Fake DVLA SMS tricking UK residents into sharing payment card info

SMS messages made to look like they are coming from the Driver and Vehicle Licensing Agency (DVLA) are being flung at UK residents, in an attempt to trick them into sharing sensitive information.

Even though it looks like it should take the recipients to an official .gov.uk domain, the link points to a website that is just made to look like the real thing.

The victims are first told that they are due for a vehicle tax refund, then pointed to a page where they are instructed to enter their personal and payment card information. Again, the fake page really does resemble a bit the official DVLA one.

“If you sell or scrap a car, any tax you paid in advance for the current year will be refunded automatically, so many people will be familiar with getting money back from Swansea [home city of the DVLA]. Some people may very well have had trouble getting their refund, for example if there was a problem with the bank account from which they originally paid in the money, or if they aren’t at the address on record at the DVLA, causing the refund cheque to be returned undelivered,” Sophos researcher Paul Ducklin explained why the scammy SMS could fool many.

Scammers have really become experts at tricking people into parting with sensitive information or downloading malware.

They know which emotions can be best exploited to get the targets to respond, and are successfully leveraging already leaked personal information to effectively personalize scam messages and emails.

As always, users are advised never to follow links received in electronic communications.

If in doubt whether an attention-grabbing SMS or email is legitimate or not, a check can be easily made by picking up the phone and calling the agency that supposedly sent it. Just remember not to use any contact information that has been supplied in the email, but find it yourself through alternative channels.