Her Majesty’s Revenue and Customs (HMRC) is investigating 10,428 email, SMS, social media, and phone scams exploiting the Covid-19 pandemic, according to official figures.

The data, obtained under Freedom of Information (FOI) legislation by the Lanop Accountancy Group, also revealed that a total of 106 Coronavirus-related websites have been requested for removal by HMRC since March.

The highest number of phishing scams occurred in May with 5,152 reports to HMRC from members of the public and businesses, up from just 133 in March – a rise of 337 per cent. June also saw a surge in scams with 2,558 reports, followed by 2,105 in April.

In terms of website removal requests, April saw 42 such requests made by HMRC to Internet Service Providers (ISPs). This was followed by 24 in May and 17 in March.

In one scam, victims were sent a text message purporting to be from HMRC informing the recipient they are due a tax refund which can be applied for online via an official looking site that uses HMRC branding and is entitled “Coronavirus (COVID-19) guidance and support.”

The fake site then asks for several pieces of the user’s sensitive information before also requesting their passport number as ‘verification’ – a new aspect of the scam previously discovered by Griffin Law.

Another scam targets those using the government’s Self-Employment Income Support Scheme (Seiss) offering a bogus tax rebate. The latest text message informs the victim they are eligible for a tax refund and directs them to a website which then leads to a realistic imitation of the HMRC government site.

A form on the site then asks for the individual’s email address, postcode and HMRC log-in details. 

Another scam exploits the government’s Coronavirus Job Retention Scheme (CJRS) with a phishing email scam pretending to be from HM Revenue and Customs, designed to steal personal information. The email, which uses official HMRC branding, purports to be from Jim Harra, first permanent secretary and chief executive of HMRC, in an attempt to get business owners to reveal their bank account information.

Cyber security expert Chris Ross, SVP International, Barracuda Networks, comments:

“With HMRC offering a range of financial support packages for businesses and individuals during the pandemic, it’s no surprise that hackers have chosen to exploit the crisis in an effort to cash-in on Covid-19. These scams are often cleverly designed with official branding are incredibly realistic, coaxing unsuspecting victims to hand over confidential information such as bank account details, usernames and passwords.

With many people still working remotely for the foreseeable future, it’s vital that businesses ensure each and every member of staff is properly trained to spot these kinds of scams and the necessary cyber security systems are in place in place to identify and block suspected malicious communications, before it reaches the inbox. All it takes is a single victim to hand over important data, and hackers can gain access to critical company systems, allowing them to wreak havoc and steal data. We know from previous attacks on the NHS that hackers will exploit any situation for their own gain, so vigilance against phishing is key during this difficult time.”

Stav Pischits, CEO of Cynance, a Transputec company, comments:

“Classic non-technical cyber attacks, such as social engineering are still among the most effective ways for criminals to steal personal data from individuals and businesses. These schemes often prey upon the natural vulnerabilities of victims by offering financial support and discounts, in exchange for handing over ‘registration details’, such as bank account numbers and personal data.

Tackling this problem requires companies to recognise that these scams are not going to go away anytime soon. It’s also key to recognise that hackers have no limits and will target everyone from the CEO to the newly hired graduate in an effort to capture their objectives.

That’s why all businesses need dedicated security and data protection policies and  procedures, addressing network security, staff training and more, not only to ensure that they are compliant with data protection regulations, such as the GDPR, but also to improve their actual protection against phishing attacks and other online threats.”