Convincing new TV licensing scam targets UK residents: warning

Published by on November 8, 2018 in Information Security

Some UK residents are receiving phishing emails purporting to be from the country’s TV licensing department. The fraudulent email states that the receiver’s billing information records are out of date and need to be updated. The email includes a prominent link to a near-identical clone of the real TV licensing website.

tv license scam email

Victims who fall for the scam give up a lengthy list of personal and financial information:

  • Full name
  • Date of birth
  • Address
  • Phone number
  • Email
  • Mother’s maiden name
  • Credit or bank card number and details
  • TV license account number

Once the victim submits this information, it goes straight to the scammers. The credit card information is probably most valuable to the criminal, as it can be used for direct financial gain. The other information could be used for identity fraud. The mother’s maiden name, in particular, remains a common if insecure means of verifying an account holder’s identity.

The UK’s TV licensing department never receives anything on its end, and there’s little recourse for victims who fall for the scam.

If you receive such an email, you should delete it. If you’d like, you can first report it to the authorities.

The scam is reminiscent of a similar phishing campaign in September wherein the email claimed victims were owned a refund or that their payment hasn’t gone through.

How to spot the phishing email

Here are some tips for spotting the UK TV License phishing email:

1. Check the email domain

tv license scam email 2

The email address is associated with the domain servicelive.com, which appears to be a house call service for handymen employed by Sears in the US. We suspect the email account or the email server was hacked. Scammers might prefer to use a hacked legitimate domain for phishing because the emails are less likely to get blocked by a spam filter.

enquiries0255@omp.contact.servicelive.com

Never trust display names, as these can be changed to anything at will. The display name in this case was “TV Licensing”.  This tactic is particularly effective on mobile email apps, which might not show the actual email address:

TV Licensing phishing email

2. Check the URL

Ideally, you should never click on links in unsolicited emails. Instead, you can hover your mouse over the link (or long-press on a smartphone) to see the plain text URL at the bottom of your browser window

The phishing URL includes several subdomains to obscure the fact that it’s not the real TV licensing site. Making domains excessively long is very effective against mobile users who can’t view the entire thing in their URL bar. The link in the email goes to:

http://www.cos.co.za/hman/bbc.tvlicensing.update.your.details.co.uk.html?email=victimemail@hotmail.co.uk

… and immediately redirects to …

http://www.tvlicensing.co.uk.update.your.details.online.database741727882.skeercbc.com

The genuine site is:

https://www.tvlicensing.co.uk/

The phishing URL contains two clues that should cue you into the fact that it’s fake. The first is the lack of HTTPS, which indicates that the site doesn’t have a valid SSL certificate. HTTPS ensures that all the data sent between the site and your device is encrypted and verifies that the website is who it says it is. Never enter personal information into a website without HTTPS, whether it’s legitimate or not.

The second clue is the subdomains—all the stuff before “skeercbc.com”. The subdomain(s) “tvlicensing.co.uk.update.your.details.online.database741727882” are subservient to skeercbc.com. Website operators can create as many of these subdomains as they want and name them whatever they want. Copying legitimate URLs into a subdomain to make it look like the real thing is a common tactic used in phishing, as you can see here.

The giveaway is in the use of periods instead of slashes. To spot it, look for the first forward slash (‘/’) after “http://”. Whatever comes just before that slash is the top level domain (.co.uk), and just before that is the website domain, “skeercbc”.

Skeercbc.com is a website registered in the UK in May 2018. It claims to be a construction consultancy and appears to be legitimate, in which case it may not realize a hacker has used its subdomain to create a phishing site.

We’ve contacted both ServiceLive.com and Skeercbc.com to inform them of the issue.

3. Sense of urgency

While not always indicative of phishing, scammers often try to instill a sense of urgency in their victims to push them into making mistakes. In this case, the email threatens to cancel the license and account of the victim if their billing information is not updated.

4. No personal information

The email addresses the recipient as “Sir/Madam”, even though the TV Licensing folks would certainly have license holders’ names. It also doesn’t include an account number or any other identifiable information, which is a sign that this same email is being sent out to a large number of recipients in the hopes of tricking just a few.

5. Privacy policy link

The hardly noticeable link at the bottom of the email says “Privacy Policy”, but it just goes to the same phishing page as the “Update your details” link.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.