It’s estimated that more than 80% of data breaches are initiated by the recipient dealing with a ‘phishing’ email inappropriately. So, what is happening?
‘Phishing’ emails are emails designed to get you, the recipient, to divulge personal/sensitive data to an unauthorised third-party (a.k.a. ‘scammer’).
The image is a screen grab of one we received today. Looks good, doesn’t it? It’s a very reasonable copy of the genuine HMRC emails that we get from time to time. But it’s definitely not!
The idea of the scam is to get you to click the inviting blue button to “view the important message’. This will take to a website – not HMRC, but one controlled by the scammers. I have no doubt that it too will look pretty much exactly like the official HMRC one. You will enter your HMRC login credentials into the inviting boxes you find there. And – bingo! – the scammers now have your HMRC login details.
“Ah ha” you cry! “I have 2FA set up” – I need to type the security key from my phone in addition to the username & password. This is not a problem. One way around this is that when you attempt to log in the fake website the login will be rejected for some spurious reason. The scammer has been alerted, and is now monitoring your actions. He’s on the real HMRC website with your login details entered. The fake website now asks you to login again. This time the scammer is waiting, sees the 2FA token you type in. And, as long as he can do it within the expiry time of the 2FA token, he now is into your account free and clear. Which won’t end well for you!
How do you protect yourself against this sort of attack? Firstly nothing can be better than your own common sense and attention to detail. Be suspicious of absolutely everything.
You can start by hovering your mouse over the blue button (don’t click it!!). In most cases this will reveal the true destination of the button click. In this case the destination website is ‘hairyerotica.com’ – which doesn’t sound like HMRC to me! Just be aware that this might not work well on your smartphone, so be really careful with this.
If it looks OK then you can proceed. If there’s the slightest element of doubt use the ‘sandbox‘ feature of your PC’s security endpoint. If a webpage opens make sure it really is where you expect to be (e.g. if it’s not .gov.uk then run a mile). Look at the SSL data. There’s a chance that your PC’s security endpoint will have a database of dodgy websites & jump in to protect you – but this isn’t 100%. There’s a new generation of protection systems designed specifically to protect you from this type of threat which are maturing as we speak. As ever, you can always give us a ring.