HMRC warns locked-down freshers of ‘wave’ of tax scams

HM Revenue and Customs (HMRC) has written to universities across the UK urging them to warn their new intake of students of a fresh wave of tax scams and related cyber threats targeting the academic community.

The start of the academic year is always a risky time for students heading to university for the first time – and, according to HMRC, young people can be particularly at risk of falling victim to tax scams and fraud, which often spoofs HMRC branding to exploit members of the public.

This year, the issue is being compounded by campus-wide lockdowns and “blended” learning set-ups instituted during the Covid-19 pandemic, and HMRC believes this year’s unique situation could leave many new students particularly vulnerable to phishing attempts.

Jesse Norman, financial secretary to the Treasury, said: “Cyber criminals use every method they can to steal money and personal data from students. We are concerned that remote working because of Covid-19 could lead to more tax scams targeting a new and potentially vulnerable university intake.

“HM Revenue and Customs is doing everything it can to clamp down on cyber fraud, but students also need to be vigilant. We would urge university principals to take a lead in helping to protect their students from these cyber criminals by raising awareness of what to look out for.”

HMRC takes cyber fraud exceptionally seriously and has been highly active in tackling it during the pandemic, investigating thousands of phishing reports made to it and removing malicious websites almost as quickly as they pop up.

It August alone, said HMRC, it received almost 75,000 scam email, text message and phone call reports, with over 41,000 of these related to bogus tax rebates. Thousands of them were targeted at students, and those responsible appeared to have access to personal university email addresses, probably obtained unlawfully.

“The security and welfare of students is always a priority for universities,” said Universities UK chief executive Alistair Jarvis. “The message to students, at what is a particularly stressful time, is to remain vigilant and question anything that seems unusual. Any student who fears their account may have been misused is encouraged to speak to university support services, their bank, or to the police via Action Fraud.

Universities minister Michelle Donelan added: “I want every student to be as safe as possible this term, both online and offline, and it is absolutely vital that they are aware of the risks posed by tax scams. I encourage institutions to warn students about this issue and arm them with the information they need to identify and respond to tax scams if they should be targeted.”

HMRC’s advice encourages students to stop and think before parting with any personal information or money, not to reveal personal information or reply to unsolicited texts or emails, and never to download attachments or click links within them.

Anyone worried that they may have received a phishing scam exploiting HMRC branding can search “scams” on Gov.uk for more information on how to recognise genuine HMRC contacts. Suspicious emails claiming to be from HMRC can be passed to [email protected], and suspicious texts should be forwarded to 60599.

Meanwhile, new figures published today by the Parliament Street think-tank, which obtained them via the Freedom of Information (FoI) Act, revealed that HMRC itself has been on the receiving end of more than 520,000 malicious emails in just three months between June and September 2020 – an average of over 5,500 a day.

According to the data, most of the malicious emails received were relatively innocuous spam or junk mailings, but phishing attempts made up 128,255 of the total number of attacks, and 15,507 contained malware.

HMRC’s data also revealed a steady increase in monthly attacks made against its systems, rising from 116,000 in June to 154,000 in July and 175,000 in August.

Centrify vice-president Andy Heather and Barracuda Networks international senior vice-president Chris Ross agreed that with HMRC overseeing the tax and financial affairs of millions of people – and holding a “goldmine” of data on them – it was no surprise that the organisation’s staff were being relentlessly targeted by cyber criminals.

“These figures illustrate the huge volume of malicious phishing emails targeted at HMRC employees on a daily basis and serve as a reminder to other government organisations to keep email security and cyber awareness front of mind in an increasingly dangerous online world,” said Ross.

“All it takes is a single rogue email to reach the inbox of an unsuspecting staffer undetected and criminals could easily get hold of critical personal data, passwords or log-in credentials. Such a scenario could cause serious problems, both in terms of data protection and disruption to critical public services.”

Heather added: “If successful, one of these attempts could lead to cyber criminals gaining access to critical data such as user credentials and passwords, allowing the hacker to move around the organisation undetected, without raising suspicion from administrators. This, in turn, allows them to target privileged accounts for the purpose of data theft, server disruption or even ransom attacks.

“With the Covid-19 crisis forcing millions of people to work from home, there is an increased risk that malicious parties using stolen log-in details can operate without workers spotting what is happening.

“It is therefore critical that organisations like HMRC have the necessary systems in place to verify that users are who they say they are, preventing third parties with stolen data from gaining access to critical information.”