The Cofense Phishing Defense Center (PDC) has observed a new email-based phishing scam that aims to harvest Her Majesty's Revenue and Customs (HMRC) credentials and sensitive personal information by preying on UK workers who are expecting COVID-19 tax relief grants.
According to Cofense, the threat actors use a plausible-looking email address (hmrc@hotmail.com) that carries the impersonated organization's name in its local part, and set the display name to match (HM Revenue & Customs). They also use the somewhat poorly written subject line “Helping you during this covid from government.”
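The sender described above combines two signals a mail gateway can score on its own: a display name and local part that claim a government brand, and a consumer webmail domain that no government department sends from. The following triage function is an added example (not Cofense's or HMRC's code) that flags exactly that mismatch and weighs it against lure keywords in the subject. It assumes genuine HMRC mail originates from a `.gov.uk` domain; the brand keywords, freemail list, lure keywords and the sample messages other than the hmrc@hotmail.com one are constructed for illustration.

```python
"""Flag display-name impersonation of HMRC in email From: headers.

Added example, not the original article's code. Assumption: legitimate HMRC
mail comes from a .gov.uk domain. All keyword lists are constructed.
"""
from email.utils import parseaddr

# Strings a lookalike display name or local part is likely to contain (constructed).
BRAND_KEYWORDS = ("hmrc", "hm revenue", "revenue & customs", "revenue and customs")

# Assumption: genuine HMRC mail originates from a .gov.uk domain.
TRUSTED_SUFFIXES = (".gov.uk",)

# Consumer webmail domains a government department would never send from (constructed).
FREEMAIL_DOMAINS = {"hotmail.com", "gmail.com", "outlook.com", "yahoo.com"}

# Subject-line lure terms matching the campaign's theme (constructed list).
LURE_KEYWORDS = ("covid", "grant", "relief", "eligib")


def analyse_from(from_header):
    """Parse a raw From: header and report brand/domain mismatches."""
    display_name, address = parseaddr(from_header)
    local_part, _, domain = address.rpartition("@")
    domain = domain.lower()
    claims_brand = any(
        k in display_name.lower() or k in local_part.lower() for k in BRAND_KEYWORDS
    )
    trusted = bool(domain) and domain.endswith(TRUSTED_SUFFIXES)
    reasons = []
    if claims_brand and not trusted:
        reasons.append(f"claims HMRC but sender domain is {domain or '<none>'}")
        if domain in FREEMAIL_DOMAINS:
            reasons.append("sender domain is consumer webmail")
    return {
        "address": address,
        "claims_brand": claims_brand,
        "trusted_domain": trusted,
        "reasons": reasons,
    }


def analyse_subject(subject):
    """Return the lure keywords present in the subject line."""
    lowered = subject.lower()
    return [k for k in LURE_KEYWORDS if k in lowered]


def triage(from_header, subject):
    """Combine sender and subject signals into a verdict.

    allow      - no brand/domain mismatch
    flag       - brand claimed from an untrusted domain, no lure in subject
    quarantine - brand/domain mismatch plus a themed lure in the subject
    """
    sender = analyse_from(from_header)
    lures = analyse_subject(subject)
    if not sender["reasons"]:
        verdict = "allow"
    elif lures:
        verdict = "quarantine"
    else:
        verdict = "flag"
    return verdict, sender["reasons"], lures


# Constructed sample messages; the first reproduces the sender and subject
# reported in the article, the rest are invented for contrast.
SAMPLES = [
    ("HM Revenue & Customs <hmrc@hotmail.com>",
     "Helping you during this covid from government"),
    ("HM Revenue & Customs <noreply@example.gov.uk>", "Your tax code notice"),
    ("HMRC Refunds <refunds@example.com>", "Claim your refund"),
    ("Alice <alice@hotmail.com>", "Lunch on Friday?"),
]

if __name__ == "__main__":
    for from_header, subject in SAMPLES:
        verdict, reasons, lures = triage(from_header, subject)
        print(f"{verdict:10} {from_header}")
        for r in reasons:
            print(f"           - {r}")
        if lures:
            print(f"           - subject lures: {', '.join(lures)}")
```

The check is deliberately narrow: a legitimate `.gov.uk` sender with the same display name passes, and a hotmail.com sender that makes no brand claim is left alone, so the rule targets the impersonation pattern rather than the webmail domain itself. In production this would sit alongside SPF/DKIM/DMARC results rather than replace them.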
Recipients of the email are presented with a notification that the government is offering between £2500 and £7500 in tax grants to those whose ability to work has been affected by the health crisis.
Jake Longden from Cofense PDC explained: “The email includes a link to check their [users’] eligibility. With the government publicly and repeatedly mentioning such sums, the email is believable to inattentive users. The attacker also mentions the ‘Open Government Licence v3.0,’ a legitimate copyright licence used by the Government and Crown Services, to provide additional credibility.”
Once the link is clicked, the user is presented with a realistic clone of the GOV.UK website and asked to enter personal and sensitive data.
“The volume and sensitivity of data requested far exceeds what is required to sign into a legitimate account,” Longden added. “The data requested here screams identity theft/impersonation.”
The user is then directed to a ‘loading page’ constructed to give the impression that the data entered is being processed and verified for the tax claim; in fact the information is harvested by the scammers and no tax relief is ever issued.