Every year, taxpayers in India are busy collating all information that is required to file their income-tax returns (ITRs) before 31st July. Radhika (name changed) also filed her ITR before the due date. However, she was shocked to receive an email informing her that her tax payment had been frozen and refunded to her bank account and that she should open the link (in the email) for the payment challan. After checking the sender's name and email ID, Radhika realised this was nothing but a phishing mail. She blocked the sender and permanently deleted the mail.
In another case, Swathi, a student, received a mail from 'Office Of The Commissioner Of Police' about a criminal action against her for turning her 'official or private internet to a juvenile pornographic movie cyber'. When she shared the communication with me, I found that it was the same fake and bogus phishing email that has been doing the rounds for the past few years. She was relieved to hear from me that she had nothing to worry about from the police for any non-existent 'crime'.
These are just two examples of the renewed spate of fake and bogus phishing emails that regularly hit our phones and inboxes. The maximum number of phishing emails emanate in the name of the 'tax department', including income-tax (I-T), goods and services tax (GST), or even the customs department. It happens a lot more around tax filing deadlines or when tax refunds are expected. Another set of fraud emails pretends to be from government departments, especially the police or well-known companies.
Phishing attacks have emerged as a good tool to deceive individuals into divulging sensitive information such as login credentials, bank details, credit card and other sensitive data. In turn, they can lead to financial loss, identity theft, and even legal consequences for the victims.
The emails are signed in the names of incumbent or immediate heads of government departments to enhance their apparent authenticity. The reason is simple—phishing emails related to tax or criminal cases are especially insidious because they prey on the natural anxiety people feel about legal or financial trouble.
That is the first alarm bell for the recipient since none of the chiefs of the tax department send emails to end users. These tasks are handled by the officer concerned with the recipient's jurisdiction. For example, a taxpayer residing in Thane will receive official communication from the office of the I-T commissioner, Thane or the income-tax officer (ITO) for the concerned I-T ward from Thane. The same applies to official communication from GST or customs departments.
The tax-related email might claim that the recipient owes taxes and must pay immediately to avoid penalties or legal action. Alternatively, it might promise a tax refund and ask for bank account details to process the payment by clicking the link in the email. However, such links lead to fake 'designed' websites that look like official government sites, where victims are prompted to enter personal and financial information.
Some of these phishing scams are downright sloppy. They are careless enough to use the names of multiple government departments in a single email. For example, the email received by Radhika was ostensibly sent from the GST department but was about income-tax. The fraudulent email ID was nowhere related to the GST department or any government department in India. Check the image below.
Some crime-related phishing scams state that the recipient is under investigation for a crime or has a pending legal case. The email may threaten arrest, prosecution, or severe legal consequences unless the recipient acts quickly, often by clicking a link or downloading an attachment to view the supposed 'case details'.
Once the link is clicked or the attachment is opened, malware may be installed on the victim's device, or the victim may be asked to provide sensitive information which is then stolen.
For example, the email received by Swathi has a PDF attachment. However, on looking at the file, I found that the creator had incorporated a jumble of names and logos of Indian law enforcement agencies such as—'bureau of police research & development', intelligence bureau (IB), CBI, Indian cybercrime unit and state cyber cell of the Madhya Pradesh (MP) police. It also has a notary stamp (photo), and readymade stamps like 'certified', 'certified copy' and 'top secret'!
And yet, all that the sender asks is a reply to the 'official court order warning'! Did I tell you that the subject line contains two emojis of the justice balance scale, too? This is another 'red flag' that can help identify phishing emails.
Last month, the I-T department posted a message on X warning taxpayers regarding fake tax refund messages.
This brings us to the most crucial question on identifying and safeguarding from phishing emails.
Here are a few suggestions...
1. Verify the source: Be sceptical of unexpected emails, especially those related to taxes or legal matters. If you receive such an email, do not click on any links or download attachments. Instead, directly contact the organisation mentioned using official contact details found on their website.
Tax authorities and LEAs (law enforcement agencies), including CBI and police, typically communicate through official channels and will rarely, if ever, demand immediate action by clicking a link or email reply.
2. Look for red flags: Phishing emails often contain subtle clues that they are fraudulent. These can include poor grammar, generic greetings (like 'Dear Customer'), or email addresses that do not match the official domain of the supposed sender. For example, the email received by Radhika was sent in the name of GST with an email address of '
[email protected]'. Similarly, the mail received by Swathi mentioned the sender's name as 'Office Of The Commissioner Of Police', and the email ID was '
[email protected]'.
Be cautious with any email that creates a sense of urgency or fear, as scammers commonly use this tactic to pressure victims into acting without thinking.
3. Use technology wisely: Employ spam filters and anti-phishing tools that can detect and block many phishing attempts before they reach your inbox.
Keep your computer and security software up-to-date to protect against malware and other threats.
Enable multi-factor authentication (MFA) on your accounts where possible. MFA adds an extra layer of security.
4. Educate yourself and others: Stay informed about the latest phishing tactics and scams. Cybercriminals continually evolve their methods, so keeping up to date with trends can help you recognise new threats.
Share this knowledge with friends, family, and colleagues to help protect them as well. Many phishing scams rely on exploiting a lack of awareness, so education is key.
5. Report suspicious emails: If you receive a phishing email, report it to the organisation it claims to represent and to the relevant authorities in your country. It can help prevent others from falling victim to the same scam.
Email phishing attacks, particularly those exploiting fears of tax problems or criminal charges, are a growing threat in today's digital landscape. Understanding how these scams work and adopting proactive measures to protect yourself can significantly reduce the risk of becoming a victim.
Remember, the best defence against phishing is a combination of scepticism, education and modern security tools.
Stay alert, and don't let cybercriminals catch you off guard!