At this time of year, the number of tax scams reaches a high, with fraudsters looking for any chance to cash in on consumers, the self-employed or small businesses who might be excited about potential refunds. Many people now do their taxes online, and cybercriminals are seeing this as a huge opportunity for phishing schemes. Take the recent HMRC email scam which sends fake e-mails asking the recipient to create a “government gateway account” to access information about their tax refunds, and subsequently requests personal banking details.
What’s more, recent ONS figures show that online fraud is now the most common crime in the UK, with almost one in 10 people falling victim. But whilst online fraud is growing, there are various types of scams which can take place, and it’s important for consumers and businesses alike to be aware of the threats.
Phishing emails
For several years in a row, the number of fraudulent schemes targeting clients of financial institutions has been increasing, with attacks becoming more versatile.
Phishing e-mails are the attempt to entice you into providing sensitive information by pretending to be a legitimate organisation (e.g. HMRC). Phishing is a popular way for fraudsters to target people over the Internet, because web browsing has become safer. Popular web-browser developers and Internet security vendors have implemented a range of anti-phishing and other protection tools, making it harder for cybercriminals to propagate their malware through infected web pages.
In 2016 the proportion of spam in e-mail traffic was 58.31 per cent, which is 3.03 per cent higher than in 2015. This was the first registered growth since 2009. The tax season has become a treasure trove of sensitive personal information and financial data, which cybercriminals now see as a quick earning opportunity given that taxpayers are often overwhelmed by the complexity of filing their taxes.
Phone calls
Worryingly, the methods for distributing fraudulent pages have also gone beyond the scope of e-mail. Cybercriminals are using all available means to contact potential victims, whether that be text messages, advertising or social networks. Fraudsters also trick people into giving out information over the phone, which they then use to access an account directly or to send credible-looking phishing e-mails.
Take for example, the recent phone scam in which you receive a call from a local number, where the scammers ask “Can you hear me?”. Responses are then recorded, and if you answer ”Yes”, this is edited to appear as if you have agreed to a purchase. Another example is the investment scam which took place earlier this year, in which a fraudulent company used aggressive sales tactics over the phone with elderly and vulnerable people, to convince them to invest. One victim was convinced to pay a huge £700,000 to the tricksters.
Apps and messaging
In recent years, fraudsters have turned their attention to fraudulent apps, giving cybercriminals access to personal information which they can then secretly extract.
A recent survey by LexisNexis Risk Solution uncovered the fact that 54 per cent of UK Millennials are worried about their identity being stolen through app-based activities. The rise of financial scams was also put down to the app boom, with the British Bankers Association reporting that there was a 54 per cent increase in the use of mobile banking apps on the previous year. These types of platforms, which are only increasing in use, are opening further avenues for financial fraud.
Businesses and consumers alike need to ensure that they are suitably protected when it comes to managing their tax affairs. We continually hear about the variation and complexity of scams, and unfortunately, much like ransomware, some victims give up their hard-earned cash to these criminals.
We would recommend the following top tips for staying safe when managing your tax affairs this year:
- Give yourself plenty of time to file your tax return to lessen the risk of responding to a scam message.
- Don’t trust advice about how to get a refund unless it comes from a tax professional or source that you trust – if in doubt, always double-check.
- Don’t assume that a bank or government agency would have access to your tax details. They will not have granular information about your tax return. Even if it looks legitimate, check over the details first and if in doubt, contact the apparent source of the information using publicly available contact information (not details from the communication you’re trying to verify).
- If using a mobile app to file your tax return, make sure it’s the legitimate app and not a fake, that you’re on a trusted wi-fi network and that you have mobile Internet security that is up-to-date.Do not click on attachments or links in messages that look suspicious or that you have received from unknown people. They could be malicious.
- Do not enter your credit card details on unfamiliar or suspicious sites, to avoid the risk of passing them on to cybercriminals. Fake sites can be made to look just like the legitimate site that they’re trying to spoof. It’s always best to type in a URL yourself and you should always check that there’s a secure connection between you and the site – look for ‘https’ at the start of the address bar.
- Install a security solution on your device, with built-in technologies designed to prevent financial fraud. For example, the Safe Money feature in Kaspersky Lab solutions creates a secure environment for financial transactions.
David Emm is Principal Security Researcher at Kaspersky, a provider of security and threat management solutions.
David joined Kaspersky in 2004. He is a member of the company's Global Research & Analysis Team (GReAT) and has worked in the anti-malware industry since 1990 in a variety of roles, including that of Senior Technology Consultant at Dr Solomon's Software, and Systems Engineer and Product Manager at McAfee.
In his current role, David regularly delivers presentations on malware and other IT security threats at exhibitions and events, highlighting what organisations and consumers can do to stay safe online. He also provides comment to broadcast and print media on the ever-changing cyber-security and threat landscape. David has a strong interest in malware, ID theft and the human aspects of security, and is a knowledgeable advisor on all aspects of online security.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.