New Delhi: The country’s premier cyber security agency, CERT-In, on Wednesday cautioned against a fraud where fake messages were being sent to people in the name of the Income-Tax Department, which said their refunds were approved. The aim was to steal the recipient’s vital personal details and put them on the dark net “for sale", the agency said.

The warning, which also acts as an advisory, comes at a time when the income-tax returns filing season is on. The Central Board of Direct Taxes (CBDT) has extended the deadline for filing returns to August 31.

Recently, some people wrote on social media platforms that they had received such messages. The Indian Computer Emergency Response Team (CERT-In), the national nodal agency for responding to computer security incidents, said once a person clicked on the SMShing (made of SMS and phishing) link, he/she ran the risk of either his/her personal details being “put up for sale on the dark web" (clandestine web), or their I-T department records being “altered" by misusing their e-filing credentials. The advisory describes ways to identify such messages.

“There have been increased reports of incidents related to fake SMS purportedly from the Income-Tax Department as the filing of tax returns nears. This SMShing campaign uses popular URL (universal resource locator) shortening services such as bit.ly, goo.gl, ow.ly and t.co among others," the agency said. It then goes on to describe the modus operandi of such attacks. “The message in the SMS tells the recipient that their income-tax refund for a certain amount has been approved and will be credited shortly in his/her bank account. This is followed by an incorrect bank account number. The message asks the recipient to verify the given bank account number and if found wrong, visit the shortened bit.ly link given in the message to update his/her bank details. The bit.ly link is leading to phishing web pages. Since the bank account number in the SMS is wrong, a number of recipients are likely to click on the website link. Clicking on the link in the SMS opens a website, which is a lookalike to I-T department’s e-filing website." The recipient is then asked to enter his/her bank details to complete the refund application and enter the login ID and password on the next phishing web page. “The details entered are then harvested as sensitive data by cyber criminals running this campaign for a later use in identity thefts or for putting up for sale on the dark web or for even altering the user’s details in the tax department’s records," it said.

A senior tax official said the department was in touch with CERT-In authorities.

The advisory also gives a list of do’s and dont’s.

Close