Imagine logging into your bank’s website after responding to a text message claiming you’re due a refund, only to see a warning to watch out for bogus texts:
For those who don’t read Dutch, the warning reads:
Never respond to unusual emails or texts!
Fraudsters often send e-mails under the guise of renewing your debit card or digipas. Never go into that. They refer to websites that are not owned by Argenta. Argenta will also never ask you to provide your card number by telephone because you will allegedly receive a new debit card or digipas.
Do you still receive suspicious messages?
Have you already passed on codes over the phone? Or has money already been withdrawn from your account? Please contact us immediately on (available 24/7 for victims of phishing).
The warning above is genuine, on a real bank’s website. But the warning, in this case, comes too late because this is the last and only legitimate stop in a victim’s passage through a phishing scam.
The bogus SMS trail begins
Here’s one of the suspect SMS messages, as tweeted by Twitter user @ypselon:
it has been decided that you will receive a refund. to receive this amount you can visit our website [url removed]
The text claims to be from “FOD”, the Federale Overheidsdienst Financien in Belgium. The suspect URL uses a domain registered just this month (a very recent registration is often a red flag) and registered in India rather than Belgium.
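The red flags in this message (a refund lure, a link that does not belong to the organisation it claims to be from, a domain registered days ago in an unexpected country) are the kind of checks a mail or SMS filter can apply mechanically. The following is an added triage example, not code from Malwarebytes or from the post; the SMS text, the placeholder URL, the WHOIS-style record and the allowlist of official domains are all constructed for illustration (the real FOD domains and the real scam domain are not reproduced here).

```python
import re
from datetime import date
from urllib.parse import urlparse

# Constructed sample SMS, modelled on the message quoted in the post.
# The URL is a placeholder under the reserved ".invalid" TLD, not the real scam link.
SAMPLE_SMS = ("it has been decided that you will receive a refund. "
              "to receive this amount you can visit our website "
              "https://refund-example.invalid/start")

# Constructed WHOIS-style data. In a real pipeline this would come from an
# RDAP/WHOIS lookup; here the record is embedded so the example runs offline.
SAMPLE_WHOIS = {
    "refund-example.invalid": {"created": date(2024, 5, 2), "country": "IN"},
    "official-tax-site.example": {"created": date(2010, 1, 15), "country": "BE"},
}

# Placeholder allowlist of domains the impersonated organisation really uses.
# This is an assumption for the example, not the actual FOD domain list.
KNOWN_SENDER_DOMAINS = {"fod": {"official-tax-site.example"}}

# Lure vocabulary seen in tax-refund smishing (English and Dutch).
LURE_WORDS = ("refund", "terugbetaling", "verify", "verifieer")

URL_RE = re.compile(r"https?://[^\s]+", re.IGNORECASE)


def extract_domains(text):
    """Return the lowercased hostnames of every http(s) URL in the message."""
    domains = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            domains.append(host.lower())
    return domains


def domain_age_days(domain, whois, today):
    """Days since registration, or None when there is no record for the domain."""
    rec = whois.get(domain)
    if rec is None:
        return None
    return (today - rec["created"]).days


def triage_sms(text, claimed_sender, whois, today,
               max_age_days=30, expected_country="BE"):
    """Return a list of human-readable findings; an empty list means no red flags."""
    findings = []
    lowered = text.lower()

    lure = [w for w in LURE_WORDS if w in lowered]
    if lure:
        findings.append("lure words: " + ", ".join(lure))

    allowed = KNOWN_SENDER_DOMAINS.get(claimed_sender.lower(), set())
    for domain in extract_domains(text):
        # Brand mismatch: the link does not go to a domain the sender actually owns.
        if domain not in allowed:
            findings.append(f"{domain}: not a known {claimed_sender} domain")

        # Freshly registered domains are a classic phishing indicator.
        age = domain_age_days(domain, whois, today)
        if age is None:
            findings.append(f"{domain}: no registration record")
        elif age < max_age_days:
            findings.append(f"{domain}: registered {age} days ago")

        # Registration country that does not match the impersonated organisation.
        rec = whois.get(domain)
        if rec and rec["country"] != expected_country:
            findings.append(f"{domain}: registered in {rec['country']}, "
                            f"expected {expected_country}")
    return findings


if __name__ == "__main__":
    for finding in triage_sms(SAMPLE_SMS, "FOD", SAMPLE_WHOIS, date(2024, 5, 20)):
        print("FLAG:", finding)
```

Run against the constructed sample the function reports four findings (the refund lure, the unknown domain, an 18-day-old registration and the India registration); a message linking only to an allowlisted, long-registered Belgian domain with no lure words produces none. Each rule alone is weak, so in practice the findings would feed a score rather than a hard block.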
Visiting the site presents you with a message that says:
In order to receive a refund of your personal income tax, you must verify your account so that we can transfer the full amount of €278.35 to the correct account.
It is important to carry out a one-time verification as a check. Afterwards you will receive the amount on your account within a few working days.
For “one-time verification” read “send us money”.
We all love a tax refund so it’s an effective hook to lure in potential victims. Continuing reveals a large assortment of banks commonly used in Belgium.
A slippery phish
The scam site includes customised pages for each popular bank. Some ask for card details, others for account numbers. All are fake, all are trying to hoover up information that can be used to steal your money.
No matter which route you go down, entering your details will neither verify your identity nor secure you a tax refund. But all will leave you poorer and eventually redirect you to your bank’s real website (where you might encounter a warning about falling for scams like the one you’ve just fallen for).
At this point, your only option is to contact the bank for real, and tell them what’s happened. If you’re lucky, you may be able to have them shut things down. If not, days or weeks of hassle might lie in wait.
Faking it to make it
Fake tax refunds are hugely popular with scammers, and especially rampant during (or immediately following) any tax season. The Federale Overheidsdienst Financien offers the following advice for avoiding scams like this.
- If the FOD helped you with a tax return the previous year, it may contact you by phone. The organisation warns that if the caller doesn’t know your name; asks for payment for assistance; asks to come to your home; or requests passwords, PINs, email, or address, then you should hang up.
- Report any request to provide confidential data related to banking you receive by email, text, or WhatsApp.
- If you’re asked to make a payment to the FOD directly, check their site because there’s only a limited number of ways to make a payment to an official account.
The post Watch out for this SMS phish promising a tax refund appeared first on Malwarebytes Labs.