Joerg Habermeier - stock.adobe.c

HMRC-branded phishing scams surge despite protections

The number of HMRC-branded phishing scams surged 87% in the past 12 months, according to latest revealed figures

The number of officially reported HMRC-branded phishing scams jumped from 572,029 in the 2019-2020 fiscal year to 1,069,522 in the 2020-2021 period, an 87% surge, according to statistics obtained by Lanop Outsourcing, an accountancy firm, under the Freedom of Information (FoI) Act.

The statistics reveal that the majority of scams addressed by HMRC related to tax rebates or refunds, which were up 90% in 2020-1 compared to 2019-20, from 363,118 to 690,522. Much of this rise will be attributable to criminals trying to take advantage of millions of people plunged into financial insecurity during the Covid-19 pandemic.

Lanop director Aurangzaib Chawla said: “With businesses on a fragile road to recovery following the Covid-19 crisis, it’s vital to remain vigilant about the very real risks posed by HMRC-branded scams.”

The data also reveal a 66% rise in voice scam attacks during the past financial year, rising from 203,362 to 336,767. Attacks related to the DVLA – HMRC also receives reports of such attacks and is empowered to act on the agency’s behalf to initiate website takedowns – rose more than six times to 42,233 from 5,549.

The favoured delivery method for scams exploiting HMRC was via email. Attacks originating via this method more than doubled from 301,170 to 630,193. Reports of suspected SMS scams, or smishing, rose 52% from 67,497 to 102,562, and reports of phone call scams increased 66% from 203,362 to 336,767.

Andy Harcup, senior director at Gigamon, a supplier of network monitoring services, said: “The sharp rise in HMRC-branded phishing attacks poses huge risks to businesses and individuals, with many organisations lacking the resources to identify and protect against malicious hackers. All it takes is a single employee to unwittingly handover confidential passwords and user details and cyber criminals are free to enter and wreak havoc across the network.

“The fact is that companies cannot neutralise these attacks without full visibility into network traffic and getting complete visibility into potential hostile threats. The days of allowing security blind spots to remain unchecked are over and a getting a complete view of what’s happening and when should now be the new normal in terms of security protocol,” he said.

Tim Sadler, CEO at Tessian, which specialises in email security, added: “Impersonating an authoritative organisation like HMRC is a tried and tested way for cyber criminals to create a sense of urgency and fear, to manipulate people into sharing financial information or credentials via phishing or smishing scams. And they’ve upped the ante, particularly over the past 12 months, in the hope that by sending more emails, more people might fall for their schemes.

“Sadly, spotting the scams isn’t always easy, and hackers are making them even harder to detect. The general rule is to never click on links in unexpected texts or emails, even if you feel under pressure. Remember, you can always verify the request is real by calling the company directly or by checking your online account,” said Sadler.

Earlier in June, HMRC revealed that it received more than a million referrals of suspicious contact from members of the general public during the 2020-21 financial year. During that period, it worked with internet service providers (ISPs) to remove over 15,700 malicious web pages, and with Ofcom and telecoms providers to remove more than 3,000 malicious telephone numbers.

Due to its prominent public profile, HMRC is probably the government brand that is most frequently abused by criminals to add credibility to their scams. As a result, the department has long led discussions and schemes on cyber issues at Westminster, running its own Cyber Security Operations unit to identify and shut down scammers. It has also pioneered the use in government of DMARC protections for email, and other technical controls to stop its legitimate helpline numbers from being spoofed. Nevertheless, cyber criminals persist.

Myrtle Lloyd, HMRC’s director general for customer services, said: “We’re urging all of our customers to be really careful if they are contacted out of the blue by someone asking for money or bank details.

“There are a lot of scams out there where fraudsters are calling, texting or emailing customers claiming to be from HMRC. If you have any doubts, we suggest you don’t reply directly, and contact us yourself straight away. Search for our ‘scams checklist’ and to find out ‘how to report tax scams’.”

Read more about financial scams

Read more on Hackers and cybercrime prevention

Data Center
Data Management