With the anchor text as:

  • ԝԝԝ.hmrσ[.]gоv[.]uk

On closer inspection, there are some suspicious characters, namely the ‘www’, ‘c’ and ‘o’, which are lookalike letters from other scripts; the phisher has used punycode (the xn-- encoding) to carry them in the actual URL while the anchor text looks like the real address.

There are two instances of another link embedded in the PDF:
[Figure: hmrc-tax-phishing-pdf]

  • hmrc-tax-goverment[.]roomsurance[.]com/?lbs

This link is known to be phishing and this particular domain is related to a known malicious PDF.

But email isn’t the only form of delivery; there is also text.

HMRC Smishing

SMS phishing or smishing is a form of attack exclusive to mobile devices, one that is often overlooked, but not by HMRC…

HMRC has been working with various partners to put a halt to smishing campaigns by identifying ‘tags’ that suggest texts are from HMRC and preventing them from being delivered, leading to a 90% reduction in spoofing reports.

Nevertheless, there is still that 10% of texts that slip through the net and wind up on taxpayers’ devices, potentially posing a threat. We’ve found a few HMRC smishing examples in the wild:

How to protect against HMRC tax phishing?

As always, there are general rules of thumb that need to be applied when looking out for phishing scams. HMRC has a microsite dedicated to helping taxpayers identify phishing scams as well as providing contact details for reporting them. They’re also pretty explicit about what they do and do not send people, and emails about tax rebates are one of the things they never send:


It is very tempting to act on an email that is offering free money, especially when you feel you’re due a tax rebate. Don’t let your eagerness get the better of you; consult HMRC directly.

Appendix

A subset of the tax refund domains detected by Wandera:

  • govuk[.]hmrc[.]online[.]refund[.]form[.]p60[.]ref5300655[.]f0rm60[.]com
  • govuk[.]hmrc[.]online[.]refund[.]form[.]refp60[.]121[.]ecetdirectuk[.]com
  • hmrc[.]pendingrefund[.]online
  • hm-revukgovrefunds[.]com
  • gov1[.]tax-refund[.]services
  • hmrevenue[.]pendingrefund[.]online
  • hmrevenueuk[.]pendingrefund[.]online
  • hmrevenueuk[.]servicerefund[.]info
  • gov[.]uk[.]secure[.]refundform[.]ref678432[.]bigtechbintulu[.]tech
  • irs-refund[.]kusseverler[.]com
  • refund-gov-uk[.]tax
  • refund-overpayment-process[.]berryspells[.]com
  • hmrc[.]gov[.]uk-tax-return[.]leesons[.]com[.]au
  • online[.]hmrc[.]gov[.]uk[.]account[.]login[.]level7[.]co[.]in
  • gov[.]uk-money-and-tax-self-assessment[.]migorengasik[.]org
  • hm[.]online[.]gov[.]uk[.]tax-refund[.]cont-gover[.]hakmnews[.]com
  • gov[.]uk-hmrc-warns-on-tax-refund[.]desc666[.]co[.]uk
  • gov[.]uk-hmrc-warns-on-tax-refund[.]wfkrqdgz[.]net
  • gov[.]uk[.]tax[.]refund[.]application[.]balajipipe[.]in
  • department-tax-refund-support-gov-uk[.]placeholder[.]randyburg[.]com
  • secured[.]tax[.]refund[.]notification[.]placeholder[.]randyburg[.]com
  • refund-hmrc-tax-support-admin[.]placeholder[.]randyburg[.]com
  • gov[.]uk[.]tax[.]refund[.]online[.]ssl[.]eldwa[.]com
  • hmrc[.]gov[.]uk[.]yardy[.]net
  • refund-form[.]hmrc[.]gov[.]uk[.]21371623786123618237681273[.]kenmayercpa[.]com
  • refund-form[.]hmrc[.]gov[.]uk[.]21371623786123618237681273[.]zondatec[.]com
  • hmcustoms[.]gov[.]uk[.]claims-tax-refunde[.]overview[.]oxuns[.]net
  • onlinetaxrefundsystemverification[.]victoriahaneveer[.]com
  • taxrefundonlineverificationsubmit[.]timbuchinger[.]com
  • taxrefundonlineverificationsystems[.]dealingwithautism[.]org
  • gov[.]co[.]uk-tax-return-application-hm-rc-p60-form-secure-login[.]gov[.]uk[.]desproj[.]com
  • gov[.]uk[.]hm[.]revenue[.]tax[.]return[.]application[.]securessl[.]thejournalists[.]org
  • gov[.]uk[.]personal-tax-account-hmrc-refund[.]profileipsodopa[.]com
  • gov[.]uk[.]personal-tax-account-hmrc-refund[.]support291[.]com