‘Unblockable’ HMRC scam message on iPhones sparks warning

The scam impacts Apple's iMessage service on iPhones. (Getty)

Cybercriminals have found a way to send phishing texts to iPhones that can't be blocked or easily reported.

The scam message, seen circulating on iMessage this month, claims that users are eligible for a tax refund from HMRC and directs victims to a fake website whose URL contains the letters ‘Gov’ and ‘HMRC’ to make it look official.

Appearing to come from GOVUK, the messages are sent via a business iMessage account, meaning that users cannot block the sender or forward the messages to the dedicated Ofcom-backed anti-spam reporting number 7726.

Yahoo News spoke to two cybersecurity experts about how to spot such scams - and what to do if you receive one.

It’s all too easy for criminals to make phishing messages appear to be from a business, warns Erich Kron, security awareness advocate at KnowBe4, and users should never trust a message simply because of the display name.

Kron says that scammers can simply buy 'hacked' business accounts on the ‘dark web’ marketplaces where cybercriminals trade stolen data such as credit card details, and then change the account name to appear to be someone else (in this case GOVUK).

Even if an account has the name of a trusted brand and appears to be a business, it’s still best to remain on your guard around any unusual messages, Kron says.

“Changing the display name in iMessage is a fairly easy process, so it’s very important to never use that as proof of identity," he adds.

Kron says that scammers commonly buy compromised Apple accounts or social media accounts - or steal them from legitimate businesses and then use them to stage attacks.

The scam message appears to come from a government account (Yahoo News)

"One way this may be sent from a business account is if the account has been compromised," he adds. "It is common to see access to compromised Apple accounts for sale on the dark web, and the attackers could use one of these to stage attacks (a common practice in social media as well).

“It is even possible that the account could be compromised by social engineering the password and/or multifactor authentication code from the legitimate account holder, then changing the name to GOVUK and using it to send these messages.”

Criminals commonly impersonate organisations like HMRC and it’s crucial not to place your trust in a display name, says Darren Guccione, CEO and co-founder of Keeper Security.

"Phishing attacks can be launched through virtually any communication medium ranging from email and SMS (smishing) to social media messages and phone calls (vishing)," Guccione said. "A common trick used in these scams is a tactic called 'spoofing' in which the scammer attempts to impersonate an individual, organisation or even government entity, by making slight changes in a name or email address."

The contact can't be blocked (Yahoo News)

The content of the message will usually be a giveaway, with urgency and fear tactics deployed to prompt a response - or the promise of a payday.

Users should by default be extremely cautious of any message that promises money or threatens a negative outcome if they don't react promptly.

Any unexpected text should be treated with extreme caution, especially texts that include a hyperlink - no matter who they appear to be from.

Users should first check the information (i.e. that a tax refund is due) via official channels and avoid clicking any link in the message.

This can include visiting the organisation's official website directly or contacting them through verified means, such as a known phone number or email address, says Guccione.

"In cases where forwarding the text to 7726 (SPAM) is not an option, individuals should not respond to the message, but rather, directly contact the purported sender, which in this instance is GOV.UK," says Guccione. "You can do so by visiting the official GOV.UK website and using the verified contact information available."
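The two checks the experts describe above - does the link actually point at a government domain, and does the wording lean on urgency - can be automated. The following is an added example written for this page, not code from Yahoo News, KnowBe4 or Keeper Security. It assumes that genuine GOV.UK and HMRC services live under the registrable domain gov.uk (so `hmrc.gov.uk` and `tax.service.gov.uk` are legitimate, while `hmrc-gov.uk`, `gov.uk.refund-claim.net` and `gov-uk-hmrc-refund.com` are not), and the sample messages and urgency phrases are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: real GOV.UK/HMRC services are hosted under gov.uk (no other suffix).
LEGITIMATE_SUFFIXES = ("gov.uk",)

# Brand words scammers drop into lookalike hostnames (see the article's 'Gov'/'HMRC' URL).
BRAND_WORDS = ("gov", "hmrc")

# Constructed list of pressure phrases; tune for your own environment.
URGENCY_PHRASES = (
    "within 24 hours", "immediately", "act now", "final notice",
    "claim now", "your account will be", "expires today",
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_legitimate_host(host):
    """True only if host is exactly gov.uk or a real subdomain of it.

    The check requires a dot before the suffix, so 'hmrc-gov.uk' and
    'hmrcgov.uk' are rejected even though they end in 'gov.uk'.
    """
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in LEGITIMATE_SUFFIXES)


def host_of(url):
    """Return the real hostname of a URL; userinfo tricks such as
    https://www.gov.uk@198.51.100.7/ resolve to the part after the '@'."""
    try:
        return urlparse(url).hostname or ""
    except ValueError:
        return ""


def brand_words_in_host(host):
    return [w for w in BRAND_WORDS if w in host.lower()]


def assess_message(text):
    """Return a list of human-readable findings; an empty list means no red flags."""
    findings = []
    for url in URL_RE.findall(text):
        host = host_of(url)
        if is_legitimate_host(host):
            continue
        words = brand_words_in_host(host)
        if words:
            findings.append(f"lookalike host {host!r} uses brand words {words} but is not under gov.uk")
        else:
            findings.append(f"link to non-government host {host!r}")
    lowered = text.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            findings.append(f"urgency phrase {phrase!r}")
    return findings


# Constructed sample messages (not the actual scam text).
SAMPLES = {
    "lookalike": "HMRC: You are eligible for a tax refund of £412.76. Claim now at "
                 "https://gov-uk-hmrc-refund.com/claim within 24 hours.",
    "subdomain_trick": "GOVUK: Your refund is ready, verify at https://gov.uk.refund-claim.net/hmrc immediately.",
    "hyphen_trick": "Refund pending. Visit https://hmrc-gov.uk/claim",
    "userinfo_trick": "Verify here: https://www.gov.uk@198.51.100.7/hmrc",
    "legit": "You can check your tax account at https://www.tax.service.gov.uk/personal-account",
}

if __name__ == "__main__":
    for name, message in SAMPLES.items():
        result = assess_message(message)
        print(f"{name}: {'OK' if not result else 'SUSPICIOUS'}")
        for finding in result:
            print("   -", finding)
```

The host check deliberately compares against the registrable domain rather than looking for "gov" or "hmrc" anywhere in the link; the brand-word search is only used to explain why a non-government host is suspicious. A tool like this flags candidates for a human to verify through official channels, exactly as the experts advise; it does not replace that step.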