UK companies are the victims of a recent scamming campaign in which cybercriminals pretend to be agents of Her Majesty’s Revenue and Customs (HMRC). A number of spamming campaigns have been identified over the past weeks that take advantage of the measures implemented by the UK government to help companies through the COVID-19 pandemic and the forced lockdowns, which have stopped companies from operating or forced them to scale back operations seriously.

The HMRC scams have been widespread and varied, targeting companies, the self-employed, furloughed workers and others via email, telephone, and SMS messages. A number of the attacks include threats of arrest and jail time as a result of the underpayment of tax, demanding payment over the phone to prevent court action or arrest.

One scam focused on clients of Nucleus Financial Services and used an authentic communication from the firm as a template. The authentic email looks like it was obtained from a hacked third-party email account. The email told recipients that they were entitled to a tax refund from HMRC and directed them to click a link in order to be sent their refund. To apply for the refund, the user must hand over sensitive information via the website, which is captured by the hackers.

A separate campaign has been discovered that pretends to be HMRC and similarly seeks sensitive information such as bank account and email details. The lure relates to a scheme the UK government kicked off to help businesses by allowing them to defer their VAT payments between March and June 2020, until June 2021, to help ease the financial impact of the nationwide lockdown. Many companies took advantage of the scheme and applied to have their Value Added Tax (VAT) payments pushed back.

The campaign deploys emails that spoof HMRC and advise companies that their application to have their VAT payments deferred has been rejected because the company is in arrears. The emails incorporate an attachment with further information and a report on their application. The document is password protected, and the password is supplied in the email to allow the file to be opened.

A hyperlink is given that will take the user to a website where they are asked to provide sensitive information including their bank account details and email address and password, which are captured by the hackers.
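One way a mail filter could flag the lure described above, a password-protected attachment whose password is supplied in the same email, shown as an added example that is not from the original article or from any vendor product. The file-type heuristics, function names and the sample message are assumptions made for illustration; the article does not say which document format the campaign used.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # OLE2 compound file header
ZIP_MAGIC = b"PK\x03\x04"                        # ZIP local file header
OOXML_EXT = (".docx", ".xlsx", ".pptx")
PASSWORD_WORD = re.compile(r"\bpass(?:word|code)\b", re.IGNORECASE)


def attachment_is_encrypted(name: str, data: bytes) -> bool:
    # Password-protected OOXML files are wrapped in an OLE2 container, so a
    # .docx/.xlsx/.pptx that starts with the OLE2 magic instead of ZIP is flagged.
    if name.lower().endswith(OOXML_EXT) and data.startswith(OLE_MAGIC):
        return True
    # Encrypted ZIP entries set bit 0 of the general-purpose flag (offset 6).
    # Only the first entry is inspected here.
    if data.startswith(ZIP_MAGIC) and len(data) >= 8:
        return bool(int.from_bytes(data[6:8], "little") & 0x1)
    return False


def password_in_body_lure(raw: bytes) -> list:
    """Return names of encrypted attachments if the body also mentions a password."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if not PASSWORD_WORD.search(text):
        return []
    return [part.get_filename() for part in msg.iter_attachments()
            if attachment_is_encrypted(part.get_filename() or "",
                                       part.get_payload(decode=True) or b"")]


def build_sample(encrypted: bool) -> bytes:
    # Constructed message: sender, wording and attachment bytes are made up.
    msg = EmailMessage()
    msg["From"] = "vat-team@hmrc-notices.example"
    msg["To"] = "accounts@company.example"
    msg["Subject"] = "VAT deferral application rejected"
    msg.set_content("Your report is attached. The password to open it is 4471.")
    header = OLE_MAGIC if encrypted else ZIP_MAGIC + b"\x14\x00\x00\x00"
    msg.add_attachment(header + b"\x00" * 64, maintype="application",
                       subtype="octet-stream", filename="VAT_deferral_report.docx")
    return bytes(msg)


if __name__ == "__main__":
    print(password_in_body_lure(build_sample(True)))
    print(password_in_body_lure(build_sample(False)))
```

A hit is a signal for quarantine or manual review, since legitimate senders also share protected files this way.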

COVID-19 has resulted in scammers identifying a host of new opportunities to fool businesses into disclosing sensitive information. Many of the lures used in the emails, calls, and text messages are believable, the messages are well composed, and the hackers have gone to lengths to make their phishing websites look like those of the entities they are pretending to be.

Companies should be on high alert and be particularly wary of phishing scams. They should warn their staff to take extra care with any request that requires the disclosure of sensitive details.

Technical controls should also be implemented to block phishing emails at source and prevent visits to malicious websites. TitanHQ can help with this. TitanHQ offers two anti-phishing solutions for companies and MSPs to help them prevent phishing attacks: SpamTitan and WebTitan.