Her Majesty’s Revenue and Customs (HMRC) has been hit with over half a million malicious emails in three months, according to think tank Parliament Street.
The government department was bombarded with 5,000 malicious email attacks every day, totalling 521,582 spam, phishing and malware attacks between July and September, Parliament Street’s cybersecurity research team uncovered through a Freedom of Information request.
According to the data, 377,820 emails were spam and junk, 128,255 emails were phishing attacks and the remaining 15,507 contained malware.
It also revealed that there has been a steady increase in attacks against HMRC since June. In June, the number of attacks was 115,585, rising to 153,992 in July and 175,227 in August.
Figures for September showed 76,778 attacks in the first 10 days alone, leading Parliament Street researchers to estimate that attack numbers could have reached 230,000 by the end of the month.
Fake emails purporting to be from trusted sources such as HMRC are a common attack vector for hackers, with attackers recently taking advantage of the coronavirus furlough scheme and coronavirus job retention scheme. According to research by Griffin Law, the number of scam emails, calls and text messages posing as HMRC reached 1.5m in March.
Security specialist and VP at Centrify Andy Heather said:
“Hackers see HMRC as a goldmine of personal and company data, so it’s no surprise that they are bombarding the organisation with an array of phishing, malware and spam attacks on a daily basis. If successful, one of these attempts could lead to cyber criminals gaining access to critical data such as user credentials and passwords, allowing the hacker to move around the organisation undetected, without raising suspicion from administrators. This in turn allows them to target privileged accounts for the purpose of data theft, server disruption or even ransom attacks.
“With the Covid-19 crisis forcing millions of people to work from home, there is an increased risk that malicious parties using stolen log-in details can operate without workers spotting what’s happening. It is therefore critical that organisations like HMRC have the necessary systems in place to verify that users are who they say they are, preventing third parties with stolen data from gaining access to critical information.”