As many know, the United States held its decennial (every ten years) census in 2020, helping determine and record population statistics across the country; questions about race, sex, and household size were collected along with many other bits of demographic data. The United Kingdom (UK) similarly conducts its census decennially, but its most recent one took place in early 2021. The main difference between the US and UK censuses is that in the US, citizens can decline to participate, while in the UK, the law requires participation. Any such requirement makes residents ripe for attack, with phishing the primary social engineering tactic used. Read on to find out what happened in the UK.
In the US, we can decline to answer the decennial survey without penalty. In the UK, however, residents are required to fill out and return the document or face a £1,000 fine along with a criminal record. Luckily for UK residents, the government made it extremely easy, sending a 16-digit code to each residence so the census could be completed online during the pandemic. Residents were required to fill out the form by March 21st, 2021, or face those penalties.
Knowing that UK residents face these penalties, especially the financial ones, hackers sought to exploit them with some extraordinary social engineering mischief. Here’s how.
If you’re amongst those who haven’t finished off their census submissions yet, make sure you don’t fall victim to fraudulent “census reminder” messages sent out by hackers. Cybercriminals are taking advantage of the fact that the census is online, trying to phish users out of data that they wouldn’t hand over otherwise.
Here’s an example of a census scam that was sent in to the cybersecurity team: a fraudulent text message (SMS) ‘alert’ about finalizing your census submission:
The first tip: check the URL of every text message before clicking. Here you will notice the URL did not end in ‘.gov.uk’, which is the expected domain for UK government-controlled websites. Domains that end in ‘.com’ are extremely easy to get, often going for a few dollars a month. Obtaining a domain that ends in ‘.gov.uk’ is very difficult (but not impossible), as with most government domains. What’s tricky is that if you aren’t paying attention to the URL you can be easily fooled, no matter how technically inclined you may be. Look below at the examples provided:
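An added example, not from the original article: a small Python checker that applies the article’s rule (a genuine link ends in ‘.gov.uk’) to the links in a text message, and also flags the lookalikes the rule alone would not catch (hosts that merely contain ‘gov.uk’, decoys placed before an ‘@’, and internationalised hostnames). The sample SMS text and domain names are constructed, not the ones shown to the CyberHoot team.

```python
import re
from urllib.parse import urlparse

# Genuine UK government sites sit under this suffix (the article's rule);
# any other link in a "census reminder" SMS deserves suspicion.
GOV_UK_SUFFIX = "gov.uk"
URL_PATTERN = re.compile(r"https?://\S+|www\.\S+", re.IGNORECASE)

def extract_host(url: str) -> str:
    """Lower-cased hostname of a URL, or "" if it cannot be parsed.
    urlparse().hostname discards userinfo, so the decoy in
    'https://www.gov.uk@evil.example/' yields 'evil.example'."""
    if "://" not in url:          # bare 'www.' links need a scheme to parse
        url = "http://" + url
    try:
        host = urlparse(url).hostname or ""
    except ValueError:            # e.g. malformed IPv6 brackets
        host = ""
    return host.rstrip(".").lower()

def is_gov_uk_host(host: str) -> bool:
    """True only for gov.uk itself or a subdomain of it: the leading dot
    rejects 'census-gov.uk', anchoring at the end rejects 'www.gov.uk.example.com'."""
    return host == GOV_UK_SUFFIX or host.endswith("." + GOV_UK_SUFFIX)

def classify_link(url: str) -> str:
    """Return 'gov.uk', 'not gov.uk', 'unparseable' or a 'suspicious: ...' verdict."""
    host = extract_host(url)
    if not host:
        return "unparseable"
    # Punycode or raw non-ASCII labels can hide homoglyphs of 'gov.uk'.
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        return "suspicious: internationalised hostname"
    if is_gov_uk_host(host):
        return "gov.uk"
    # 'gov.uk' buried in the name with dots or hyphens rearranged is a lookalike.
    if "govuk" in host.replace(".", "").replace("-", ""):
        return "suspicious: gov.uk lookalike"
    return "not gov.uk"

def check_sms(text: str) -> dict:
    """Map every link found in an SMS body to its verdict."""
    links = (m.group(0).rstrip(".,;)") for m in URL_PATTERN.finditer(text))
    return {link: classify_link(link) for link in links}

# Constructed sample message (not the one sent to the CyberHoot team).
SAMPLE_SMS = ("Census 2021: your submission is incomplete. Complete it today at "
              "https://www.gov.uk.census-finalise.com/form to avoid a fine.")
print(check_sms(SAMPLE_SMS))
```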
Instead of the 16-character code, the false form asks for a postal code. The questions the hackers ask once you enter a postal code look just like real census questions, on a site that looks like the real deal. The problem is that everything you reveal about yourself and your household goes directly to the thieves, not to the Office for National Statistics.
The criminals did make some grammatical mistakes in their forms that a native speaker of English might notice, and these would be another giveaway, along with the fake domain name, but the crooks have mimicked the UK Office for National Statistics “look and feel” very believably. Unfortunately, if you answer a few questions before you realize it’s a scam, the hackers will still have all the answers you’ve entered up to that point. It’s worth taking extra time to check your online surroundings before you put in any data at all.
Phishing and smishing attacks aren’t going away anytime soon, so it’s vital to stay secure in both your business and your personal life. To help you stay secure in your day-to-day life online, CyberHoot recommends: