Refund phishing scam hits nation’s mailboxes

Published: August 16, 2019
FBR chief says agency does not send refund emails, warns citizens to be vigilant. PHOTO: REUTERS

LAHORE: Hackers and cybercriminals are tricking people into sharing sensitive bank details by sending scam tax refund emails from accounts claiming to be operated by the Federal Board of Revenue (FBR).

Sources said that the scam is being used to steal large amounts of money from the bank accounts of victims who follow the instructions in the emails sent by a gang of hackers, adding that millions of people have received such emails asking for bank and other personal details so that their refunds can be deposited by the FBR.

The scam is a classic case of phishing – a fraudulent attempt to obtain sensitive information by posing as a trustworthy entity. Attackers typically use email spoofing or instant messaging to send messages to a large number of people. They usually direct recipients to enter personal information on a fake website which matches the look and feel of the legitimate site.

The scammers hope that by casting a wide net, they can catch at least a few ‘fish’. FBR Chairman Shabbar Zaidi flatly termed the emails fake. He warned that the tax collection agency does not send emails for refunds.

Speaking to The Express Tribune, he warned people who received such emails to avoid opening them, clicking the links or sharing any sensitive information.

Meanwhile, the Federal Investigation Agency’s (FIA) cybercrime cell has taken notice of the fake emails and has begun searching for the suspects.

Emails with the sender claiming to be the FBR and ‘Tax Refund Notice 2019’ in the subject line began pouring into mailboxes across the country a few days before Eid.

The text of the body claims that the receivers will supposedly get tax refunds according to the FBR’s records and asks that the receiver click a link to claim the refund. The refund amount, however, varies from email to email.

The emails further say that the FBR is obliged to pay refunds on time, so complete and correct information should be provided without any delay. The emails often end with a ‘virus-free’ declaration. If the link is clicked, a web page bearing the logos of various banks opens up. The text and design of the page are clean enough to appear authentic, although tech-savvy users will notice that the URLs for these pages are dead giveaways that this is a scam.

Many people less familiar with the internet may not notice that the website they are on is not or some other secure Pakistani government website. After clicking the logo of any bank, a questionnaire asking for sensitive bank details appears.

Scores of such complaints have been received by the FBR and other government agencies, according to sources at the Ministry of Finance. FBR Chairman Zaidi said that the FBR has also informed the FIA in writing about the scam.

FIA Cybercrime Cell Lahore in-charge Chaudhry Sarfaraz said that action on the complaints will be taken in the coming week. “The crime falls under Section 24/20 of the Prevention of Electronic Crimes Act, 2016 and carries a three-year jail term.”

The officials reminded the public that fake emails sent by hackers and cybercriminals in the name of the FBR and other institutions can make anyone fall victim to the scam. People should not provide bank details or click the links in such cases. Instead, they should immediately report the fraudulent emails to the cybercrime cell online or by phone.

Published in The Express Tribune, August 16th, 2019.
