A nondescript office block in West Yorkshire is on the front line in the battle against cyber crime in the UK. Roger Ratcliffe went to find out more.
Almost everyone has received at least one seemingly authentic email that is, in reality, the first step in an internet scam. Someone is attempting to withdraw funds from your bank account, it might read, so you are advised to click on this link and sign in to change your password.
In 2017, 17 million people in the UK succumbed to a variety of online rip-offs and found themselves out of pocket to the tune of a staggering £5.9bn.
The methods are getting more and more sophisticated, and every large financial organisation has set up a team of cybercrime busters. In the UK there is no bigger target for fraudsters than HM Revenue & Customs (HMRC), and one of its two special units for fighting cyber scams is based in Yorkshire.
There are over 30 million UK taxpayers, all of whom expect to receive legitimate communications about their tax returns, and criminals send out emails and texts, or phone people posing as tax inspectors, to try and extort money or obtain personal banking details.
From a shoe-box office block in West Yorkshire Don Wooller and his team constantly monitor suspicious emails, texts and websites, and their fight has had some notable successes. In the last year they presided over a reduction of 450 million of so-called “phishing” emails and recently claimed to stop almost all fake @HMRC.gov.uk emails ever reaching their customers’ inboxes.
In addition, they have closed down 16,000 websites attempting to masquerade as HMRC, an indication of the problem’s scale. Earlier this year, they forced a Panama company to hand over fake tax domains it had set up, including hmrc-onlines.co.uk, hmrc-tax.co.uk and hmrcsubmitareturn.co.uk.
HMRC has not revealed figures for scams resulting from its copycat emails, but the scale of the taxman’s anti-cybercrime operation suggests it is a serious problem. A spike in scamming activity is usually seen at the end of the tax year in April and self-assessment deadlines in September and January.
In his office, Don sits at a computer and calls up a typical email sent by one of the scammers. Although the sender appears to be HMRC, when he hovers his cursor over the sender’s name the real source is revealed: a long email address made up of random letters and numbers ending with “.bd” which is the top level domain for Bangladesh. Others might end with .ca for Canada but, says Don, the top level domain is not much of a clue to the email’s origin since webspace can be bought anywhere in the world.
But if this email sender’s address didn’t raise the recipient’s suspicions then the wording of the email should have done. It read: “You are informed that after reviewing your statements we have figured out that we owe you a tax refund of £265.84 GBP from the last tax year payments. It is our earnest request to you to please collect your refund from us by following the Get Started button you see in the next line.”
“Figured out” is not the usual language of Her Majesty’s tax inspectors, says Don, nor are they likely to issue an “earnest request.” Clicking the Get Started button leads to a web page with familiar HMRC branding, which tricks people into feeling reassured they really are due a tax windfall. All they have to do is fill in their bank account details, including security number, as well as personal information like driving license, national insurance numbers and mother’s maiden name.
Once they click to send the form they find themselves redirected to a web page that is actually the genuine website of their bank, which helps them to trust the process. But after inputting the details there is a shock in store, and not just that the refund won’t materialise. The now-compromised bank account will be accessed and plundered. Meanwhile, the personal information will be sold on the dark web, an area of the internet that requires special software for access and is favoured by criminals because it can be used anonymously. Such personal information will be attractive to anyone engaged in the business of identity theft.
Closing down malicious websites like the one mimicking HMRC’s in the scam is all part of the daily routine for Don and his team. “Sadly,” he says, “this has resulted in criminals using different approaches to deceive the public, including the use of SMS phone text phishing, which we call smishing. The volumes of smishing attacks grew significantly during 2016 and 2017 and evidence shows that people are more than nine times more likely to be duped by phone text attacks than by email because they can appear very credible.”
This is how it works. A text that looks like it’s officially sent by HMRC says you are due a tax refund. A clickable link then leads to a seemingly credible website which requires you to enter your personal banking details in order to receive the refund.
The payment doesn’t materialise, of course. Instead, as with the email scam, money is stolen from the victim’s bank account.
Once a scam is identified and the fake website that harvests taxpayers’ details is closed down, the HMRC makes sure that anyone trying to access it is redirected to its own genuine pages.
Don believes that the reason customers fall for texts more than emails is that they receive phone messages instantly rather than wait to log on to email accounts later.
To counter smishing his team came up with a way of tagging HMRC texts with what are called alpha tags, showing the identity of the sender. “But then the bad guys got cleverer,” Don says. “They realised they could do that as well. They started using the same tags, so effectively you might get a genuine message from us to say it’s time to fill in your tax return, and the criminals were managing to attach messages to the same string. It looks credible and there’s a good chance people will fall for that.”
This was another huge challenge to the Yorkshire cybercrime team, but Don says they were not going to be beaten. “We just rolled up our sleeves again to help protect our customers.”
The result was an innovative scheme to identify any fraudulent texts which looked like they were sent by HMRC, and stop their delivery to mobiles. This pioneering work recently won Don and his team a national award for digital security initiatives.
Unfortunately, HMRC’s success in closing down such frauds has forced some scammers to resort to what Don calls their old “boiler room” method of obtaining money – cold calling by phone. Audaciously, some have even convinced tax payers to pay “overdue” amounts by sending iTunes vouchers to a PO box address. This led to HMRC asking big retailers like supermarkets to alert staff to the scam and query any large purchases of vouchers.
So has Don ever met any of the cyber criminals engaged in scams? “I haven’t, no. We work in the shadows. I might have passed one on the street, but I’ve never knowingly met one face to face.”
Advice on what to look out for
Globally, 978 million victims lost a total of £130bn as a result of cybercrime.
There are things we can do, the experts say. In emails and texts HMRC and banks never include links to verify passwords and account details.
HMRC will never send emails, texts or phone you about a tax rebate or penalty, and never address you as “Dear Account Holder” or with another generic greeting.
Suspicious emails claiming to be from HMRC should be forwarded to firstname.lastname@example.org - Forward suspicious texts to 60599.
If you believe you have been duped by an internet scam, report it immediately to Action Fraud on 0300 123 2040. Ask your bank for specific advice from its cyber fraud unit.