New Phishing Attack Impersonates as DWP Attacking Users to Steal Credit Card Data

A sophisticated phishing campaign targeting UK citizens has emerged, masquerading as official communications from the Department for Work and Pensions (DWP) to steal sensitive financial information.

The campaign, which has been active since late May 2025, represents a significant escalation in social engineering attacks against British residents, exploiting concerns about government benefits and seasonal allowances.

The attack leverages SMS messaging as its primary vector, distributing fraudulent messages that warn recipients about missing Winter Heating Allowance applications.

These messages create a sense of urgency by suggesting that immediate action is required to avoid losing crucial financial support during the winter months.

The psychological manipulation is particularly effective as it targets vulnerable populations who depend on government assistance programs.

Gen Threat Labs analysts identified the campaign’s peak activity occurring in the second half of June 2025, indicating a coordinated effort to maximize impact during a period when citizens would be most concerned about heating allowances.

The researchers noted that the campaign utilizes shortened URLs to obscure the malicious destination, leading unsuspecting victims to convincing replica websites that closely mimic official DWP portals.

Technical Analysis: URL Shortening and Domain Masquerading

The phishing infrastructure employs sophisticated URL shortening techniques combined with domain spoofing to evade detection mechanisms.

The attackers register domains that closely resemble legitimate government websites, utilizing techniques such as typosquatting and homograph attacks.

These fraudulent sites are designed with meticulous attention to detail, incorporating official DWP branding, logos, and layout structures to establish credibility.

The shortened links serve multiple purposes beyond mere obfuscation.

They enable the attackers to track click-through rates, analyze victim demographics, and implement conditional redirects based on user-agent strings or geographic locations.

This data collection allows the threat actors to refine their targeting strategies and optimize conversion rates for their credential harvesting operations.

Once victims navigate to these malicious sites, they encounter forms requesting comprehensive personal information including credit card details, banking information, and identity verification data under the guise of processing benefit applications.

Investigate live malware behavior, trace every step of an attack, and make faster, smarter security decisions -> Try ANY.RUN now