HMRC tax return phishing twice as likely to defraud users

Banks urge customers to protect themselves from increasingly clever cybercriminals by downloading and installing Trusteer Rapport

London, UK, 1st February 2010 – Reports about a phishing scam involving an HMRC tax refund prove the increasing ingenuity - and topicality - of cybercriminals, says Trusteer, the browser security and fraud prevention specialist.

"Our research of millions of Internet users shows that the HMRC attacks are twice as successful as banking phishes for the simple reason that taxpayers are tempted by the prospect of a cash rebate direct to their bank account," said Mickey Boodaei, Trusteer's CEO.

"The `carrot' of free cash also persuades many Internet users to lower their normal credulity guard and, when they see a choice of bank sites from the `HMRC landing page' they click on the link and immediately start entering their bank and other personal details," he added.

The net result of this is not, he went on to say, a credit to the recipient's bank account, but usually a fraudulent debit - or series of debits - that empty the account by cybercriminals.

Mick Paisley, Head of information security and business resilience for Santander, explained: "There is no end to the tricks fraudsters will use to try and pull the wool over the eyes of an unsuspecting public. The nature and timing of this phishing makes it hard for people to ignore the promise of money back from anyone is interesting, the promise of money back from the Tax man is, to many people, far too good to let pass.

"Unfortunately, this type of timely attack could see many people falling for it. We would urge all Alliance & Leicester customers to do all they can to protect themselves. First, be wary when clicking on a link in an email from an external source. Most importantly, our Internet Banking customers should download and install the free Trusteer Rapport software, which protects users from sharing their banking details with these fraudsters, while also allowing us to take aggressive action to take down these criminal sites as quickly as possible."

According to Boodaei, when Internet users receive what appears to be a free cash giveaway, or deal that looks very tempting, the first thing they should do is move away from the computer and make a cup of tea, coffee or another favourite beverage.

They should then sit down with their beverage, fire up a search engine and look for reports of a possible scam on the Net.

For example, he says, entering the words `HMRC tax refund email' into Google returns a series of links, the first one of which says: HM Revenue & Customs (HMRC) would not inform customers of a tax rebate via email, or invite them to complete an online form to receive a rebate of tax...'

“In much the same way that banks would never discuss sensitive financial matters by email, so revenue and customs would not discuss financial matters such as tax refunds by email. In any event this kind of message also falls into the ‘too good to be true’ category used by online fraudsters,” said Nick Staid, Director, Get Safe Online.

This search engine approach works well with most emails that appear to be too good to be true as the chances are that other Internet users have received a similar message and carried out their own research, the Trusteer CEO explained.

Boodaei says that the rate of HMRC phishing attacks has been pretty constant throughout the year. About 1 in each 3 financial phishing attacks in the UK is targeting HMRC.

The victim lands at a Web page that is similar to the HMRC Web site where they are requested to click on their bank's logo - most attacks will show logos for 5 to 10 UK banks. When the victim clicks on one of the logos they arrive at a fraudulent Web site that looks like the bank where they are requested to log on.

"It's at this point their login information is being stolen," he said.

Trusteer has found that HMRC is the perfect phishing target for various reasons:

Firstly it allows the cybercriminals to set one page and one email message that target all banks at once, instead of setting a different message for each bank. This is much more efficient.

Secondly, while many online bankers know not to follow links to their bank's Web site, a message from HMRC seems less suspicious and less educational effort was put in place not to open HMRC emails.

For these reasons users are more likely to fall prey to HMRC phishing attacks. Many of the phishing pages are hosted on legitimate compromised sites and Trusteer has even seen government Web sites across the world hosting HMRC phishing attacks.

Cybercriminals, says Boodaei, are using automated tools to generate these attacks and therefore they can generate a high volume of attacks in a very short space of time.

As well as using the search engine method of researching the provenance of 'emails bearing gifts,' Trusteer recommends against users clicking on links within emails.

Trusteer recommends that users type in the name of the institution whose Web site you are trying to access. In addition, before submitting login information check that the Web site uses HTTPS and a padlock appears in the Web browser to confirm a secure connection.

"The major banks are using EV-Certificates which means the address bar should turn green and the name of the institution will appear on the bar. Banks employ highly professional security experts and are closely monitoring the problem. Their advice is the most likely to keep you away from fraud," he said.

"Our Trusteer Rapport system now in use by RBS, Natwest, Santander, HSBC, and others constantly monitors HMRC phishing attacks against online bankers. In addition to blocking these attacks and reporting them to subscribing banks, the system is also capable of monitoring attack trends and inform banks of the main threats their customers are facing over time," he added.

"This valuable information allows banks to mitigate these threats in various ways, reducing the level of threat and potential losses."

For Example screenshots of HMRC phishing sites see and

For more on Trusteer:

Alliance and Leicester customers can download Rapport from the following link:

For more on the HMRC tax rebate phishing scam:

Rapport from Trusteer is a lightweight browser plug-in plus security service that prevents criminals from tampering with a user’s browser and protects against man-in-the-browser, man-in-the-middle, and phishing attacks. When users browse to sensitive websites such as internet banking, Webmail, or online payment pages, the Rapport plug-in immediately locks down the browser and prevents any unauthorized access to web pages and confidential information that flow through the browser. Trusteer also offers in-the-cloud reporting services. When unauthorized access attempts are detected by Rapport, these are analyzed by fraud experts who provide actionable intelligence to financial institutions.

Trusteer enables online businesses to secure communications with their customers over the Internet and protect PII from a user's keyboard into the company's Web site. Trusteer's flagship product, Rapport, allows online banks, brokerages, healthcare providers, and retailers to protect their customers from identity theft and financial fraud. Unlike conventional approaches to Web security, Rapport protects users' PII even if their computer is infected with malware including Trojans and keyloggers, or is victimized by pharming or phishing attacks. Trusteer is a privately held corporation led by former executives from Cyota/RSA Security, Imperva, and NetScreen/Juniper. For more information visit

Source: Eskenzi PR Ltd.