The hidden technology behind tax phishing


Tax phishing scams are incredibly common in the UK, so much so that HMRC publishes a guide of the most common types. While they appear most often around key tax deadlines (e.g., January self-assessment, corporate filing in March) they can happen year-round.

About the author

Richard Meeus is Director of Security Technology and Strategy at Akamai.

Phishing attacks can be highly rewarding to criminals - not just financially, but also when it comes to the compromise of sensitive data, resulting in fraud or identity theft - and anyone could be a victim: from an IT freelancer to an SMB with millions of pounds of revenue.

Phishing is often seen as a ‘social engineering’ type of cyberattack, one which relies on tricking the end-user into giving up sensitive information by appearing to be from a trusted source. Cyber attackers will also often employ technical ‘toolkits’ to help them pull off their scams. Attackers don’t need to be expert hackers to successfully pull off a phishing attack because there is a huge criminal ecosystem of ready-to-use toolkits available to buy on the dark web. Tracking the evolving use of these toolkits can tell us much about underlying cybersecurity trends.

In order to better understand the nature of these recurring scams, we tracked five of the most significant phishing toolkits being recycled and redeployed over the last two years. Here we share our key lessons from the data to help better protect, inform, and empower consumers.

Scammers cash in on uncertainty and fear

Over the last 18 months, we have seen a surge of tax-based phishing scams that have been customized to reference Covid-19, with messaging related to the pandemic included in almost every single one. This is not a new phenomenon, as campaigns are designed to appeal to consumers’ priorities and concerns, but this social engineering technique has been particularly prolific through 2020/21.

Many scams mention government aid programs and changes to filing schedules, imitating legitimate websites. For example, two well-known scams have imitated HMRC, purportedly offering Covid-19 relief schemes, including a “lockdown support plan” and a “Covid-19 refund”.

According to our research, there was an increase in the volume of scams just after the pandemic began in April 2020. By tapping into existing fears and concerns around financial insecurity, the scammers are increasing the volume of this type of campaign to take advantage.

Tax scams are constantly appearing

We tracked three UK scams which, in total, created over 1000 phishing domains, with one particular scam utilizing 650 domains.

We found toolkits appearing at different times, each utilizing hundreds of domains and impacting multiple organisations. While some were present throughout our tracking period - and likely date back to before 2019 - one scam was first identified in July 2020.

When it comes to evolving existing scams, we have found that criminals will often take a particular attack vector and tweak and fine-tune it over time. Sometimes these changes are made to the technical apparatus; at other times it is the wording that changes.

Phishing criminals leverage the news agenda, exploiting and inciting fear and making use of hard deadlines to maximize the effectiveness of phishing attacks and create a sense of urgency.

For example, in December 2020, the day after Boris Johnson announced the vaccine rollout scheme, phishing emails were already being distributed offering the vaccine. This attack was ready to go and was deployed as soon as the news agenda made it viable.

Once a phishing kit has been deprecated it is dialed back or removed, making way for new and improved toolkits that have learned from the successes and failures of their predecessors. In this way, tax scammers’ toolkits follow a similar life-cycle to a normal product, meaning that no two years of scam-tracking are the same.

Preparing for the next phase

As we have seen, tax scams are, by their very nature, insidious, manipulative and incredibly damaging. They tap into our fears and priorities in order to exploit, steal from, and imitate their victims.

Criminals will continue to hit us when we are most vulnerable and will do all they can to get us to engage with their scams by leveraging social engineering and harnessing the sentiments associated with global events like Covid-19.

One key area where we expect to see a rise in attacks is via mobile devices. Victims are particularly vulnerable here and criminals will increasingly target this medium. This is likely to happen both explicitly, through campaigns that target mobile users, and more implicitly, through the way we increasingly consume and use Internet services on our smartphones.

The displacement of many workforces is also making mobile device attacks more appealing as more work-related applications and services are accessible from these devices. This creates a sustained attack surface that criminals will certainly take advantage of, and will continue to be a challenge as we navigate new hybrid ways of working.

Richard Meeus

Richard Meeus is Security Technology and Strategy Director for Akamai's EMEA region.
