According to data collected by Griffin Law 1,524,449 fake emails, calls and text messages claiming to be from Her Majesty’s Revenue and Customs were reported to HMRC between 2018 and 2019.
Fraudulent correspondence purporting to be from HMRC is nothing new, but their delivery appears to have changed.
Scams in the form of SMS text messages, otherwise known as smishing, have increased by 56% from 36,950 to 57,579 whereas email scams, or phishing, dropped 60% from 841,805 to 333,857 according to recent data.
As we increasingly utilise mobile devices to conduct our financial affairs it will arguably become more and more difficult to distinguish between genuine and illegitimate contact, whether they be via email, text or even via phone call.
In light of the recent release of this data highlighting scammers’ jump from email to text message; several cybersecurity professionals have offered their insights:
Javvad Malik, security awareness advocate at KnowBe4:
“HMRC is a commonly spoofed brand, with many people falling victim to phishing attacks that demand tax payment or offer tax refunds. As the use of SMS to communicate with customers has increased over the years, coupled with the fact that users are less likely to be suspicious of SMS messages, or don’t know how to validate the authenticity of a link embedded within an SMS, it is no surprise that scammers are increasingly using this attack method.
Users should remember that organisations such as HMRC or banks will never use email or SMS for demanding payment or similar urgent communication. Care should be taken with links even in SMS, and if in doubt, users should either log onto their HMRC account directly, or call their local tax office for confirmation.”
Tom Davison, technical director – international at Lookout:
“As we do more of our financial interactions on mobile devices, they are increasingly become the target of phishing. Smishing (where a phishing link is sent via SMS) is just one example, with email, web and in-app phishing also highly prevalent. It is relatively straightforward to buy an “off-the-shelf” phishing kit and target users en masse via SMS messages, tracking efficacy with a simple user interface. The bad news is that users are 3 times more likely to click a phishing link when presented on a small form factor device such as a phone or tablet.
When it comes to protecting against smishing scams, user awareness and vigilance are key. Be wary of any links that have been sent to your mobile device, whether by email or text message. Users should also develop the habit of proceeding to a login screen using a bookmarked link or the official website of a service they wish to use. If you receive a smishing text you should also report it to the HMRC phishing team. However, just as you wouldn’t protect an endpoint device from ransomware and viruses with education alone, a mobile threat defence solution is critical for comprehensive protection against the rise in smishing campaigns.”
Corin Imai, senior security advisor at DomainTools:
“Despite the numerous initiatives to raise awareness on HMRC scams, the fact that these continue to proliferate indicates that these campaigns remain profitable for the attackers who devise them. However, the surge in phone-based and text message scams and the decline in phishing emails denotes that the efforts to warn potential victims of the threats coming through their inbox have been at least somewhat successful: cybercriminals only stop exploiting a certain technique only when it ceases to be effective.
The best way to tackle the rise in text and phone-based scams is to follow the same model that worked for emails, which is to combine education and active efforts from service providers to block out malicious messages before they can reach potential victims. British people should be reminded that HMRC only gets in touch via regular mail, and any other type of interaction is most certainly a fraud. Any language of urgency – which is commonly found in socially engineered communications, designed to induce immediate action – should be a red flag.”