UK Census Smishing Attack

6th April 2021 | Blog, Sticky

As many know, the United States had its decennial (every ten years) census in 2020, helping determine and record population statistics all over our country; questions around race, sex, and household size were collected amongst many other bits of demographic data. The United Kingdom (UK) similarly, does their census decennially, but theirs took place in early 2021. The main difference between the US and UK censuses is that in the US, citizens can decline to participate, while in the UK, the law requires participation. With any requirement, citizens are ripe for an attack with phishing attack threats the primary social engineering tactic used. Read on to find out what happened in the UK.

Census Penalties

In the US, we can decline to answer the decennial survey without penalty. However, in the UK, they are required to fill out and send back the document or face a £1,000 fine along with a criminal record. Luckily for UK residents, they’ve made it extremely easy, sending 16-digit codes to each residence so they can complete it online during the pandemic. Residents were required to fill out the form by March 21st, 2021, or face those penalties.

Knowing UK’s people have these penalties, especially financial penalties, hackers sought to exploit users with some extraordinary social engineering mischief. Here’s how.

Smishing Texts

If you’re amongst those who haven’t finished off their census submissions yet, make sure you don’t fall victim to fraudulent “census reminder” messages sent out by hackers. Cybercriminals are taking advantage of the fact that the census is online, trying to phish users out of data that they wouldn’t hand over otherwise.

Here’s an example of a census scam that was sent into the cybersecurity team, a fraudulent text message (SMS) ‘alert’ about finalizing your census submission:

The first tip, check the URL of all text messages before clicking. Here you will notice the URL did not end in ‘.gov.UK’, which is the expected UK government-controlled website domain. URLs that end in ‘.com’ are extremely easy to get, often going for a few dollars a month. Purchasing domains that end in ‘.Gov.UK’ are very difficult (but not impossible), as with most government domains. What’s tricky is if you aren’t paying attention to the URL you can be easily tricked, no matter how technically inclined you may be. Look below at the examples provided:

Instead of the 16-character code, the false form asks for a postal code instead. The questions that the hackers ask you if you do put in a postal code look just like real census questions, on a site that looks like the real deal. The problem is that everything you reveal about yourself and your household goes directly to the thieves, not to the Office for National Statistics.

The criminals did make some grammatical mistakes in their forms that a native speaker of English might notice, and these would be another giveaway, along with the fake domain name, but the crooks have mimicked the UK Office for National Statistics “look and feel” very believably. Unfortunately, if you answer a few questions before you realize it’s a scam, the hackers will still have all the answers you’ve entered up to that point. It’s worth taking extra time to check your online surroundings before you put in any data at all.

What Can You Do?

Phishing and Smishing attacks aren’t going away anytime soon, it’s vital to stay secure both in your business and your personal life. CyberHoot recommends to help stay secure in your day to day lives online:

Train employees on cybersecurity basics, helping them become more aware of the threats they face when interacting online. (Phishing, Smishing, Social Engineering)
Periodically Phish Test Employees (at least annually, but preferably quarterly or monthly)
Be wary of public, unsecured WiFi (use a VPN if dealing with sensitive information)
Guide employees with cybersecurity policies, following NIST Guidelines (WISP, Acceptable Use, Password Policy, etc.)
Employ a Password Manager, require it in your Password Policy, demand strong password hygiene in your employees and business
Enable Two-Factor Authentication wherever possible and especially on all Internet-facing services you use (O365, Salesforce, Finance apps. etc.)
Work with your IT staff or third-party vendors to ensure your critical data is being encrypted at rest and in transit (ensure keys are strong and passwords long)
Regularly back up critical data following the 3-2-1 methodology
Use the principle of least privilege
Patch your systems regularly and triage critical vulnerabilities using a repeatable process with established timelines based upon threat levels
Stay current with the always-changing cyber threats
Consider hiring a virtual Chief Information Security Officer (vCISO)

By implementing these measures in your business or your personal life, you’ll become more aware and more secure. You can take comfort knowing you’re prepared for these attacks.