Reported HMRC-Branded Phishing Scams Grew by 87% During COVID-19

Suspected HMRC-branded phishing scams grew by 87% during the COVID-19 pandemic, according to official figures obtained by accountancy group Lanop Outsourcing following a Freedom of Information (FoI) request.

This data revealed that reports of phishing scams impersonating the UK’s tax, payments and customs authority surged from 572,029 in the financial year 2019-20 to 1,069,522 from April 2020 to April 2021.

Messages related to tax rebates or refunds made up the majority of reported scams, comprising 690,522 out of a total of 1,069,522 that were recorded in 2020-21. This compares to 636,118 in 2019-20. This increase is likely a result of cyber-criminals looking to exploit the creation of a number of financial relief packages introduced by the UK government during COVID-19.

There was also a substantial rise (66%) in suspected voice scam attacks in this period, from 203,362 reports in FY 2019-20 up to 690,522 in FY 2020-21.

Email was the most commonly used vector to launch suspected HMRC-branded phishing attacks in this period, according to the figures. These rose by 109% compared to the previous year, from 301,170 to 630,193. Sharp rises were also observed concerning suspected phone call scams (up 66%) and SMS scams (up 52%) over this period.

Additionally, reports for scams impersonating the Driver and Vehicle Licensing Agency (DVLA), which HMRC receives reports for, increased by a colossal 661%, from just 5549 cases in 2019-20 to 42,233 in 2020-21.

Tim Sadler, CEO of Tessian, pointed out that “Impersonating an authoritative organization like HMRC is a tried and tested way for cybercriminals to create a sense of urgency and fear, in order to manipulate people into sharing financial information or credentials via phishing or smishing scams. And they’ve upped the ante, particularly over the past 12 months, in the hope that by sending more emails, more people might fall for their schemes.

“Sadly, spotting the scams isn’t always easy, and hackers are making them even harder to detect. The general rule is to never click on links in unexpected texts or emails, even if you feel under pressure. Remember, you can always verify the request is real by calling the company directly or checking your online account.”

The new figures chime with official data released in November 2020, which showed that HMRC detected a 73% rise in email phishing attacks in the first six months following the start of the COVID-19 pandemic.

What’s Hot on Infosecurity Magazine?