Mobile Security

The HMRC Tax Return text message

So this one involves your mobile phone. It’s about a text message I received recently, supposedly from the HMRC. For those of you outside the UK, the HMRC is the revenue and customs service. It’s where you pay your taxes, like the IRS in the US and similar agencies elsewhere.

The message comes from +447392014366 and reads as follows:

Records show your are due a tax return of up to £485. Please follow the link to calculate and claim your refund.

https://gov.hmrc-tax-return.com/

Now, wonderful, the HMRC owes me money … I started thinking about what to buy with this extra swag … but as usual, these things are too good to be true.

While I do admit that the HMRC contacting you because you paid too much tax (or too little, for that matter) is a perfectly legitimate thing to happen, this one was a bit odd, because I had in fact completed a tax return form just a couple of months ago. So for me this was immediately and obviously suspicious. But in case you haven’t recently completed your tax return and are not too tax savvy, read on for how to identify the other obvious issues with this message.

First things first: the HMRC does not usually send you text messages. They would normally send you a letter in the post, the brown kind of envelope, which, if you live in the UK, you know not to ignore. The old-school way, with the nice postman (or postwoman) posting it through the letterbox or knocking on your door.

Now, to cut them some slack, they are kind of modern as well, so if you give them your email address and register with their service, they will also contact you via email. But again, they would never send a message saying “we owe you £500”, but rather something like “you have an important notice regarding your tax, please log into your tax account to read it”. And there will also be a note at the end saying “we would never send you information in an email or a text message, please always log into your tax portal or contact us via phone or other contact options” (or something to that effect; I am not actually quoting this).

Now, that aside, let’s look at this actual text message, and identify the two problems I see in their two sentences:

Records show your are due a tax return of up to £485.

Up to? What do they mean, up to? They don’t actually know how much they owe me? I don’t think so. Red flag.

Also, notice the website that they offer you to click to get your money:

https://gov.hmrc-tax-return.com/

The problematic part is the domain name, hmrc-tax-return.com. The HMRC is a public service website and has a very distinct URL of https://hmrc.gov.uk/

This message does not come from a GOV.UK website, but from an hmrc-tax-return.com website, which anyone can register. This is a common attack called “subdomain takeover”, where attackers hope that your lack of attention and lack of knowledge, combined with a social engineering lure promising instant monetary gain, will get you to click their link, which could make all kinds of bad things happen. There is an array of possibilities hidden behind that simple click, including installing malware on your phone, taking control of your phone, stealing your personal information, etc.

Or it could be something as innocent as someone trying to sell you a tax return preparation service. However, a legitimate, professional and serious company that complies with GDPR would never contact you without solicitation, so at the end of the day this kind of sales tactic is still illegal.

When it comes to clicking links, you should always be vigilant about where the link actually takes you. Make sure the top-level domains (.com, .org, .gov, .gov.uk, etc.) are always AT THE END of the host name, that is, the part of the URL just before the first slash after https://. If there are any more .coms or .nets after the .gov, this is obviously a subdomain takeover attack and you should not click the link.
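As an added illustration of the domain check described above (this is not code from the original post), the following Python example pulls the host name out of a link, works out which domain actually owns it, and compares that owner with an assumed allow-list. The public-suffix table and the trusted-domain set are constructed for this post and are deliberately tiny; a real tool would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed: a minimal public-suffix table covering the names in this post.
# "gov.uk" is a shared suffix, so the owner-controlled label sits one level
# deeper than it does under a plain ".com".
PUBLIC_SUFFIXES = {"com", "net", "org", "gov", "uk", "co.uk", "gov.uk"}

# Assumed allow-list of registrable domains HMRC may legitimately link to.
TRUSTED_DOMAINS = {"hmrc.gov.uk", "www.gov.uk"}


def registrable_domain(host: str) -> str:
    """Return the public suffix plus one label: the part someone registered."""
    labels = host.lower().rstrip(".").split(".")
    # Scan from the full host downwards so the longest known suffix wins.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return suffix  # the host is itself a public suffix
            return ".".join(labels[i - 1:])
    return ".".join(labels)  # unknown suffix: treat the whole host as the owner


def classify_link(url: str) -> tuple:
    """Return (verdict, owner) for a link found in a message.

    "trusted"   - owner is on the allow-list
    "lookalike" - owner is not trusted but the host borrows trusted words
    "untrusted" - everything else
    """
    if "://" not in url:
        url = "https://" + url  # bare hosts as they often appear in SMS
    host = urlsplit(url).hostname or ""
    owner = registrable_domain(host)
    if owner in TRUSTED_DOMAINS:
        return ("trusted", owner)
    # Simple heuristic: a non-trusted owner dressing itself up with "gov" or
    # "hmrc" anywhere in the host is exactly the pattern in this message.
    if "hmrc" in host or "gov" in host:
        return ("lookalike", owner)
    return ("untrusted", owner)


if __name__ == "__main__":
    for link in ("https://gov.hmrc-tax-return.com/", "https://www.hmrc.gov.uk/"):
        print(link, "->", classify_link(link))
```

The scam link resolves to the owner hmrc-tax-return.com, while the "gov" sitting in front of it is just a subdomain label the registrant chose.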

To conclude: by now you are pretty certain this message is not from the HMRC, and what you should NEVER DO is click on that link or forward the message, as you would be putting yourself or someone else at risk.

For research purposes and to show you what happens if you do click, I was very tempted to click on this link, but I decided against it because it came on my personal phone, and my phone is too precious to expose it to this risk for the sake of a blog post. (sorry).

What I did instead (and what you should do as well) was to delete the message immediately and block the number.

At the end of the day, and after reading this post, you should be a little better equipped with a basic understanding of how to recognize potential scams and risks to your devices.

Stay safe. Educate others. Share.