Suspected HMRC-branded phishing scams grew by 87% during the COVID-19 pandemic, according to official figures obtained by accountancy group Lanop Outsourcing following a Freedom of Information (FoI) request.
The data revealed that reports of phishing scams impersonating the UK’s tax, payments and customs authority surged from 572,029 in the financial year 2019-20 to 1,069,522 from April 2020 to April 2021.
Messages related to tax rebates or refunds made up the majority of reported scams, rising by 90%, comprising 690,522 out of a total of 1,069,522 that were recorded in 2020-21. This compares to 636,118 in 2019-20. In addition, voice scam attacks rose by 66%, jumping from 203,362 to 336,767.
Calvin Gan, Senior Manager with F-Secure’s Tactical Defense Unit said: “All of us are gullible in some way and this is where threat actors exploit to their benefit. Phishing is so effective because the content context will always be something that triggers our emotion to act for fear of missing out. The high success click rate of phishing attacks continues to be a motivation for using this tactic to conduct cyber attacks.”
“Stopping phishing attacks would be an unrealistic ambition, but reducing the success rate of an attack is definitely doable. Having a thorough understanding of the attacker’s goal (cyber kill chain) and deploying multi-layered defence or tools (multi-factor authentication, zero trust policy, mailbox scanner, phishing email reporting tool) for each activity would mitigate the risk of having information stolen. Investing in a holistic security awareness training and simulation exercise which includes practicing a response plan in case of an attack, would allow an organisation to respond, instead of react, when an attack is happening.”
Impersonating an authoritative organisation like HMRC is a way for cybercriminals to create a sense of urgency and fear, in order to manipulate people into sharing financial information or credentials via phishing scams.
In the 2021 State of the Phish global survey of infosec professionals, 57% of respondents said their organisation dealt with a successful phishing attack in 2020. These attacks had serious impacts on the organisations they targeted. Compared with the previous survey, 13% more respondents said phishing attacks led to data loss. And 11% more said they led to credential compromise.
“Thwarting a phishing attack is not easy because it involves human behaviour which cannot be easily eradicated. Organisations which mostly focus on preventing phishing attacks have to realise that for an attacker, phishing is just the entry point for a sequence of attacks. Understanding the goal of an attacker would allow organisations to plan out their multi-layered defence approach.” added Gan.
Myrtle Lloyd, HMRC’s Director General for Customer Services, said: “We’re urging all of our customers to be really careful if they are contacted out of the blue by someone asking for money or bank details.
“There are a lot of scams out there where fraudsters are calling, texting or emailing customers claiming to be from HMRC. If you have any doubts, we suggest you don’t reply directly, and contact us yourself straight away. Search GOV.UK for our ‘scams checklist’ and to find out ‘how to report tax scams’.”