More than 10,000 COVID-19 phishing scams reported to HMRC during lockdown

The highest number of scams occurred in May, with 5,153 reported to HMRC

New figures have revealed that 10,429 phishing scams were reported to Her Majesty’s Revenue and Customs (HMRC) at the height of the COVID-19 outbreak, all of which the non-ministerial government department is currently investigating.

In data obtained under a Freedom of Information (FOI) request, put forward by the Lanop Accountancy Group, the analysis suggests the scams took a range of forms that left businesses and members of the public vulnerable to attack, including email, SMS, social media and phone scams exploiting the COVID-19 pandemic.

Figures also show that 106 coronavirus-related websites have been requested for removal by HMRC since March.

The highest number of attacks occurred in May, with 5,152 reports to HMRC from members of the public and companies – a considerable rise from the 133 recorded in March, representing a surge of 337%.

The month of June also saw a jump in scams, with 2,558 reported cases, followed by 2,105 in April.

When it comes to website removal requests, April saw 42 such reports put forward by HMRC to Internet Service Providers (ISPs), followed by 24 in May and 17 in March.

Official table of COVID-19-related phishing scams from HMRC

One scam sent victims a text, claiming to be from HMRC, informing the recipient they are due a tax refund which can be claimed via an official-looking hoax website – complete with HMRC branding – entitled ‘Coronavirus (COVID-19) guidance and support’. The site then asks for some of the user’s sensitive information before requesting their passport number as ‘verification’ – a new part of the scam uncovered by Griffin Law.

Another example targeted individuals using the government’s Self-Employment Income Support Scheme (Seiss) by offering a fake tax rebate. The most recent SMS states that the victim is eligible for a tax reimbursement before pointing them towards a fake website which imitates that of HMRC. A form on the site then collects the individual’s email address, postcode and HMRC login information.

Another scam takes advantage of the government’s Coronavirus Job Retention Scheme (CJRS) via an email that mimics HMRC, purposefully designed to steal personal information. The email, complete with authentic-looking branding, purports to be from Jim Harra, first permanent secretary and chief executive of Her Majesty’s Revenue and Customs, in an effort to get business owners to reveal their banking details.

“With HMRC offering a range of financial support packages for businesses and individuals during the pandemic, it’s no surprise that hackers have chosen to exploit the crisis in an effort to cash-in on COVID-19. These scams are often cleverly designed with official branding and are incredibly realistic, coaxing unsuspecting victims to hand over confidential information such as bank account details, usernames and passwords,” said Chris Ross, SVP international at Barracuda Networks.

“With many people still working remotely for the foreseeable future, it’s vital that businesses ensure each and every member of staff is properly trained to spot these kinds of scams and the necessary cybersecurity systems are in place to identify and block suspected malicious communications, before it reaches the inbox.”

Stav Pischits, CEO of Cynance, commented: “Classic non-technical cyber attacks, such as social engineering, are still among the most effective ways for criminals to steal personal data from individuals and businesses.

“Tackling this problem requires companies to recognise that these scams are not going to go away any time soon…That’s why all businesses need dedicated security and data protection policies and procedures, addressing network security, staff training and more, not only to ensure that they are compliant with data protection regulations, such as the GDPR, but also to improve their actual protection against phishing attacks and other online threats.”

You might also like: 7 tips to keep your data secure


Leave a Reply

Free live webinar & QA

Blended learning – Did we forget about the students?

Free Education Webinar with Class

Wednesday, June 15, 11AM London BST

Join our expert panel as we look at what blended learning means in 2022 and how universities can meet the needs of ever more diverse student expectations.