Phishing scams have become increasingly sophisticated, targeting iPhone users with texts that can’t be blocked or easily reported. Recently, a phishing message circulating on iMessage claimed that users were eligible for a tax refund from HMRC, directing victims to a fraudulent website with “Gov” and “HMRC” in the URL. Although these messages appear to come from GOVUK, they are sent via business accounts, making it impossible for users to block or forward them to Ofcom’s anti-spam number 7726.
The Mechanics of Phishing
Fraudsters have found clever ways to disguise phishing messages as legitimate business communications. Erich Kron, a security awareness advocate at KnowBe4, emphasises that users should never trust a message solely based on the display name. Fraudsters often buy hacked business accounts on the dark web, change the display name to a trusted entity like GOVUK, and send out phishing messages. Even if a message appears to come from a reputable source, it’s essential to remain cautious.
Kron explains that changing the display name in iMessage is a simple process, which is why relying on it as proof of identity is risky. Fraudsters commonly purchase compromised Apple or social media accounts or steal them from legitimate businesses to stage their attacks. Once they gain access to these accounts, they can send phishing messages under the guise of a trusted entity.
The Role of Social Engineering
Another common tactic is social engineering, where fraudsters manipulate individuals into revealing their passwords and multifactor authentication codes. Once they have this information, they change the account name to something trustworthy like GOVUK and use it to send out phishing texts. This method is particularly effective because the messages appear legitimate.
Phishing attacks can be delivered through various communication mediums, including email, SMS (smishing), social media messages, and phone calls (vishing). Darren Guccione, CEO and co-founder of Keeper Security, points out that a common trick used in these scams is “spoofing,” where fraudsters make slight changes to a name or email address to impersonate a trusted entity. These messages often contain urgent language designed to elicit a quick response.
How to Protect Yourself
It’s crucial to remain vigilant and treat any unexpected message with extreme caution, especially if it promises money or threatens a negative outcome. Here are some key steps to protect yourself from phishing scams:
- Verify the Source: Always check the information through official channels. For example, if you receive a message about a tax refund, visit the official HMRC website directly or contact them through verified means.
- Avoid Clicking Links: Never click on links in unexpected messages. Instead, navigate to the website manually or use a known phone number or email address to contact the organisation.
- Report Suspicious Messages: If you receive a suspicious message and cannot forward it to 7726 (SPAM), do not respond. Instead, contact the purported sender directly using official contact information.
Staying Informed and Aware
Phishing scams often begin with a seemingly harmless email or text message, but they can lead to devastating consequences. Many victims have lost their entire life savings to these types of scams. This highlights the critical importance of remaining vigilant. Fraudsters frequently use scare tactics, such as threatening fines or imprisonment, to pressure individuals into making hasty decisions.
If you encounter any suspicious communication, it’s crucial to ignore it and conduct your own investigation into its legitimacy. Always verify the source through official channels, and never provide personal information in response to unsolicited messages. Staying informed and cautious can help protect you from becoming a victim of phishing scams.
