There’s a simple truth I’ve found during my years in computer security.
Often, the oldest tricks in the book will work just fine – you don’t need to make an attack sophisticated for it to dupe the unwary.
Here’s an example, a phishing campaign that has been spammed out claiming to come from the UK tax body, the much-beloved Her Majesty’s Revenue & Customs:
After the last annual calculations of your fiscal activity we have determined that you are eligible to recieve a tax refund
A refund can be delayed for a variety of reasons. As example, for submitting invalid records or applying over the deadline.
To submit your tax refund please click here
Please submit a tax refund request and allow us 2-5 days in order to process it
You would like to think that the taxman would know the rule about spelling “recieve” correctly (“i” before “e”, except after “c”) but maybe you wouldn’t notice that error in your excitement about clawing back some cash from HMRC.
And if you were foolish enough to click on the link you would find yourself taken to a convincing-looking website.
Did you notice how they cheekily point you towards their “privacy notice” as they trick you into handing over your email address, name and date of birth?
Of course, you don’t have to be a security greybeard to know that it’s a good idea to check out the web address in the browser’s URL bar, but how many people do?
The truth is, as the organisation explains on its real website, HMRC will never inform you about a tax rebate via email:
HMRC will never send notifications of a tax rebate, or ask you to disclose personal or payment information by email. If you have any doubt that an email you receive from HMRC is genuine, please do not follow any links, disclose any personal details or respond to it. Please forward it to HMRC at firstname.lastname@example.org then delete it.
Take care folks, and don’t let a simple phishing email trick you into handing over your personal information to scammers and fraudsters.