Connect with us

Hi, what are you looking for?


Email Security

Tax Phishing Campaign Reminds of DMARC Limitations

April is a time for tax-related phishing scams, and we haven’t been let down this year despite the dominance of COVID-19-themed phishing campaigns. DMARC should stop phishing, right? Not unless the targeted domain itself is spoofed.

April is a time for tax-related phishing scams, and we haven’t been let down this year despite the dominance of COVID-19-themed phishing campaigns. DMARC should stop phishing, right? Not unless the targeted domain itself is spoofed.

Security firm Abnormal Security discovered a phishing email giving a single day for the recipient to respond and claim an outstanding tax rebate from HMRC (the UK tax authority) for ‘550.11 GBP’. The email contains an obfuscated link to a webpage masquerading as a page. That landing page requests full card and bank details in order to progress the refund.

The text of the email is not bad as phishing scams go — with just a few grammatical errors and inconsistencies. These could easily be missed by anyone excited by the chance of gaining more than £500 (approximately $625) and activated by the short lead time. Greed and urgency are two of the classic spurs used by scammers.

The landing page is even more convincing than the email; clear, well laid out and exactly what the victim might expect from a government department. If fooled, the victim will not receive a £550 refund, but would likely lose even more.

What is particularly interesting about this phishing attempt, however, is that HMRC is fully DMARC protected — that is, DMARC is implemented at the strongest enforcement level. The purpose of DMARC is to stop phishing — which it clearly has not done in this example. The reason is that DMARC blocks only phishing emails that pretend to come from the genuine domain. This comprises approximately two-thirds of all phishing attempts; leaving one-third unblocked by DMARC.

After implementing DMARC, HMRC Digital blogged in November 2016, “We have already managed to reduce phishing emails by 300 million this year through spearheading the use of DMARC. It allows us and email service providers to identify fraudulent emails purporting to be from genuine HMRC domains and prevent their delivery to customers.” DMARC works where it is designed to work.

The hidden danger, however, is that the phishers will simply put more social engineering effort into masquerading as an associated domain that could be accepted as genuine. In this instance, the email claims to come from ‘Service-Center-Online-Office-Ref-No [email protected]’. The dot-be suffix is a give-away, since the victim should hardly expect a Belgian domain to be involved with UK tax refunds.

Advertisement. Scroll to continue reading.

Nevertheless, the principle is clear– phishers do not need to spoof the exact domain name if they can use a different domain that might be accepted as reasonable. This may become an unavoidable effect of the increasing use of DMARC to block exact domain name spoofing: criminals will migrate to alternative (but acceptable) domain names that are untouched by DMARC controls.

Related: Threat From Spoofed Emails Grows, While DMARC Implementation Lags 

Related: Nearly 1 Million Domains Use DMARC, but Only 13% Prevent Email Spoofing 

Related: DMARC Use is Growing, But Difficult to Configure Correctly and Completely 

Related: Presidential Candidates’ Use of DMARC Improves, but Short of Optimum

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even...

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...