By Andrew Brandt
Unlike previous tax-themed scams, which have been based on the stick — fake warnings or penalties supposedly issued by the Internal Revenue Service and its UK counterpart the HMRC — these carrot-style “Tax Refund Online Form” frauds dangle a payout instead, and purport to come from other countries’ tax authorities, notably those of India and Canada.
We’ve come across a number of identical pages that have been cleverly designed to resemble the appearance of the Web sites of India’s Income Tax Department and the Canada Revenue Agency (CRA). The fake CRA “Tax refund online form” claims that the recipient will receive CAN$386 — a nontrivial sum — if they provide the necessary credit card information in the form. Wait, what?
The fake page supposedly from India (which inexplicably refers to the Indian Ministry of Finance as the IRS) tells prospective victims that they stand to gain a whopping 820.50 rupees for filling out a form with not only full credit card details but also a bank account and routing number, and debit card PIN, then waiting two to three business days for the information to be “processed” or, as we call it in this country, “stolen, used to commit fraudulent purchases, then discarded.”
And yes, you read that right – 820.50 rupees. For those unfamiliar with current rupee-to-dollar exchange rates, at a little over 46 rupees to the dollar, that’s a false promise you will receive…wait for it…nearly eighteen US dollars.
News flash, income tax filers: If you have been following the law and filing tax returns, and your respective government wants to issue you a refund, they already know where your bank accounts are.
Another tax-themed phishing scam in circulation is packaged as a page designed to look like the HMRC’s Web site. That’s right, Her Majesty’s Revenue and Customs is in the crosshairs once again. The scam is somewhat similar to those targeting Canadian and Indian taxpayers, in that victims are invited to provide bank details so they can obtain direct deposit of a promised tax refund. But there’s a twist.
Instead of giving you a form where you are supposed to provide the information to the HMRC, the page tells you to “click on your bank’s logo to continue” and then lists the logo of ten major banks in the UK: Barclays, Lloyds TSB, Halifax, Abbey, HSBC, Cahoot, RBS, Egg, NatWest, and Alliance Leicester.
And when you click through to the subsequent page, you’re presented with a very good (though entirely fraudulent) reproduction of the Web site of whichever bank’s logo you clicked. And that is where your account details are requested and (if you provide them) stolen.
The scale of the HMRC phishing attack makes it kind of unexpectedly comprehensive, in a criminally evil sort of way. It is probably the largest collection of different phishing pages I’ve seen hosted in a single location, with ten banks’ Web sites accurately reproduced solely for fraudulent purposes, along with a passable imitation of the HMRC’s Web site, all in one neat and tidy package.
In all the documented cases linked above, the phishers didn’t even bother to hide the false URL from which these scams originate. So it should go without saying that the fraud is extremely easy to identify simply by looking at the URL in the address bar and recognizing that it is not the one the tax authority or bank normally uses.
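The address-bar check described above can be turned into a mechanical rule: take the hostname of the URL and ask whether it sits under a genuine tax-authority or bank domain, rather than merely containing that domain’s name somewhere in the host. The following Python is an added illustration, not code from the original post; the allowlist it uses is an assumption (one real domain, hmrc.gov.uk, plus an obviously constructed bank placeholder), and the sample URLs in the comments are constructed, not taken from any observed campaign.

```python
"""Classify a URL by its hostname the way a careful reader checks the
address bar: genuine only if the host is the real domain or a subdomain
of it. Added example; the allowlist below is assumed, not from the post."""
import ipaddress
from typing import Dict, Optional
from urllib.parse import urlsplit

# Assumed allowlist of registrable domains -> site name. hmrc.gov.uk is the
# real HMRC domain; the bank entry is a constructed placeholder.
GENUINE_DOMAINS: Dict[str, str] = {
    "hmrc.gov.uk": "HM Revenue & Customs",
    "examplebank.co.uk": "Example Bank (placeholder)",
}


def hostname_of(url: str) -> Optional[str]:
    """Return the lowercased hostname, or None if there is none.

    urlsplit().hostname drops the port and any userinfo, so the classic
    'http://hmrc.gov.uk@198.51.100.7/' trick resolves to the real host
    '198.51.100.7', not the bait text before the '@'."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname


def under_domain(host: str, domain: str) -> bool:
    """True only if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_url(url: str) -> Dict[str, str]:
    """Return a verdict dict: genuine, phishing-lookalike, suspicious,
    unknown or invalid, with a short reason."""
    host = hostname_of(url)
    if not host:
        return {"verdict": "invalid", "reason": "no hostname in URL"}

    # A bare IP literal is never how a tax authority or bank serves its site.
    try:
        ipaddress.ip_address(host)
        return {"verdict": "suspicious",
                "reason": "bare IP address rather than a named site"}
    except ValueError:
        pass

    # Genuine: the host is, or is beneath, an allowlisted registrable domain.
    for domain, name in GENUINE_DOMAINS.items():
        if under_domain(host, domain):
            return {"verdict": "genuine", "site": name}

    # Lookalike: the genuine domain or its brand label appears inside a
    # host that does not actually end with that domain, e.g. the
    # constructed 'hmrc.gov.uk.tax-refund-form.example'.
    for domain, name in GENUINE_DOMAINS.items():
        brand = domain.split(".")[0]
        if domain in host or brand in host:
            return {"verdict": "phishing-lookalike", "imitates": name,
                    "reason": "host %r is not under %r" % (host, domain)}

    return {"verdict": "unknown",
            "reason": "%r is not a known tax authority or bank" % host}


if __name__ == "__main__":
    # Constructed sample URLs for demonstration only.
    for sample in ("https://www.hmrc.gov.uk/refund",
                   "http://hmrc.gov.uk.tax-refund-form.example/form",
                   "http://hmrc.gov.uk@198.51.100.7/login",
                   "https://refund-portal.example.org/"):
        print(sample, "->", classify_url(sample))
```

The ordering matters: the genuine check runs before the lookalike check, so “www.hmrc.gov.uk” is accepted even though it contains the brand string, while anything that merely embeds the brand in a host under someone else’s domain is flagged. The rule deliberately errs toward “unknown” for hosts it has never seen, which is the right default for a list of sites where money is at stake.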