Users in the UK should be on the lookout for census-themed phishing attacks, according to Paul Ducklin at Naked Security. Participating in the census is mandatory in the UK, and people who didn’t complete the census by the March 21st deadline will begin receiving warning letters informing them that they could be fined £1000 if they fail to send in their form.
Cybercriminals are taking advantage of this by sending text messages telling recipients that their census application is missing information. That wording means even people who have already completed the census will want to click the link. The link leads to a convincingly spoofed phishing site designed to steal their personal information.
Ducklin offers the following recommendations to help people spot phishing scams:
“Check the domain name on websites carefully. UK government sites should end in gov.uk. It’s hard for crooks to get control of one of those – they can’t just be bought online like .com domains can. Also, watch out for domain names where the left-hand end looks legitimate, but the right-hand end says that it belongs to someone else, as in a name like census.gov.uk.example.com. The person who owns example.com also owns and can use all domain names that end with that name, not just plain example.com itself.
“Don’t use links in text messages or emails. The Census 2021 website is well-known and easy to find through reliable sources, including printed on the Census snail-mail you ought to have received. If you find your own way to a website where there is supposedly an “issue”, you won’t get suckered by fake links – whether that’s a “problem” with your bank, a “missed” home delivery or an online “order” you never actually placed.
“Be extra cautious of links in text messages (SMSes). Text messages are short, simple and often written in abbreviated English, so the crooks are much less likely to make spelling and grammatical errors that might otherwise tip you off.”
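Ducklin’s point about reading a domain name from the right-hand end is easy to get wrong in code, so here is an added example (not from Naked Security or the article) of a URL check that decides ownership the way the DNS does. It assumes a small, constructed subset of the Public Suffix List; a real checker would load the full list.

```python
"""Decide whether a URL really belongs to a UK government (gov.uk) site.

The lure in the article uses a host such as census.gov.uk.example.com: the
familiar part sits on the left, but the owner is decided by the right-hand
end. So we parse the URL properly and compare labels from the right instead
of searching for "gov.uk" anywhere in the string.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List (assumption for this example;
# load the real list from publicsuffix.org in production code).
PUBLIC_SUFFIXES = {"com", "net", "uk", "co.uk", "org.uk", "gov.uk"}


def hostname_of(url: str) -> Optional[str]:
    """Return the lower-cased hostname of a full URL, or None if it has none.

    urlsplit().hostname already discards userinfo (gov.uk@example.com) and the
    port, two common ways of dressing up a hostile host. A bare name without a
    scheme ("census.gov.uk/form") has no netloc and therefore no hostname.
    """
    host = urlsplit(url).hostname
    if not host:
        return None
    return host.rstrip(".").lower()  # a trailing dot is the same name


def registrable_domain(host: str) -> Optional[str]:
    """Return the part of the host that somebody actually registered.

    Scan suffixes from the left so the longest public suffix matches first;
    that suffix plus the single label to its left is what the registrant
    controls, and everything further left is theirs to invent
    (census.gov.uk.example.com -> example.com).
    """
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None  # unknown top-level domain: treat as not registrable


def is_uk_government_url(url: str) -> bool:
    """True only when the registered name sits directly under gov.uk."""
    host = hostname_of(url)
    if host is None:
        return False
    if host == "gov.uk":
        return True
    reg = registrable_domain(host)
    return reg is not None and reg.endswith(".gov.uk")
```

Hosts like `census.gov.uk.example.com` and `gov.uk@example.com` both resolve to an owner of `example.com` and are rejected, while `CENSUS.GOV.UK.:443` is accepted because the right-hand end is what counts.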
New-school security awareness training can help your employees recognize red flags associated with social engineering attacks. And keep a careful eye on text messages: they’re not all LOL.
Naked Security has the story.