SMS tax scam unmasked: Bogus but believable – don’t fall for it!


Every month of the year has some sort of tax relevance somewhere in the world, and tax scamming cybercrooks take advantage of the many different regional tax filing seasons to customise their criminality to where you live.

In the UK, the 2019/2020 tax year ended on 05 April 2020, and the deadline for filing your taxes electronically was 31 January 2021.

With a January filing deadline, it’s not surprising for UK tax refund scams to kick in about now.

After all, everyone loves a refund, although they’re usually very modest in the UK if you get one at all, because your employer (if you have one) is supposed to get the tax calculations that they do on your behalf pretty close to the target.

So we weren’t surprised, although we were disappointed, to receive our first SMS-based tax scam of the season last night, helpfully submitted by a Naked Security reader:

SMS message allegedly from HMRC, the official name of the UK tax office, delivered via a UK mobile number:

[HMRC] A tax rebate of £278.44 has been issued to you for an over-payment in year 2019/2020. Please click the link to proceed: https://www.hmrev.customs.[REDACTED].com

(HMRC is short for Her Majesty’s Revenue and Customs, and using that abbreviation in the UK is as usual and as expected as saying IRS in the United States.)

As regular Naked Security readers will know, there’s still a significant sector of the cyberunderworld that goes in for smishing, as SMS-based phishing attacks are colloquially known, for three simple reasons:

  • Everyone with a mobile phone can receive SMS messages. There’s no need to guess which internet-based messaging apps you’ve signed up for, because anyone with a phone that can receive calls can receive SMSes too.
  • SMSes are limited to 160 characters, including any web links. So there’s much less room for crooks to make spelling and grammatical errors, and they don’t need to bother with all the formalised cultural pleasantries (such as “Dear Your Actual Name”) that you’d expect in an email.
  • Links in phone messages take you straight to your phone’s browser. Mobile browsers generally have much less screen space to show you the sort of security details that you can access from your laptop browser. Once you’ve tapped on the link and the browser window has filled the screen, it’s harder to spot that you are on an imposter site.
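The message above is a good test case for the kind of automated triage a defender can run over SMS reports before anyone taps a link: pull out the URLs, look at the host the browser would actually be sent to, and flag hosts that borrow the tax office’s name while sitting under somebody else’s domain. The script below is an added example, not code from the article or from Naked Security; the sample messages are constructed (the scam text mirrors the one quoted above, with its redacted domain replaced by an obvious placeholder), and it assumes that gov.uk is the only domain under which the real HMRC would send you.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages, not real traffic. The first mirrors the scam
# quoted in the article, with the redacted domain replaced by a placeholder.
SAMPLE_SMS = [
    "[HMRC] A tax rebate of £278.44 has been issued to you for an over-payment "
    "in year 2019/2020. Please click the link to proceed: "
    "https://www.hmrev.customs.placeholder-redacted.com",
    "Reminder: Self Assessment returns are due 31 January. Sign in at "
    "https://www.gov.uk/log-in-register-hmrc-online-services",
    "Your appointment is confirmed for Tuesday. Reply STOP to opt out.",
]

# Assumption: the genuine tax office only ever links under gov.uk.
TRUSTED_DOMAINS = {"gov.uk"}

# Words a lookalike hostname is likely to borrow to look official.
BRAND_WORDS = ("hmrc", "hmrev", "customs", "revenue", "tax")

# Phrases typical of refund lures in the message body itself.
LURE_WORDS = ("rebate", "refund", "over-payment", "overpayment")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return every http(s) URL in the message, trailing punctuation stripped."""
    return [m.rstrip(".,;:)") for m in URL_RE.findall(text)]


def is_trusted_host(hostname):
    """True if the host is a trusted domain or a subdomain of one."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def analyse_sms(text):
    """Classify one SMS as 'ok', 'untrusted-link' or 'suspicious'.

    'suspicious' means a link points outside the trusted domains AND either
    the hostname borrows a brand word or the body carries a refund lure.
    """
    lowered = text.lower()
    has_lure = any(w in lowered for w in LURE_WORDS)
    findings = []
    for url in extract_urls(text):
        host = (urlparse(url).hostname or "").lower()
        if is_trusted_host(host):
            continue
        borrowed = [w for w in BRAND_WORDS if w in host]
        findings.append({"url": url, "host": host, "borrowed": borrowed})
    if not findings:
        return {"verdict": "ok", "findings": findings}
    if has_lure or any(f["borrowed"] for f in findings):
        return {"verdict": "suspicious", "findings": findings}
    return {"verdict": "untrusted-link", "findings": findings}


if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        result = analyse_sms(sms)
        print(result["verdict"].upper(), "-", sms[:60].replace("\n", " "))
        for f in result["findings"]:
            print("   host:", f["host"], "borrows:", f["borrowed"] or "-")
```

The check deliberately keys on the hostname rather than on the whole URL string, because that is the part a mobile browser will show least of once the page fills the screen: a path full of reassuring words costs the crooks nothing, while the registrable domain is the one thing they cannot borrow from the real site.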