Cybercriminals must be rubbing their hands in glee that the pandemic still has a grip on the world. They jumped on people’s fear as soon as news broke and have continued to exploit it ever since.

The latest scams are spoof emails pretending to be from the UK Government or the IRS in the USA. These phishing emails use one of the oldest tricks in the book, luring you in with claims that you’re entitled to a tax refund – this time because of coronavirus.

It’s a cunning trick because so many people are facing the strain financially and the ‘news’ that they’re entitled to a rebate because of hardship can tempt them to click the link.

As with all phishing emails, the links lead to a web page where the victim enters their name, address and other personal details (or social security number and photo ID details) – enough for criminals to steal their identity, open bank accounts and apply for credit.

Typically the details are then sold at a premium on the dark web, where they can be used for money laundering, and it is the victim the police will come after for those crimes.

Fake HMRC website

The research team at NortonLifeLock Labs have seen many examples of these emails, including the one above, which is supposedly from the UK’s HMRC and claims that “the government has established a tax refund programme for dealing with the coronavirus outbreak”.

If you fall for this scam, which comes from ‘[email protected]’, you’ll be taken to the convincing page below, which asks you to enter your full name, email address and date of birth. These fake websites then ask for your bank or card details (including the three-digit security code) so that the ‘refund’ can be paid to you.

Fake HMRC website (Image: NortonLifeLock)

But this, as the team at NortonLifeLock say in their blog post, should be a major red flag: governments never ask you to confirm these sorts of details for a payout.

Ultimately, this is simply a new twist on an age-old scam and the advice to avoid getting caught out is the same as ever:

  1. Check the sender of the email and look at the language used (most are crudely put together and don’t address you personally).
  2. Look at what it’s actually saying and check whether what’s being offered is true: get in touch with HMRC or the IRS independently and find out whether you are really due a refund.
  3. Hover over any link to see which website it will take you to. Look up the correct URL for the government or financial service in question and compare the two to see whether the link is genuine.
  4. Avoid entering personal information unless you are absolutely sure the website is the real deal.
  5. Don’t give out personal information on the phone, and don’t reply to emails or text messages that you weren’t expecting.
  6. Use good security software which can warn you of dangerous and fake websites before you visit them or enter any personal details.

It's usually quite obvious if the website is fraudulent, as the URL won't match the genuine one. For HMRC, that's https://www.gov.uk/ and for the IRS it's https://www.irs.gov/. Go to those sites directly and navigate to the sign-in page or whatever information you require.
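As an added illustration of the "compare the URL" check above (example code written for this article, not tooling from Norton or SE Labs), this Python function extracts the hostname from a hovered or defanged link and accepts it only when it is, or sits under, one of the official domains named above. The lookalike links in the sample are constructed, and the naive substring check is included only to show why it is not enough.

```python
from urllib.parse import urlsplit

# Official hosts named in the article for HMRC and the IRS. A link is accepted
# only if its hostname is exactly one of these or a subdomain of one of them.
OFFICIAL_HOSTS = ("www.gov.uk", "gov.uk", "www.irs.gov", "irs.gov")


def refang(url: str) -> str:
    """Undo the hXXp / [.] defanging used in threat reports so the URL parses."""
    return url.strip().replace("hXXp", "http").replace("[.]", ".")


def link_hostname(url: str) -> str:
    """Return the lowercase hostname only, ignoring user@ prefixes, port and path."""
    clean = refang(url)
    parts = urlsplit(clean)
    if not parts.scheme:  # hovered links are often shown without a scheme
        parts = urlsplit("http://" + clean)
    return (parts.hostname or "").lower().rstrip(".")


def is_official(url: str, official_hosts=OFFICIAL_HOSTS) -> bool:
    """True only when the link's real hostname belongs to an official domain."""
    host = link_hostname(url)
    if not host:
        return False
    return any(host == h or host.endswith("." + h) for h in official_hosts)


def naive_contains_check(url: str) -> bool:
    """The mistake to avoid: looking for the official name anywhere in the URL."""
    return "gov.uk" in url or "irs.gov" in url


# Constructed sample links (not real sites) showing the lookalike tricks.
SAMPLE_LINKS = [
    "https://www.gov.uk/sign-in",                           # genuine
    "https://www.irs.gov/refunds",                          # genuine
    "hXXps://gov[.]pandemic-example[.]org/covid-19/login",  # 'gov' as a subdomain
    "https://www.gov.uk.refund-example.net/refund",         # official name as prefix
    "https://www.gov.uk@refund-example.net/refund",         # user@ trick hides real host
    "hXXps://irs-gov-example[.]com/",                       # lookalike registration
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{link:55} host={link_hostname(link):32} official={is_official(link)}")
```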

The team at Norton have put together these lists of sites to watch out for. Note that they've been modified here so they're not real links, so you can't accidentally click on them.


Hacking banks or your computer is much harder than ‘hacking’ you, which is why this type of scam is becoming more and more common. You are the weakest link in the security chain and while security software does a great job of combatting viruses and other internet nasties, it can only go so far in warning you that it’s not a good idea to click on links in emails or start handing over your card number on the phone.

Simon Edwards, CEO of SE Labs, says that it's really quite simple to protect yourself. "People are very clever, which is why we spot unusual things really well. Technology can be abused to confuse us, such as hiding a website's real address, but generally we can 'smell a rat'. Unfortunately, the attackers are really devious too. And highly motivated. They know as well as any psychologist how we tick and how to tap into our weaknesses. And they know how to use computers to catch out even the most wary."

"The simplest and most effective advice is to manually type in web addresses. It's less convenient than clicking on a link sent to you by email or SMS, but if you want to visit websites belonging to HMRC, the Home Office or your bank then a quick search on Google will give you the obvious pages to visit. Save them to your bookmarks if you're likely to visit again anytime soon. A password manager can add some convenience to this way of working."
