UK Census Smishing Attack

6th April 2021 | Blog


As many know, the United States held its decennial (every ten years) census in 2020, helping determine and record population statistics across the country; questions about race, sex, and household size were collected among many other bits of demographic data. The United Kingdom (UK) similarly holds its census decennially, but theirs took place in early 2021. The main difference between the US and UK censuses is that in the US, citizens can decline to participate, while in the UK, the law requires participation. Any such requirement makes citizens ripe targets, and phishing is the primary social engineering tactic used against them. Read on to find out what happened in the UK.

Census Penalties

In the US, we can decline to answer the decennial survey without penalty. In the UK, however, residents are required to fill out and return the form or face a £1,000 fine along with a criminal record. Luckily for UK residents, the process was made extremely easy: a 16-digit code was sent to each residence so the census could be completed online during the pandemic. Residents were required to fill out the form by March 21st, 2021, or face those penalties.

Knowing that the UK’s people face these penalties, especially the financial ones, hackers sought to exploit users with some extraordinary social engineering mischief. Here’s how.

Smishing Texts

If you’re amongst those who haven’t finished off their census submissions yet, make sure you don’t fall victim to fraudulent “census reminder” messages sent out by hackers. Cybercriminals are taking advantage of the fact that the census is online, trying to phish users out of data that they wouldn’t hand over otherwise.

Here’s an example of a census scam that was sent in to the cybersecurity team: a fraudulent text message (SMS) ‘alert’ about finalizing your census submission:


[Image: UK census smishing text message]

The first tip: check the URL in any text message before clicking. Here you will notice the URL did not end in ‘.gov.uk’, the domain used by UK government-controlled websites. URLs that end in ‘.com’ are extremely easy to get, often going for a few dollars a month. Purchasing a domain that ends in ‘.gov.uk’ is very difficult (but not impossible), as with most government domains. What’s tricky is that if you aren’t paying attention to the URL, you can be easily fooled, no matter how technically inclined you may be. Look below at the examples provided:


Instead of the 16-character code, the fake form asks for a postal code. If you do enter a postal code, the questions the hackers then ask look just like real census questions, on a site that looks like the real deal. The problem is that everything you reveal about yourself and your household goes directly to the thieves, not to the Office for National Statistics.

The criminals did make some grammatical mistakes in their forms that a native speaker of English might notice, and these would be another giveaway, along with the fake domain name, but the crooks have mimicked the UK Office for National Statistics “look and feel” very believably. Unfortunately, if you answer a few questions before you realize it’s a scam, the hackers will still have all the answers you’ve entered up to that point. It’s worth taking extra time to check your online surroundings before you put in any data at all.
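As an added illustration of the “check the URL” tip above (example code written for this page, not code from CyberHoot or the ONS), the snippet below pulls URLs out of an SMS and tests whether each host genuinely sits under gov.uk, catching the common look-alike tricks: a ‘.com’ domain with “census” in it, gov.uk used as a subdomain of another domain, and gov.uk placed in the user-info part of the URL. The sample message is constructed for the example.

```python
"""Classify URLs in an SMS as official (under gov.uk) or suspicious.
Added example for this page; the sample SMS below is constructed."""
import re
from urllib.parse import urlsplit

OFFICIAL_SUFFIX = "gov.uk"

# Rough URL finder for SMS text: optional scheme, dotted host, optional path.
URL_RE = re.compile(r"\b(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?",
                    re.IGNORECASE)

# Constructed example of a fraudulent "census reminder" text.
SAMPLE_SMS = ("Census reminder: you have not completed your census. "
              "Complete now at https://census-reminder.com/finish or face a fine.")


def urls_in_sms(text: str) -> list:
    """Return every URL-looking token found in the message body."""
    return URL_RE.findall(text)


def extract_host(url: str) -> str:
    """Lowercase hostname of a URL. Adds a scheme if missing so urlsplit parses
    the host, ignores user-info and port, and strips a trailing dot."""
    if "://" not in url:
        url = "http://" + url
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:          # malformed authority, e.g. bad IPv6 literal
        return ""
    return host.rstrip(".").lower()


def is_official_uk_gov_host(host: str) -> bool:
    """True only for gov.uk itself or a subdomain on a label boundary, so
    'census.gov.uk.example.com' and 'gov-uk.com' are rejected."""
    return host == OFFICIAL_SUFFIX or host.endswith("." + OFFICIAL_SUFFIX)


def classify(url: str) -> str:
    """'official', 'suspicious' or 'unparseable' for one URL."""
    host = extract_host(url)
    if not host:
        return "unparseable"
    return "official" if is_official_uk_gov_host(host) else "suspicious"


if __name__ == "__main__":
    for found in urls_in_sms(SAMPLE_SMS):
        print(found, "->", classify(found))
```

Running the block prints the constructed reminder’s link as suspicious; the same check flags the gov.uk-in-user-info trick (`http://census.gov.uk@evil.com/finish`) because the real host there is `evil.com`.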

What Can You Do?

Phishing and smishing attacks aren’t going away anytime soon, so it’s vital to stay secure in both your business and your personal life. CyberHoot recommends the following to help you stay secure in your day-to-day life online:

  • Train employees on cybersecurity basics, helping them become more aware of the threats they face when interacting online (Phishing, Smishing, Social Engineering)
  • Periodically phish test employees (at least annually, but preferably quarterly or monthly)
  • Be wary of public, unsecured WiFi (use a VPN if dealing with sensitive information)
  • Guide employees with cybersecurity policies, following NIST Guidelines (WISP, Acceptable Use, Password Policy, etc.)
  • Employ a Password Manager, require it in your Password Policy, and demand strong password hygiene from your employees and business
  • Enable Two-Factor Authentication wherever possible and especially on all Internet-facing services you use (O365, Salesforce, Finance apps, etc.)
  • Work with your IT staff or third-party vendors to ensure your critical data is being encrypted at rest and in transit (ensure keys are strong and passwords long)
  • Regularly back up critical data following the 3-2-1 methodology
  • Use the principle of least privilege
  • Patch your systems regularly and triage critical vulnerabilities using a repeatable process with established timelines based upon threat levels
  • Stay current with the always-changing cyber threats
  • Consider hiring a virtual Chief Information Security Officer (vCISO)

By implementing these measures in your business or your personal life, you’ll become more aware and more secure. You can take comfort knowing you’re prepared for these attacks.

To learn more about Smishing, watch this short video:

Sources:

NakedSecurity – Sophos

Smishing – Cybrary

Additional Readings: 

PayPal Smishing Attack

Smishing, The New Phishing
