Catches of the month: Phishing scams for July 2020

As we enter the second half of the year – and the fourth month of lockdown restrictions in the UK – the security threats posed by COVID-19 rage on.

Indeed, the cycle of attacks has been evolving so rapidly that fraudsters are circling back to a scam they had great success with earlier in the pandemic.

We provide a detailed breakdown of how it works in this blog, where we also discuss a phishing scam targeting WordPress website administrators.

Fresh wave of fake COVID-19 tax rebates

Scammers are again sending text messages purportedly from HMRC, claiming that recipients are entitled to a tax rebate.

This was one of the first widely reported phishing scams to exploit the coronavirus, when it was particularly successful because it came at a time when people were concerned about being furloughed and the overall economic fallout of the pandemic.

Warnings about the scam became so prominent that, by early April, scammers abandoned it almost entirely. However, Griffin Law recently announced that its staff had been targeted by a new version of the campaign.

It begins with a text message supposedly from HRMC, and directs users to ‘’ in order to receive their tax rebate.

Although you might mostly associate phishing with email scams, it’s becoming increasingly common for attacks to begin by text, as in this instance, or by social media.

There are several reasons for this. First, texts and instant messages are suited to shorter messages, which means there is less chance that a grammatical error could tip the scammer’s hand.

Similarly, scammers don’t need to worry about replicating the design and imagery of a legitimate brand’s email correspondence.

Another reason is that most email systems have spam filters that detect the majority – although definitely not all – scam emails, whereas that’s not the case with texts.

Consequently, more messages will reach recipients, and those that follow the link won’t be alerted to an insecure page – which might cause them to re-evaluate the authenticity of the message.

The Griffin Law employees who followed the link were directed to a website that looks very similar to the UK Government’s site.

The page asks visitors to fill in their personal details, including their name and home address, before it supposedly calculates the refund that they are entitled to – although no matter what information you provide, the sum is always £324.37.

From there, users are asked to provide their full payment card details and, in a new twist, their passport number to verify their identity.

The breadth of information that this scam targets makes it incredibly dangerous. Anyone who hands over everything that’s asked of them is at risk of a range of attacks, including payment card fraud and identity theft.

Griffin Law said that around 80 self-employed London-based workers had reported receiving the scam to their respective accountant.

According to Stav Pischits, the CEO of the London-based cyber security firm Cynance, the targets of the scam were chosen because they were all company owners or registered directors, and therefore have the responsibility of being an employer and managing staff salaries.

As such, anyone who holds a similar position in their organisation should be especially vigilant – although it bears reminding that anyone is a potential victim of this scam.

See our dedicated blog on coronavirus phishing scams for more stories like this.

WordPress admins targeted by fake DNS updates

Researchers at Sophos recently discovered a phishing scam that imitates WordPress and targets website owners and administrators.

The message claims that DNS (domain name server) security features will soon be added the recipient’s website domain. All you need to do is log in and upgrade your site.

The update that the scam refers to – DNSEC (DNS Security Extensions) – really exists. It’s a protocol that adds authentication to DNS data transfers, mitigating the risk of cyber criminals spamming the DNS database with bogus entries and thus hijacking web traffic.

You can therefore understand why recipients would fall for the scam, even if they took the time to research the content of the message.

Indeed, there’s nothing about the email layout that lets on that it’s a scam. The sender’s email address reads simply ‘WordPress’, the subject line is tailored to the victim and it uses logos and a layout that is consistent with a genuine email from WordPress.

The same is also true of the site that users are sent to if they follow the link. It presents a ‘WordPress Update Assistant’ login page, which asks users to provide their credentials.

Users who provide their details are directed to a 404 error page – which may clue vigilant people in that something suspect has happened. However, we imagine many victims might think it’s simply an error on their end.

Can you spot a scam?

Make sure your staff know how to identify and avoid scam emails with our Phishing Staff Awareness E-Learning Course.

This 45-minute course uses examples like the ones above to explain how phishing emails work, what to look out for and the steps you should take to avoid falling victim.

No Responses