Phishing in the name of government

There is a strong risk of people being “phished” in the name of various local or foreign government departments.

This typically happens whenever a new legal requirement or regulation is coming into play in your jurisdiction or another jurisdiction that you have a “footprint” within. A key example of this has been happening frequently in some parts of Europe with “clean-air” certification requirements for motor vehicles operated in various European cities. Or there are the recent energy-efficiency or cost-of-living support programs being offered by many a government that may be relevant to you.

The phenomenon also happens around tax season, when there are attempts to phish you in the name of your government’s tax department in relation to tax refunds or obligations. This becomes intense when there are significant changes to anything to do with income tax, sales tax / VAT / GST or similar taxes and how they are assessed.

Or it could be to do with an incident or transaction that happened locally or on foreign soil, such as a legal action, motor vehicle accident or a purchase. Here, it would be about having to follow through with any necessary homework to close the incident or, perhaps, facilitate a product recall.

Typically the grifters are after your email addresses and passwords for various online services. They may also be after financial details like your credit-card / bank-account numbers or authority to debit money from your main transaction account. As well, they are after personal identifying information like your name, address or date of birth so as to facilitate identity theft.

Check that Web link carefully

One thing you have to do is to check the Web link that is being used to link to a resource they are wanting you to view.

Domain names

Most governments use specially-reserved domain suffixes for their online presence such as email addresses or Website addresses. This is worked out with the powers that be that regulate or offer domain names across the Internet. Examples of these include “.gov”, “.gov.au” or “gouv.fr”.

There is an exception to this rule with government-owned enterprises or outsourced government activity. But most of this kind of activity will exist under a nation’s own top-level domain like “.au, .nz, .uk, .de” that is maintained by a national organisation that manages this domain, selling them only to citizens of or organisations chartered in that nation. It also applies to countries that don’t operate a specific government-level subdomain in their Internet domain hierarchy.

On the other hand, there may be an alternative domain name representing the name of the agency or program that is communicated to the public beforehand. You will see this in advertising or public-relations activity run by that agency or program. This may be common with government enterprises like public transport or with outsourced government efforts.
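The suffix check described above, written out as an added example that is not part of the original article. The suffix list holds only the examples the article quotes, the function names are hypothetical, and the sample links are constructed.

```python
import re
from urllib.parse import urlsplit

# Government-reserved suffixes quoted in the article; extend for your jurisdiction.
GOV_SUFFIXES = ("gov", "gov.au", "gouv.fr")
# First label of each suffix ("gov", "gouv"), used to spot disguised links.
GOV_WORDS = {s.split(".")[0] for s in GOV_SUFFIXES}

# Constructed sample links (not real services).
SAMPLE_LINKS = [
    "https://tax.example.gov.au/refund",
    "https://tax.example.gov.au.refund-claim.example.com/login",
    "https://tax.example.gov.au@example.net/",
    "https://example-gov.au/",
    "https://www.example.com/news",
]


def split_link(url):
    """Return (host the browser will contact, full authority part)."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    # .hostname drops any "user@" prefix and the port, so
    # "https://tax.example.gov.au@example.net/" yields "example.net".
    host = (parts.hostname or "").rstrip(".").lower()
    return host, parts.netloc.lower()


def gov_suffix(host):
    """Return the reserved suffix the host sits under, or None.

    The match is on whole labels at the END of the host name, so
    "tax.example.gov.au.example.com" and "example-gov.au" do not qualify.
    """
    for suffix in sorted(GOV_SUFFIXES, key=len, reverse=True):
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def check_link(url):
    """Classify a link as 'government', 'lookalike' or 'other'."""
    host, netloc = split_link(url)
    if gov_suffix(host):
        return "government"
    # A government word elsewhere in the authority part (a leading
    # sub-domain, a "user@" prefix, a hyphenated name) is a disguise.
    if GOV_WORDS & set(re.split(r"[.\-@:]", netloc)):
        return "lookalike"
    return "other"
```

A result of "other" is not a verdict on its own: the exceptions the article describes, such as government enterprises under a national domain or a publicised program domain, also land there.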

Link shorteners

Link-shortening arrangements, whether offered by the communications platform or another platform, can be used to obfuscate the hyperlink’s domain name. It also affects QR codes that are used to link to a Website. But they are used with messages sent by SMS/MMS or messaging platforms or material posted on some social media platforms due to the platform not having enough room for a full Weblink.

Typically, when you click on a shortened link, you would be redirected to the main link. Here, you may have the ability to see the full link or at least the domain name that is associated with that link.

In the case of services like Linktree, you would be shown to an intermediary Webpage that shows a list of Weblinks that point to different resources on the ‘Net. These are used for online presences that only tolerate one Weblink, or with QR codes to lead people to a menu of related resources. Clicking on these resources from a Linktree list would have you see the full link or the domain name associated with them.

Smartphones and similar devices

Similarly, mobile browsers or other browsers written for limited user interfaces don’t have an always-visible address bar that shows the URL of the Website you are visiting. Here, it may be a good idea to bring up that address bar to see the Website’s URL when you open the Website.

But the better mobile browsers like Chrome for Android are answering this problem by showing the domain name of the Website you are visiting. Here you can be sure you are visiting the correct Website for the government department.

E-mail addresses

E-mail addresses tend to have a “display name” that is visible to users and the actual email address that points to an email account on an email service. This is typically to allow a person’s or company’s name to be visible in a manner familiar to everyday users even though they have an obscure-sounding account username.

But an email phishing scam can show a display name that appears legitimate at first sight but relates to an account that is different from the display name. This can be an email account that appears to come from a government domain but actually comes from a “.com” or foreign domain.

Most email clients have the ability to show the email address in addition to the display name. Some, like desktop email clients, will show the email address alongside the display name whereas others may require you to hover the pointer over the display name or, in the case of a touch-based device, dwell your finger on the display name.
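The display-name trick described above can be checked mechanically on a message’s From header. This is an added example, not part of the original article; the function names are hypothetical, the suffix list is the article’s own examples, and the headers are constructed.

```python
import re
from email.utils import parseaddr

# Government-reserved suffixes quoted in the article.
GOV_SUFFIXES = ("gov", "gov.au", "gouv.fr")

# Constructed From headers (not real senders).
SAMPLE_HEADERS = [
    '"Example Tax Office" <noreply@tax.example.gov.au>',
    '"Tax Office noreply@tax.example.gov.au" <refunds@example.com>',
    '"Government Refunds" <refunds@example.com>',
]


def under_gov_suffix(domain):
    """True when the domain ends in a reserved suffix on a label boundary."""
    return any(domain == s or domain.endswith("." + s) for s in GOV_SUFFIXES)


def inspect_from(header):
    """Compare what the display name claims with the real address.

    Returns 'gov'      - the address itself is under a government suffix
            'mismatch' - the display name shows a government domain but
                         the address belongs to a different domain
            'non-gov'  - no government domain in the address
    """
    display, address = parseaddr(header)
    domain = address.rpartition("@")[2].lower()
    if under_gov_suffix(domain):
        return "gov"
    # Pull anything that looks like a domain out of the display name,
    # including the domain part of an email address typed into it.
    claimed = re.findall(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+", display)
    if any(under_gov_suffix(d.lower()) for d in claimed):
        return "mismatch"
    return "non-gov"


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(inspect_from(header), "<-", header)
```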

Websites and similar online touchpoints

Use of SSL security

Government Websites and similar online touchpoints will use SSL security, preferably with Extended Validation or Organisation Validation SSL. This will be used as a way to authenticate the Website and secure your communication with it.

You will notice this with a key or padlock symbol in the address bar or even see the address bar or address text turn green when you visit the Website. With Organisation Validation SSL, you may see the name of the government department if you, for example, click on the key icon in your browser’s address bar.

This is more so where you are filling in online forms, making payments or submitting identity numbers as part of your online interaction.

Communications standards

The text for genuine government communications will come across in your nation’s official languages including locally-accepted dialects to a standard consistent with proper business communications. This will be of importance with emails or SMS messaging. It is because the source text for a Website or message could be written in one language but translated using Google Translate or another online machine-translation service.

In some cases, a multilingual government site may show more information in one particular language compared to other languages. This may be due to the public servants being more confident with that language and resisting the urge to “pump” the text through machine translation or submit more work to translation services. Similarly, there may be more relevant resources that are native to that language such as the German-speaking part of a Swiss government Web site referring to extra resources available in Germany.

The logos, colours and other trade dress on that site should be current to what the government department is using in their public communications. This is important whenever the department underwent a significant branding change or there was an official restructure that took place.

How are transactions settled

Payments to government departments are to be settled in the jurisdiction’s common legal tender i.e. the local currency used for daily transactions. That means you shouldn’t see a debt being raised in US Dollars or Euro if the country doesn’t use these currencies as local currency. Nor should you see these debts being raised in cryptocurrency units like Bitcoin.

The method of payment is to be a domestically-accepted or regionally-accepted electronic-funds-transfer mechanism where the money is directly transferred out of your bank account. This may include a similar platform like Australia’s Government EasyPay that is set up by the public service to receive government payments. You may find that some governments may implement the common payment cards as a legitimate payment means for some personal transactions.

But you shouldn’t be using payment methods like gift cards; prepaid disposable debit cards; wire transfers like MoneyGram and Western Union Money Transfer; or cryptocurrency to settle these debts. Scammers prefer these means because there is no traceability that can facilitate investigations or ability for customers to have the transactions reversed.

What do you do

Don’t click the link or use the contact details in the message that the phishers have sent you. Instead, contact the government department via their official email address or phone number if you receive a message in the name of that department in order to confirm the veracity of the situation in the message.

Here, you manually enter the department’s URL into the address bar on your Web browser or use Google or Bing to search for it if you don’t know that URL. The result you should use in the search engine is the first one that isn’t an ad. This is because scammers can buy a search ad to promote their phishing Webpage on popular search engines. You may even find that privacy-focused search engines like DuckDuckGo may yield the proper results with the official page listed at the top.

The “Contact Us” or “About Us” page will list official emails that the government department uses alongside other contact details and, perhaps, a Webform for this purpose. It may also include the phone numbers associated with that government department, typically a “wide-area” number like a toll-free, fixed-price or few-digits number, answered by a receptionist, switchboard operator or auto-attendant setup.

You may find that an e-government app that you have on your phone may come in handy for looking up contact details. Here, you would have ended up with one of these apps on your phone as part of your government’s COVID-safe measures or as part of an effort by your jurisdiction to head to a “switched-on” posture.

The government department’s Website will be likely to yield information about how you can verify the authenticity of a message you received from them or report phishing attempts. You may even see information on the government department’s site about these attacks if they have been subject to a rash of phishing attempts in their name.

If this message emanates from a foreign government, it may be something that requires consular assistance to verify its legitimacy or further the transaction. Here, you may have to check with that nation’s embassy or consulate or your government’s foreign-affairs department about what they are asking for. They may also put you in touch with official translators when you want to translate official documents or it may be about identity verification or document authentication for international transactions.

That situation may come into play for those of us who regularly travel between or have business dealings with different countries and leave a “digital footprint” with other countries’ governments. It would be more common where the countries have land borders or are accessible by a short affordable journey.

What can be done?

As we install e-government apps on our phones, these apps could facilitate a verification or authentication mechanism for government correspondence. Here, you could be doing something like clicking on a verification link in an email or message if you receive it on the same device as the app or scan a QR code on the message or Website in order to verify its authenticity.

Similarly, increasing the use of device-based password-free authentication in online government services could come into its own to prevent citizens’ online accounts being phished.

Conclusion

The goal is to be patient about how you handle that message that comes in from the government and take time to verify its authenticity using the government department’s official contact points that you find from locally-respected information sources.
