Web of deceit

It is tempting to see the internet as a vast warren of streets where a Fagin’s kitchen of Artful Dodgers lurks behind every website, constantly trying to pick your digital pocket.

“We were not going to be beaten and we rolled up our sleeves to protect customers.”

That’s certainly how it comes over during a conversation with one of the top cybercrime-busters working for HMRC. With over 30 million UK taxpayers, all of whom expect to receive perfectly legitimate communications about their tax returns, HMRC is one of the biggest targets for criminals. Emails and more recently texts to mobile phones are sent out purporting to come from the taxman in an effort to extort money or obtain personal banking details.

A nondescript office block in a Yorkshire city is where Don Wooller and his team constantly monitor suspicious emails, texts and websites. It’s one of two cybercrime command centres in the UK and their fight has had some notable successes. In the last year they presided over a reduction of 450 million phishing emails, and can now claim to stop almost all fake @HMRC.gov.uk phishing emails from reaching their customers’ inboxes.

In addition, they have closed down 16,000 websites attempting to masquerade as HMRC. In a notable success earlier this year, HMRC forced a Panama company to hand over fake tax domains they had set up, including hmrc-onlines.co.uk, hmrc-tax.co.uk and hmrcsubmitareturn.co.uk.

Across all UK companies and agencies cybercrime, including fraudulent emails – known as “phishing” – was responsible for the theft of £5.9 billion in 2016-2017. HMRC has not revealed figures for scams resulting from its copycat emails, but the scale of the taxman’s anti-cybercrime operation suggests it is a serious problem.

Wooller sits at his computer and calls up a typical email sent by one of the scammers. Although the sender appears to be HMRC, when he hovers his cursor over the sender’s name the real source is revealed: a long email address made up of seemingly random letters and numbers ending with “.bd” which is the top level domain for Bangladesh. Others might end with .ca for Canada but, says Wooller, the top-level domain is not much of a clue as to the origin since webspace can be bought pretty much anywhere.

But if the email sender line didn’t raise the recipient’s suspicions then the wording of the email should have done. It read: “You are informed that after reviewing your statements we have figured out that we owe you a tax refund of £265.84 GBP from the last tax year payments. It is our earnest request to you to please collect your refund from us by following the Get Started button you see in the next line.” Her Majesty’s tax inspectors are unlikely to use language like “figured out”, nor are they likely to issue an “earnest request.”

The Get Started button leads to a web page that carries the familiar HMRC branding, an authentic look that tricks people into feeling reassured they are but a few clicks away from an unexpected and very welcome tax windfall. All they have to do is fill in their bank account details, including security number, as well as personal information like driving licence and national insurance numbers plus a variety of private details such as their mother’s maiden name.

Once they click to send the form they find themselves redirected to a webpage that is actually the genuine website of their bank, which adds to their belief that the whole process is totally above board.

But there is a shock in store, and not just that the refund won’t materialise. The now-compromised bank account can be accessed by the criminals and funds transferred. Meanwhile, the personal information will be sold on the dark web, an area of the internet that requires special software to access and is favoured by criminals because it can be used anonymously. Such personal information will be attractive to anyone engaged in the business of identity theft.

Closing down malicious websites like the one mimicking HMRC’s in the scam is all part of the daily routine for Wooller and his team.

“Sadly,” Wooller says, “this has resulted in criminals using different approaches to deceive the public, including the use of SMS phone text phishing, which we call smishing. The volumes of smishing attacks grew significantly during 2016 and 2017 and evidence shows that people are nine times more likely to be duped by phone text attacks than by email because they can appear very credible.”

This is how it works. A text that looks like it’s officially sent by HMRC says you are due a tax refund. A clickable link then leads to a seemingly credible website which requires you to enter your personal banking details in order to receive the refund. The payment doesn’t materialise, of course. Instead, as with the email scam, money disappears from the victim’s bank account.

Wooller’s team found that customers were falling for texts more than emails, since they receive phone messages instantly rather than waiting to log on to email accounts. “And then the bad guys got cleverer,” he says. “When we started to tag our own texts with what we call alpha tags, which show the identity of the sender, these bad guys realised they could do that as well. They started using the same tags, so effectively you might get a genuine message from us to say it’s time to fill in your tax return, and the criminals managed to attach messages to the same string. It looks credible and there’s a good chance people would fall for that.”

This was a huge challenge to Wooller and his team. “But we were not going to be beaten,” he says. “We rolled up our sleeves again to help protect our customers.”

The result was an innovative pilot scheme to immediately identify fraudulent texts that look like they come from HMRC and stop them being delivered to mobile phones. This summer Wooller and his team won a national UK Digital Leaders award for its pioneering work on this cyber security initiative.

Unfortunately, the success HMRC has had in closing down digital frauds forced a number of scammers to resort to what Wooller calls their old “boiler room” method of obtaining money. That is, cold calling by phone.

Audaciously, some have managed to convince vulnerable people that they owe tax and should pay the overdue amount with iTunes vouchers – by sending them to a PO Box address. This has led HMRC to take the unusual step of contacting big retailers like supermarkets with a request to alert their staff to the scam and query any large purchases of iTunes vouchers.

Wooller says there are spikes in phishing and smishing attempts around the time of the end of the tax year in April and after the self-assessment deadlines in September and January.

Once a scam is identified and the fake website that harvests taxpayers’ details is closed down, HMRC makes sure that anyone trying to access it is redirected to its own pages.

So has Wooller ever met any of the cyber criminals engaged in scams? “I haven’t, no,” he laughs. “We work in the shadows. I might have passed one on the street, but I’ve never met one face to face.”

---

Don’t fall for a scam

An authentic email will never begin with words like “Dear Account Holder” or other generic greeting. HMRC will never contact you by email, text message or phone telling you about a tax rebate or penalty or asking for personal or payment information.

HMRC and banks will never send emails with links asking you to click on them to log into your account or verify financial information or passwords. No matter how convincing, do not click on a link. Use the same approach to SMS texts on your phone.

Check GOV.UK for information on how to avoid and report scams and recognise genuine HMRC communications. Forward suspicious emails claiming to be from HMRC to phishing@hmrc.gsi.gov.uk.

Forward suspicious texts to 60599.

If suspicious cold-calling phone calls are received report them to HMRC. If you have disclosed information report this immediately to Action Fraud on 0300 123 2040.

Check with your bank for contact details of their own cyber fraud units.

Use antivirus software and if using HMRC or internet banking websites install the latest version of your web browser.