Screenshot from CERT-In's Advisory dated August 7, 2018
With the new deadline of August 31 for filing income tax returns approaching, people are receiving fake text messages in the name of the Income Tax Department, asking them to fill in details to claim a refund supposedly due to them.
BOOM also received multiple queries regarding these SMSes from readers on its helpline (7700906111). People have also pointed this out on social media in the past.
Today got SMS from BZ-ITREFL saying that I got refund from income tax department and I need to verify account no, it's fake, please look into it, other people should fall in this trap pic.twitter.com/ncs7Dwvj1n
— Satish P (@mpsatish) July 11, 2018
But the country's top cyber security agency, the Indian Computer Emergency Response Team (CERT-In) under the Ministry of Electronics and Information Technology, has already issued a warning advising taxpayers to exercise caution.
On August 7, CERT-In in its release, "Safeguarding from SMShing income tax refund attacks", gave a detailed description of how the message tricks people into clicking the link and extracts sensitive data such as bank account details from them.
'This SMShing campaign uses popular URL (Universal Resource Locator) shortening service such as bit.ly, goo.gl, ow.ly and t.co among others,' said the agency. Because a shortened link hides the real destination, the message looks genuine.
The messages include a bank account number, 5XXXXX6755, and attempt to lure people with a refund amount. They ask people to verify the account number and to update the bank records if the number is wrong.
CERT-In pointed out that people go ahead and click the link because the account number is wrong. The link directs you to a phishing web page which looks like the Income Tax e-filing website. The agency warned people against filling in the details (bank account number, login ID and password), as these can be used for "identity thefts, for sale and to alter user details in income tax records." Below is a screenshot of the fake site as produced by CERT-In. The advisory also lists phishing servers and domains that people should keep away from.
Screenshot from CERT-In's Advisory dated August 7
The agency also listed best security practices that people can adopt, such as not responding to suspicious SMSes or emails and not clicking on suspicious links, as these may direct you to a phishing website and lead you to give away confidential information. It also asked people to report such cases.
The Income Tax Department is also aware of these fraudulent SMSes and is in touch with CERT-In, reported the Times of India.