HMRC Investigating Over 10,000 COVID-Related Phishing Scams

More than 10,000 email, SMS, social media and phone scams exploiting the COVID-19 pandemic are being investigated by Her Majesty’s Revenue and Customs (HMRC) in the UK.

The official figures, published following a Freedom of Information (FOI) request by the Lanop Accountancy Group, highlight how the health and economic crisis has provided major scamming opportunities for cyber-criminals.

The data showed that May was the month in which the highest number of phishing scams were reported by members of the public to HMRC, at 5152, representing a 337% rise compared to March when lockdown measures were first introduced in the UK. This was followed by 2558 reports in June, and 2105 in April. The total since March comes to 10,428.

Government programs introduced to support businesses and workers impacted by the lockdown have been a common target for scammers. Examples include an email purporting to be from HMRC regarding the government’s Coronavirus Job Retention Scheme, which attempted to get business owners to reveal their bank account information, while another offered a bogus tax rebate under the guise of the Self-Employment Income Support Scheme.

The FOI also showed that 106 COVID-related websites have been requested for removal since March, with April the highest month at 42, followed by 24 in May and 17 in March. In May, it was revealed that HMRC formally asked internet service providers (ISPs) to remove 292 scam web addresses exploiting the coronavirus outbreak.

Chris Ross, SVP international at Barracuda Networks, commented: “With HMRC offering a range of financial support packages for businesses and individuals during the pandemic, it’s no surprise that hackers have chosen to exploit the crisis in an effort to cash in on COVID-19. These scams are often cleverly designed with official branding and are incredibly realistic, coaxing unsuspecting victims to hand over confidential information such as bank account details, usernames and passwords.”

Stav Pischits, CEO of Cynance, added: “Tackling this problem requires companies to recognize that these scams are not going to go away anytime soon. It’s also key to recognize that hackers have no limits and will target everyone from the CEO to the newly hired graduate in an effort to capture their objectives.

“That’s why all businesses need dedicated security and data protection policies and procedures, addressing network security, staff training and more, not only to ensure that they are compliant with data protection regulations, such as the GDPR, but also to improve their actual protection against phishing attacks and other online threats.”

Last month, research revealed that over 10% of all phishing attempts in Q1 of 2020 were related to COVID-19.
