Network Security

A taxing business

Share

This scam message was forwarded to me by Paul Brook of ESET UK.

From: "National Insurance"<spoofed email address: not one I've ever come across in my all-too-frequent dealings with the UK tax system...>
Subject: New service message await you from HM Revenue [sic]

Announcement, You [sic] have a new message from HM Revenue & Customs (HMRC). Download attachment below to read.

Once upon a time, mysterious attachments were usually malware. That still happens, of course, though nowadays the camouflage techniques used to hide the presence of malicious binary code are often much more sophisticated. Consider, for example, the heavy use of document formats in combination with zero-day exploits in targeted attacks. Nowadays, though, we also see many examples of scam messages packaged as attachments, often in the hope of evading spam filters.

The rather poorly written article apologizes for delay in delivering an income tax refund. It goes on to observe:

HM Revenue & Customs (HMRC) denies profiting from tax refund delays which leading accountants claim are becoming more widespread and make taxpayers wait months to get back what they are due.

The dispute follows miscalculations of Pay As You Earn (PAYE) liabilities last year, which HMRC originally also denied when reported in this space but later admitted affected millions of people.

Well, that doesn't read much like your average bureaucrat. And not only because the message includes two apologies and a dispassionate summary of the way many people feel about those very real PAYE problems.

But that may have something to do with the fact that the italicized text above is actually stolen wholesale from an article for The Telegraph by Ian Cowie. (That no doubt explains why the English grammar and spelling is better in that section.)

Naturally, it goes on to offer you a link to click on. I've removed it, of course, but I can assure you that HMRC does not require you to login to an insecured site via multiple redirections from a URL whose name suggests a provider of branded strings and Strat whammy bars.

The last few lines are so ill-written it's hard to imagine anyone thinking they could be from a genuine source:

We are very sorry for any inconvinniece [sic] we might have cause [sic] you

Regards

HM Revenue & Customs, Management.

© Crown Copyrigh [sic]

Of course, this is just one of many tax scams that are seen regularly (especially around the end of the tax year) in many parts of the world. But this does give you one kind of tax scam to look out for, a window into the way in which tax scammers think and express themselves (not always as poorly and lazily as in this case). I wish I had time to enumerate all the others...

A taxing business

Sometimes it's useful to look at the nuts and bolts of a scam message to see what it might tell us about other scams.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.