The top 4 official authority impersonation phishing attacks of 2021 range from tax and traffic fine frauds to, as you'll see with number four, some deeply unsettling subject matter. Authority impersonation phishing attacks are nothing new. The topic never gets old and the technique clearly works. These current phishing campaigns are being carried out in numerous languages exploiting numerous official services around the world, from North Carolina to Belgium. The idea is to mimic a governmental authority or something similar in order to set the phishing hook.
Because authority impersonation attacks are dangerous and have spread widely around the world, we decided to compile the top 4 official authority impersonation attacks we have seen through 2021 so far.
The template used in this email is very simple and there's nothing too complex going on: just the Tax Administration logo, a short text, and a link. Thing is, emails from legal authorities are usually quite simple and thus easily imitated. The message states that the user receiving this email has one new important message in the Tax Administration website, and to read the message the user must click on the link below.
Clicking the link sends everything downhill. It redirects the user to a fake skat.dk website that actually looks pretty authentic:
On the website you can see a message saying:
We have corrected your annual statement for DKK 2,602.51 because we have received new information. The change may mean that you have to pay more in tax (residual tax) or have money back.You must therefore check whether the information is correctPress Start to have money back.
Basically you are either required to pay more tax or you'll be getting money back - both options would probably get someone's gears going. The attacker's idea, after all, is to heighten user emotions and make them act on impulse.
Moving forward, the website presents a typical credential harvesting technique where the user is asked to fill in their personal information like social security number, credit card details, user ID and password.
Once those details are submitted, the website pretends to connect to the user’s mobile phone for verification, when in fact those credentials have already been harvested.
This phishing email mimics an official Belgian online service called My eBox used for government document sharing. The idea is the same as in the previous Danish tax phish. You have supposedly received a new message from the Federal Department of Justice, and you need to click this link to see the message.
What adds a little spice to this email is its reference to a “criminal fine” message, and the title also mentions traffic fines. Mysterious fines might get your heart racing, which is exactly what the attacker wants. There is also a sense of urgency in the message as it says you have until 31/08/2021 to read the message, which is the same day that the email was received. This is done to influence the user’s critical thinking, and to make them start acting fast without actually thinking at all.
Behind the link is a credential harvesting site where, if you make a mistake and enter your private information, it collects them and sends them to the attacker.
North Carolina-based SECU, aka State Employees' Credit Union, is the second largest credit union in the United States. This phishing email impersonates SECU and approaches the target in a banking related matter.
The message states that the user’s account has been restricted due to multiple log in attempts. To fix this the user must log in to their account by clicking the link provided in the email. Otherwise the error might lead to permanent restriction of the account. The sense of urgency is created with the statement that the link will expire in 24 hours.
Now, can you already guess where the link will take you? Yes, that’s right; to a credential harvesting website. That is one thing that all of these authority impersonation attacks have in common.
Last but definitely not least, we want to share the most shocking authority impersonation phish that we have seen this fall:
We have seen numerous different variations of this phishing campaign this fall, and it’s safe to say that it has spread aggressively throughout the internet. The content of this email is very dark and you’ll soon understand why. Here’s an example of one of the emails:
This phishing email is referencing a case that has allegedly been brought against the person receiving this email. The message is signed by The Ministry of Justice of France, but it’s actually a phishing email. The European Union Agency for Law Enforcement Cooperation, aka Europol, has also been impersonated in this email, as the attacker is using the real name of one of Europol’s police officers in the signature.One other popular target for impersonation amongst this campaign has been The FPS Justice of Belgium.
The tone of voice in this email is very accusative and domineering. It states that an arrest warrant has been issued against the person receiving this email for some kind of criminal behaviour. To see the full accusation in detail, one must go through the document attached to the email. The email mentions quite ominously “protection of the child,” hinting at what’s to come in the document.
The attached document looks like this:
The content of the document is pretty hardcore, and definitely not for the faint of heart.
The text states that the email recipient has been accused of crimes involving child pornography, pedophilia, exhibitionism, cyber pornography and sex trafficking. The attacker is again using the name of a real, high-ranking Europol officer to make the scam more convincing in case the victim Googles the name.
Attempts have also been made to create a sense of authenticity by adding The Ministry of Justice and Europol logos. There’s also a hand written signature and several fake stamps added at the end of the email. Even so, the attacker is a bit sloppy as they are using a different name in the introduction and the final signature. These kinds of small mistakes are good ways to spot a phishing email.
The email proceeds to threaten legal action if the accused doesn’t respond in 72 hours. We have seen emails in this campaign threaten to:
Seeing these accusations and threats, even knowing you’re innocent, might panic some people. Thinking there’s some kind of tragic misunderstanding, they’ll want to clear their name. Unfortunately, that’s exactly what the attacker wants, to induce their reply.
Replying to the email leads to a scam in which the attacker tries to steal the victim’s financial information and other personal data.
Europol has issued a warning concerning these scams and they are aware that the names of real workers have been used in these emails. Europol has also tweeted that they “would never contact members of the public threatening individuals with opening a criminal investigation.”
Ideally, you will never end up in a credential harvesting website in the first place. To steer clear of credential theft, never click on suspicious links and be careful with links sent directly to your email. If you do suspect that you have ended up on a credential harvesting site, this is what to look for:
As we can see, authority impersonations are in popular use amongst scammers. The good news is that you can always contact your local authorities when you are unsure of the legitimacy of an authority-related email.
Keep calm and stay safe everyone!
Our Threat Analysis Team examines tens of thousands of reported phishing emails, including ones like these, a week–and have captured tens of millions of threats to date. They cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly-evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the awareness training that will protect your company from phishing scams.