Businesses targeted by VAT Deferral phishing scam

UK business owners have been targeted by a new phishing scam that attempts to gain sensitive information, including payment details, by impersonating Her Majesty’s Revenue and Customs (HMRC).

In emails purporting to be from HMRC, recipients are told that their VAT deferral application has been rejected. This follows an initiative by the UK government to allow businesses to defer VAT payments between March and June 2020 until March 31, 2021, in order to help struggling companies during the COVID-19 lockdown. At least 100 business owners have so far reported receiving this scam. The scam has now also been reported as being conducted by telephone.

The message, which uses official HMRC branding and graphics, begins by saying “Dear customers, Your request for a deferral of VAT payments due to coronavirus (COVID-19) has been rejected… Summary of reject justification: the claimant is in arrears.”

A false document is also attached, which the email claims contains “more details and a full report on your application.” The email also shares a one-use password to open the document and suggests the original application has been reshared.

The victim is then redirected to a false website and asked to enter sensitive information such as email, passwords and payment details, which are then harvested by the hacker.

This is the latest in a number of phishing scams associated with financial relief measures introduced by the UK government during the COVID-19 pandemic.

This phishing attack is the latest in a series of HMRC-branded email scams designed to trick business owners into handing over confidential data. With many companies struggling due to the disruption caused by the COVID-19 outbreak, there has been a real increase in the number of COVID-19-related attacks targeting business owners and employees.

Socially engineered service impersonation attacks using trusted brands are unfortunately a growing practice and can be a very successful method of attack, especially when combined with the current world situation. Attackers frequently rely on this form of attack because it delivers an instant level of trust with the email recipient, and many organisations lack the layered security approach that modern-day email security requires.

If you receive any of these emails or calls, please ignore and/or delete them.