The country’s premier cyber security agency – CERT-In – has cautioned against a malicious ‘SMShing’ fraud where fake messages are being sent to people in the name of the Income Tax Department saying their refunds have been approved, with an aim to steal the recipient’s vital personal details and put them on the dark net “for sale”. The warning, that also acts as an advisory, comes at a time when the income tax returns filing season is on and the Central Board of Direct Taxes (CBDT) has sometime back extended the deadline to do till August 31.
Recently, some people wrote on social media platforms that they had received such messages. The Indian Computer Emergency Response Team (CERT-In), the national nodal agency for responding to computer security incidents, said once a person clicks on the SMShing (made of SMS and phishing) link, he/she runs the risk of either his/her personal details being “put up for sale on the dark web” (clandestine web), or even their IT department records “altered” by misusing their e-filing credentials. The advisory describes as to how such fake SMSes could be identified.
“There have been increased reports of incidents related to fake SMS purportedly from Income Tax Department as the filing of IT returns nears. This SMShing campaign uses popular URL (universal resource locator) shortening services such as bit.ly, goo.gl, ow.ly and t.co among others,” it said. It then goes on to describe the modus operandi of such attack.
“The message in the SMS tells the recipient that their income tax refund for a certain amount has been approved and will be credited shortly in his bank account. This is followed by an incorrect bank account number. Message reads to the recipient to verify the given bank account number and if found wrong, then visit the shortened bit.ly link given in the message to update his bank record. “The bit.ly link is leading to phishing web-pages. Since the bank account number in the SMS is wrong, a number of recipients are enticed to click on the website link. Clicking on the link in the SMS, opens a website which is lookalike to the Income Tax Department e-filing website,” it said.
The recipient, the advisory said, is asked to enter their bank details to complete their income tax refund application and then enter their login ID and password on the next phishing web-page. “Thereafter, the details entered by the victim SMS recipient are harvested as sensitive data by the cyber criminals running this campaign for a later use in identity-thefts or for putting up for sale on the dark web or for even altering the user’s details in the Income Tax Department’s records,” it said.
A senior tax department official told PTI that the department is aware of these malicious SMS-based and online attacks on personal taxpayers and others and they are in touch with the CERT-In authorities and have also issued public advisories in this context. The advisory has also stated some do’s and dont’s.
It says, “Do not reply to the suspicious SMS and emails and such social engineering tactics can be identified as these SMS and emails have errors grammatical or spelling errors; even if the SMS or emails came from someone you know, be wary about opening the attachment or click on links as some malicious emails may be spoofing the sender.
“Also, do not click on any links and in case if the hyperlink has been clicked then do not enter confidential information like bank account, credit card details among others; use anti-virus software and a firewall for the mobile device and for every other device used for accessing emails and keep them updated for protection against inadvertently accepting any unwanted files that gets downloaded in the SMShing, phishing links,” it said.