HMRC investigates over 10,000 Covid-19 phishing reports

HM Revenue & Customs (HMRC) has revealed that it has received and is investigating 10,428 scam emails, SMS messages, social media posts and phone calls exploiting its name during the Covid-19 coronavirus pandemic, in figures obtained under Freedom of Information (FoI)  legislation by the Lanop Accountancy Group.

Almost immediately after it was opened to applications on 20 April, chancellor Rishi Sunak’s job retention scheme introduced to support businesses through the pandemic was targeted by cyber criminals, and this latest data corroborates previous information supplied by HMRC, as reported by Computer Weekly at the time, that showed a clear spike in tax-related phishing scams in the following weeks.

HMRC has now said that, during May, it received 5,152 reports from members of the public and businesses to its phishing reporting service – [email protected] – up from just 133 in March. The figures for April and June were lower, at 2,558 and 2,105, respectively.

Besides the scam targeting the Coronavirus Job Retention Scheme, which was a standard email phishing attack, many of the other scams took the form of SMS messages (smishing) purporting to be from HMRC informing the recipient that, due to the coronavirus, they were due a tax refund that they could apply for online at an official-looking site using HMRC branding. The fake site asked for several items of potentially sensitive data, including passport numbers, for verification.

The prevalence of text-based scams may be a result of HMRC’s use of domain-based message authentication, reporting and conformance (Dmarc) protocols, which are a relatively effective method of preventing scam emails from exploiting brand collateral. Recognising its particular sensitivity to having its brand exploited, HMRC was in fact the UK’s first government body to introduce Dmarc.

Chris Ross, international senior vice-president at Barracuda Networks, said that given the range of financial support packages for business and individuals on offer through HMRC, it was no surprise to see cyber criminals exploiting it.

“These scams are often cleverly designed with official branding and are incredibly realistic, coaxing unsuspecting victims to hand over confidential information such as bank account details, usernames and passwords,” said Ross, who warned that with many people still working remotely despite official exhortations, the scams were likely to continue.

“It is vital that businesses ensure each and every member of staff is properly trained to spot these kinds of scams and the necessary cyber security systems are in place to identify and block suspected malicious communications before they reach the inbox,” he said.

“All it takes is a single victim to hand over important data, and hackers can gain access to critical company systems, allowing them to wreak havoc and steal data. We know from previous attacks on the NHS that hackers will exploit any situation for their own gain, so vigilance against phishing is key during this difficult time.”

Stav Pischits, CEO of security services provider Cynance, added: “Classic non-technical cyber attacks, such as social engineering, are still among the most effective ways for criminals to steal personal data from individuals and businesses. These schemes often prey upon the natural vulnerabilities of victims by offering financial support and discounts, in exchange for handing over ‘registration details’, such as bank account numbers and personal data.

“Tackling this problem requires companies to recognise that these scams are not going to go away any time soon. It is also key to recognise that hackers have no limits and will target everyone from the CEO to the newly hired graduate in an effort to capture their objectives.”