If you 've just paid your self-assessment tax bill , be vigilant if you receive an email informing you that you 're due a refund . Fraudsters are targeting taxpayers with spurious emails and text messages pretending to be Attack.Phishing from the government . I received one such email over the weekend , telling me I was due a refund of £222.32 . The email came Attack.Phishing complete with a bogus 'HMRC Transaction Confirmation ' number and a link claiming to be Attack.Phishing to the Government Gateway , which is used to access online government services . Of course , I would just need to click on the bogus link with my 'credit/debit card ready ' so the criminals at the other end of the link could scam Attack.Phishing my cards for as much money as possible . At first glance , it may look fairly convincing - the spelling and grammar is pretty good , it contains plenty of official-looking reference numbers and the web links are at least in part quite similar to the genuine articles . But it 's very definitely a 'phishing ' email - whereby the fraudster sender is trying to hook Attack.Phishing you into providing personal information . In this case , they 're after my credit or debit card numbers . Phishing happens by text message too . Earlier this month HMRC reported people are nine times more likely to fall for text message scams than other types such as email because they can appear more legitimate , with many texts displaying ‘ HMRC ’ as the sender , rather than a phone number . It also said it had 'stopped thousands of taxpayers from receiving scam text messages , with 90 per cent of the most convincing texts now halted before they reach their phones ' . To help you protect yourself and your bank account , there are several warning signs you should always look out for to determine whether such emails and texts are fakes This is in case they contain malware - software with a virus that can read personal information on your computer – or destroy it . The bug is often activated by users inadvertently opening an attachment or clicking on an email link . And it 's not just emails and texts about tax refunds you need to be vigilant towards . A spokesman for Action Fraud told This is Money : 'At this important time in the tax year when people will be claiming refunds , we are warning of fraudsters who contact victims claiming to be Attack.Phishing from HMRC to trick Attack.Phishing them into paying bogus debts and taxes . 'These criminals will contact Attack.Phishing victims in many ways , including spoof calls , voicemails and text messages . And in most cases they will ask for payments in iTunes giftcards . 'It is important that people spot the signs of this type of fraud to protect themselves . 'HMRC will never use text messages to inform about a tax rebate or penalty and will never ask for any payment in the form of iTunes vouchers . '

This Locky spam dip has been seen by multiple observers , such as security firms Avast and Check Point , and security researchers Kevin Beaumont , MalwareTech , MalwareHunterTeam , and others . According to Check Point , who recently released a report on December 's most active malware families , Locky spam numbers have gone down 81 % . Previously , in October , Locky had been ranked as the top malware threat in the world , while now , in December , Locky is not even in the top 10 anymore . The same thing can also be seen in a chart released by Avast . Even if the chart does n't cover the last ten days , Locky spam numbers have remained at the same low levels as during the holidays . The only tiny trail of activity in the chart above is the Locky ransomware delivered as a second-stage download for Kovter campaigns . Kovter is a click-fraud malware that infects computers and clicks on invisible ads on the user 's behalf . This malware has been around for years , and recently , it started distributing a wide range of secondary payloads . In January 2016 , Kovter downloaded and installed a proxy client on infected PCs , transforming infected hosts into proxy servers for the ProxyGate web proxy service . This allowed the Kovter gang to make a side profit by routing web traffic through infected PCs , while also earning money from its main activity : click-fraud . In the same month , Kovter also started distributing a version of the Nemucod ransomware , for which Fabian Wosar of Emsisoft had successfully created a decrypter . Disheartened by Wosar 's success , the group behind Kovter switched to several ransomware variants in the following months , and eventually settled on renting and distributing Locky starting with October , as part of an affiliate scheme , splitting the ransom payments Attack.Ransom with the Locky crew . Researchers looking at Locky infections can easily track Locky infections distributed by the Kovter group by the affiliate IDs 23 and 24 , found in Locky 's configuration file , present on every infected system . PhishMe researchers have recently published a blog post detailing the Kovter spam emails that has been distributing Locky ransomware in the past weeks . At the moment , these spam emails are the only source of Locky infections . Previously , most of the spam emails distributing Locky came Attack.Phishing from the spam sent out via Necurs , a botnet of PCs infected with the Necurs bootkit . The Necurs botnet is the same botnet responsible for the distribution of the Dridex banking trojan , one of the most advanced banking trojans known today .