The hidden technology behind tax phishing


Tax phishing scams are incredibly common in the UK, so much so that HMRC publishes a guide of the most common types. While they appear most often around key tax deadlines (e.g., January self-assessment, corporate filing in March) they can happen year-round.

About the author

Richard Meeus is Director of Security Technology and Strategy at Akamai.

Phishing attacks can be highly rewarding to criminals - not just financially, but also when it comes to the compromise of sensitive data, resulting in fraud or identity theft - and anyone could be a victim: from an IT freelancer to an SMB with millions of pounds of revenue.

Phishing is often seen as a ‘social engineering’ type of cyberattack, one which relies on tricking the end-user into giving up sensitive information by appearing to be from a trusted source. Cyber attackers will also often employ technical ‘toolkits’ to help them pull off their scams. Attackers don’t need to be expert hackers to successfully pull off a phishing attack because there is a huge criminal ecosystem of ready-to-use toolkits available to buy on the dark web. Tracking the evolving use of these toolkits can tell us much about underlying cybersecurity trends.

In order to better understand the nature of these recurring scams, we tracked five of the most significant phishing toolkits being recycled and redeployed over the last two years. Here we share our key lessons from the data to help better protect, inform, and empower consumers.

Scammers cash in on uncertainty and fear

Over the last 18 months, we have seen a surge of tax-based phishing scams that have been customized to reference Covid-19, with messaging related to the pandemic included in almost every single one. This is not a new phenomenon, as campaigns are designed to appeal to consumers’ priorities and concerns, but this social engineering technique has been particularly prolific through 2020/21.

Many scams mention government aid programs and changes to filing schedules, and imitate legitimate websites. For example, two well-known scams have imitated HMRC, purportedly offering Covid-19 relief schemes under names such as “lockdown support plan” and “Covid-19 refund”.

According to our research, there was an increase in the volume of scams just after the pandemic began in April 2020. By tapping into existing fears and concerns around financial insecurity, the scammers are increasing the volume of this type of campaign to take advantage.

Tax scams are constantly appearing

We tracked three UK scams which, in total, created over 1000 phishing domains, with one particular scam utilizing 650 domains.

The toolkits we found appeared at different times, each using hundreds of domains and impacting multiple organisations. Some were present throughout our tracking period and likely date back to before 2019, while one scam was first identified in July 2020.

When it comes to evolving existing scams, we have found that criminals will often take a particular attack vector and tweak and fine-tune it over time. Sometimes these changes are made to the technical apparatus; at other times it is the wording that changes.

Phishing criminals leverage the news agenda, exploiting and inciting fear and making use of hard deadlines to maximize the effectiveness of phishing attacks and create a sense of urgency.

For example, in December 2020, the day after Boris Johnson announced the vaccine rollout scheme, phishing emails offering the vaccine were already being distributed. This attack was ready to go and was deployed as soon as the news agenda made it viable.

Once a phishing kit has been deprecated it is dialed back or removed, making way for new and improved toolkits that have learned from the successes and failures of their predecessors. In this way, tax scammers’ toolkits follow a similar life-cycle to a normal product, meaning that no two years of scam-tracking are the same.

Preparing for the next phase

As we have seen, tax scams are, by their very nature, insidious, manipulative and incredibly damaging. They tap into our fears and priorities in order to exploit, steal from, and imitate their victims.

Criminals will continue to hit us when we are most vulnerable and will do all they can to get us to engage with their scams by leveraging social engineering and harnessing the sentiments associated with global events like Covid-19.

One key area where we expect to see a rise in attacks is via mobile devices. Victims are particularly vulnerable here and criminals will increasingly target this medium. This is likely to happen both explicitly, through campaigns that target mobile users, and more implicitly, through the way we increasingly consume and use Internet services on our smartphones.

The displacement of many workforces is also making mobile device attacks more appealing as more work-related applications and services are accessible from these devices. This creates a sustained attack surface that criminals will certainly take advantage of, and will continue to be a challenge as we navigate new hybrid ways of working.

Richard Meeus

Richard Meeus is Security Technology and Strategy Director for Akamai's EMEA region and is responsible for technical strategy across the region.

He is a highly experienced and commercial pre-sales executive with a strong 20+ year track record in EMEA, including 11 years of continuous knowledge building in MEA countries. He is focussed on building solutions and ensuring customer satisfaction, is passionate about delivery and technical development, and is commercially aware with strong stakeholder management skills.