UK business owners have been targeted by a new phishing scam that attempts to gain sensitive information, including payment details, by impersonating Her Majesty’s Revenue and Customs (HMRC), according to an investigation by accountancy firm Lanop Outsourcing.
In emails purporting to be from HMRC, recipients are told that their VAT deferral application has been rejected. This follows an initiative by the UK government to allow businesses to defer VAT payments due between March and June 2020 until March 31, 2021, in order to help struggling companies during the COVID-19 lockdown. At least 100 business owners have so far reported receiving this scam.
The message, which uses official HMRC branding and graphics, begins by saying “Dear customers, Your request for a deferral of VAT payments due to coronavirus (COVID-19) has been rejected… Summary of reject justification: the claimant is in arrears.”
A false document is also attached, which the email claims contains “more details and a full report on your application.” The email also shares a one-use password to open the document and suggests the original application has been reshared.
The victim is then redirected to a false website and asked to enter sensitive information such as email, passwords and payment details, which are then harvested by the hacker.
This is the latest in a number of phishing scams associated with financial relief measures introduced by the UK government during the COVID-19 pandemic. Others have included an attempt to steal personal and financial details of self-employed workers using the Self-Employment Income Support Scheme (SEISS) and the harvesting of data of UK workers who are expecting COVID-19 tax relief grants.
Commenting on the story, Steve Peake, UK systems engineer manager at Barracuda Networks, said: “This phishing attack is the latest in a series of HMRC-branded email scams, designed to trick business owners into handing over confidential data. With many companies struggling due to the disruption caused by the COVID-19 outbreak, we have seen a real uptake in the number of COVID-19 related attacks targeting business owners and employees. In fact, we recently observed a 667% spike in coronavirus-related spear-phishing attacks from February compared to March, during the start of the UK’s lockdown. Thus, it was only a matter of time before hackers targeted the government’s VAT deferment scheme as a new route to obtaining the bank details of unsuspecting victims.
“Socially engineered service impersonation attacks using trusted brands is unfortunately a growing practice which can be a very successful method of attack, especially when combined with the current world situation. Attackers frequently rely on this form of attack as it delivers an instant level of trust with the email recipient, with many organizations lacking the layered security approach that modern day email security requires.”