As far as the crooks are concerned, yesterday’s “scam that knows where you live” attack was just not enough for people in the UK.
Today, they’re taking the name of the UK’s Motor Registry in vain.
Known colloquially as the DVLA (pronounced deevee-ellay), short for Driver and Vehicle Licensing Agency, it’s based in Swansea in Wales.
The city of Swansea, in turn, is metaphorically associated with things like speeding fines, penalty points, licence renewals… and, from time to time, refunds for overpaid vehicle tax.
Interestingly, the UK no longer issues tax discs to display on a car’s windscreen – there’s so much automated surveillance these days using Automatic Number Plate Recognition (ANPR) cameras that there’s little purpose in having a window sticker to “prove” you’ve paid.
Anyway, if you sell or scrap a car, any tax you paid in advance for the current year will be refunded automatically, so many people will be familiar with getting money back from Swansea.
Some people may very well have had trouble getting their refund, for example if there was a problem with the bank account from which they originally paid in the money, or if they aren’t at the address on record at the DVLA, causing the refund cheque to be returned undelivered.
So an SMS looking like this could easily pass muster:
But look carefully, and you’ll realise that even though the URL contains the sort of components you’d expect in the real thing, notably gov DOT uk, the end of the server name is actually a domain based in Palau (.PW).
Palau is a tiny Pacific island country of just 20,000 people that uses its short-and-sweet domain names as a source of global revenue. (PW is branded as standing for “Professional Web”, although this particular domain name is anything but.)
If you click through, you’ll see a web page that seems realistic enough at first sight, although the “facts” are bogus (you don’t get offered a refund and then claim it), and both the grammar and style are sub-standard for Her Majesty’s Government:
If you click [Get Started->], you’re straight into a phishing page that believably asks for sufficiently many personal details that the crooks could fleece you right away if you were to fill them in:
What to do?
- Don’t rely on links to websites sent in emails, SMSs or other forms of electronic message.
Find the official website yourself – for the DVLA, for instance, look it up on an official document you’ve received in the past – and go there of your own accord. (Here’s a free hint for the DVLA: it wouldn’t do any harm to print the DVLA’s official URL somewhere on every UK driving licence, making an excellent and official way to find it.)
- If you’re offered a financial refund, check the official website to find out how refunds really work.
For example, the DVLA issues refunds automatically in one of just two ways: by reversing a Direct Debit, if you have one set up; or by mailing a cheque to the address you have on record.
- Don’t be misled by a domain name just because it starts with the text you expect – it’s the right-hand end that counts.
For example, Sophos owns sophos.com, which means we can use any and all subdomain names that end with that text string, such as partners.sophos.com, nakedsecurity.sophos.com, and so on. Many browsers deliberately highlight the text at the right-hand end, to remind you to look there first.
- If you’re asked for personal data like your address and credit card number on an unencrypted web page, don’t enter it.
Crooks can easily get certificates for HTTPS these days, so just the presence of a padlock in the address bar doesn’t confirm you are at the right site. But the absence of a padlock on a page that wants a credit card is always wrong, even if it’s the right site. (Why trust a company that clearly doesn’t take even the most basic precautions with your personal data?)
- Report scams and dodgy SMSs like this to your mobile operator.
Having real reports and genuine complaints “from the wild” makes it possible for the regulator to take action against scammers who might otherwise get away with it. Some scams are on the grey edge of legality, and it’s community consensus that helps the regulators redefine the boundaries of acceptable text messaging behaviour.
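As an added illustration of the “right-hand end counts” rule above (this is not code from the original post), here is a small Python check that extracts the registrable domain from a link and flags names where a trusted domain such as gov.uk appears to the left of it; the suffix list, the trusted-domain set and the sample links are all constructed for the demo.

```python
from urllib.parse import urlsplit

# Constructed, minimal stand-in for the Public Suffix List (publicsuffix.org);
# a real deployment would load the full list rather than this hand-picked set.
PUBLIC_SUFFIXES = {"uk", "co.uk", "pw", "com"}
# Organisations the reader expects to see at the right-hand end of the name.
TRUSTED_DOMAINS = {"gov.uk", "sophos.com"}

def hostname(url):
    """Pull the host out of a link, tolerating SMS links sent without a scheme."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").rstrip(".")

def registrable_domain(host):
    """The right-hand end that counts: the public suffix plus one more label."""
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None

def classify(url):
    """trusted / lookalike / unknown, judged only by the registrable domain."""
    host = hostname(url)
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    # A trusted name sitting to the LEFT of the real registrable domain
    # (dvla.gov.uk.<anything>.pw) is the trick described above; fold hyphens
    # into dots so that gov-uk-refund.pw is caught as well.
    folded = host.replace("-", ".")
    if any(trusted in folded for trusted in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"

# Constructed sample links; none are real scam URLs from the article.
SAMPLE_LINKS = [
    "https://www.gov.uk/vehicle-tax-refund",
    "https://nakedsecurity.sophos.com/",
    "http://dvla.gov.uk.refund-portal.pw/claim",
    "http://gov-uk-refund.pw/start",
    "https://example.com/",
]

def triage(links):
    return {link: classify(link) for link in links}

if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:9s} {link}")
```

With the full Public Suffix List loaded in place of the constructed set, the same logic applies to any link pasted out of an SMS or email.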
Our parting shots
- When faced with a web link: think before you click.
- When faced with a web form: if in doubt, don’t give it out.