November 20, 2020

Covid-19 sparks 73% surge in HMRC phishing scams

By Robert Scammell

Phishing attacks in which cybercriminals impersonate HM Revenue & Customs (HMRC) have soared by 73% since the UK first went into lockdown in March.

In January and February phishing attacks averaged 26,100 per month, according to a Freedom of Information (FOI) request made by accountancy firm Lanop Outsourcing to HMRC.

That figure then jumped to 40,184 HMRC phishing attacks in March. It has increased most months since and has averaged 45,046 attacks per month between March and September.

Despite a drop in August to 38,096 phishing attacks, this figure rose sharply to a new high of 57,801 in September.

In total there have been 367,520 phishing attacks between January and September 2020.

HMRC scam emails copy the same formatting as an official email, making it difficult for victims to spot the fake email. They often claim that the target is eligible for a tax rebate that can be accessed by clicking a link. Opening the link can direct the victim to a fake online form which will then give the scammers access to personal information.

This type of attack is not new, but scammers have seized upon the coronavirus pandemic as a hook to ensnare victims.

One HMRC scam email circulating in March claimed that taxpayers were eligible for a “new tax refund programme for dealing with the coronavirus outbreak in its action plan”.

The email ‘spoofed’ the display name to make it appear genuine.

“Cybercriminals have not missed a trick when it comes to using the devastating coronavirus to lure unknowing victims into leaking their own private information, such as passwords and payment details, via a phishing scam,” said Mohammad Sohaib, director, Lanop Outsourcing.

“In one such example, scammers impersonated HMRC to trick business owners into believing that their VAT deferral application, a key government support initiative during the pandemic, had been rejected. They would then redirect victims to a website with official HMRC branding, before stealing credit card details.”

While phishing emails have been the most common type of HMRC scam this year, phone scams have also been on the rise.

In January and February the number of HMRC phone scams averaged 20,646 per month. Between March and September this increased to 22,619, despite significant declines in April and May.

Between January and September there have been a total of 199,621 cases of HMRC phone scams.

SMS scams, also known as smishing, saw an uptick in May, but attack volume has remained relatively flat throughout the year.

“Unfortunately, we are likely to see the percentage of ‘successful’ scams increase, as the sophistication and quantity of these attacks continue to surge,” said Steve Peake, UK systems engineer manager at cybersecurity firm Barracuda Networks.

“As the pandemic continues, businesses must anticipate Covid-19 themed attacks to increase in quantity. It’s also worth noting that cyberattacks and scams aren’t just contained to email messages; SMS-based phishing attacks, or ‘smishing’, and fraudulent phone calls also pose a serious threat to consumers, workers and the general public.

“Combatting this threat cannot be achieved by simply relying on a single protection method. It’s important to utilise technology such as robust email security software, while also ensuring staff awareness of security and threats remains high through recurring training.”

