Fraudsters using legacy Sendgrid services to carry out HMRC phishing scam

Online fraudsters are leveraging legacy Sendgrid accounts to enable their phishing emails to bypass spam filters and email security solutions in an attempt to dupe people into sharing their personal and financial information.

Sendgrid is a popular could-based email marketing solution, allowing individuals and organisations to send out bulk marketing emails, shipping notifications, and newsletters to a large number of recipients without having to own an email server. Owned by Twilio, Sendgrid also allows its users to send SMS, voice, and push notifications to recipients as well.

According to a security researcher who spoke to Bleeping Computer recently, fraudsters are now carrying out a highly-effective phishing campaign that involves the use of malicious domains that spoof those of the HMRC and Gov.UK and the use of legacy Sendgrid accounts to bypass spam filters and email security solutions.

Fraudsters are using malicious domains, that look very much like the HMRC and Gov.UK websites, to ask people to fill in their personal and financial information in forms in order to benefit from various government schemes such as the Self-Employment Income Support Scheme.

Information requested via these domain-spoofing websites includes the names, dates of birth, addresses, driving license numbers, driving license issue and expiry dates, national insurance numbers, passport numbers, and expiry dates, and Unique Taxpayer Reference (UTR) numbers of targeted victims.

Links to these fake domains are included within well-curated phishing emails that appear to come from the HMRC itself. According to the security researcher, these phishing emails are finding their way into people’s inboxes because fraudsters are using legacy Sendgrid accounts to bypass spam filters and email security solutions.

“In this specific case HMRC has a good DMARC record that makes most recipients to just junk them, but when [scammers] spoof other domains that actually have sendgrid in SPF/DMARC it’s much worse.

“To deliver this HMRC phishing campaign to their victims, the attackers spoofed the From email field with the tax collector’s outgoing email address: [email protected]. Because the scammers are using SendGrid’s delivery infrastructure, these emails “went straight through many mail filters,” the researcher said.

When contacted about the HMRC phishing scam, Twilio, the parent company of Sendgrid, said it is aware of the incident and is taking steps to investigate and resolve the problem.

“It is always regrettable when an individual or organisation is the victim of a phishing attack. As a best practice, we encourage users on our platform to take advantage of existing security controls to protect their accounts, such as using 2FA and IP Access Management, and encourage email senders to take full advantage of email authentication technologies to protect their domains from spoofing,” it added.

ALSO READ: 93% of global airlines leaving travellers vulnerable to email fraud