The technology behind tax phishing

Tax phishing scams are incredibly common in the UK, so much so that HMRC publishes a guide to the most common types. While they most often appear around key tax deadlines (e.g. self-assessment in January, business reports in March), they can occur throughout the year.

About the author: Richard Meeus is Director of Technology and Security Strategy at Akamai.

Phishing attacks can be very rewarding for criminals, not only financially but also as a route to compromising sensitive data, which in turn leads to fraud or identity theft. Anyone can be a victim, from a freelance IT specialist to a small company with millions of pounds in income. Phishing is usually classed as a "social engineering" cyberattack: it tricks an end user into divulging sensitive information by appearing to come from a trusted source. Attackers also frequently rely on technical "toolkits" to carry out their scams. They do not need to be expert hackers to succeed, because a huge criminal ecosystem sells ready-to-use phishing kits on the dark web. Tracking how the use of these toolkits evolves tells us a lot about underlying trends in cybersecurity.

To better understand the nature of these recurring scams, we tracked five of the largest phishing toolkits that have been recycled and redeployed over the past two years. Here we share the key lessons from that data to help better protect, inform and empower consumers.

Scammers prey on uncertainty and fear

Over the past 18 months, we have seen a wave of tax phishing scams customised to reference Covid-19, with pandemic-related messaging in almost all of them. This is not a new phenomenon, since campaigns are always designed around consumer priorities and concerns, but this social engineering technique was particularly prolific in 2020/21. Many scams mention government assistance programmes and changes to filing deadlines, and imitate legitimate websites. For example, two well-known scams impersonated HMRC and claimed to offer Covid-19 relief programmes, including a "lockdown support scheme" and a "Covid-19 refund". According to our research, scam volume rose sharply just after the start of the pandemic in April 2020. By exploiting existing fears about financial insecurity, scammers increase the volume of these campaigns in order to profit from them.

Tax scams keep popping up

We tracked three scams in the UK that together created over 1,000 phishing domains, with one scam alone using 650 domains. We found toolkits appearing at different times, using hundreds of domains and affecting multiple organisations. Some were active throughout our monitoring period, probably from before 2019, while one scam was first identified in July 2020.

When it comes to extending existing scams, we found that criminals often take a particular attack vector and change and refine it over time; sometimes those changes are made to the technical apparatus and sometimes to the wording. Phishing criminals follow the news, exploit and instil fear, and impose tight timelines to create a sense of urgency and maximise the effectiveness of their attacks. For example, in December 2020, the day after Boris Johnson announced the vaccine rollout schedule, phishing emails offering the vaccine were already circulating. That attack was ready to go and was deployed as soon as the public schedule made it plausible.

Once a phishing kit is outdated, it is either reworked or retired, giving way to new and improved toolkits that have learned from the successes and failures of their predecessors. In this way, tax scammers' toolkits follow a life cycle similar to that of an ordinary product, which means no two years of scam tracking look the same.

Get ready for the next step

As we have seen, tax scams are inherently insidious, manipulative and incredibly damaging. They take advantage of our fears and priorities to exploit, steal from and impersonate their victims. Criminals will continue to strike when we are most vulnerable and will do everything possible to draw us into their scams by leveraging social engineering and the sentiments attached to global events like Covid-19.

One key area where we expect to see an increase in attacks is mobile devices. Victims are particularly vulnerable here, and criminals will increasingly target this medium. This will likely happen both through campaigns that explicitly target mobile users and, more implicitly, through the way we increasingly consume Internet services on our smartphones. The large-scale shift in how and where people work also makes attacks on mobile devices more attractive, since more work-related applications and services can now be accessed from them. This creates a sustained attack surface that criminals will undoubtedly exploit, and it will remain a challenge as we navigate new hybrid ways of working.