Why do hackers love HMRC?

Hackers always seem to have a new trick up their sleeves to dupe unsuspecting victims into handing over their money and personal data. While new scams are emerging all the time, there are also some that hackers roll out repeatedly due to their high success rate.

Unfortunately, fake email messages from HMRC are among the most replicated and successful phishing scams circulated in the UK today. HMRC has received more than 2.6m reports of phishing attempts over the past three financial years, taking down more than 20,000 spoofed websites in 2018 alone.

Cybercriminals are quick to take advantage of the trust people have in HMRC by seeking to exploit a wide-ranging fear of the tax man and delight, for example, at receiving a rebate out of the blue. For accounting firms, it’s vital to stay alert, since social engineering campaigns are now more targeted and sophisticated than ever.

To successfully protect your business and help better educate clients, it’s important to understand why HMRC phishing scams are so successful.

Phishing scams in 2019

It stands to reason that the hackers best able to craft convincing messages are going to be the most successful in the long run. For this reason, criminals now spend an increasing amount of time researching their targets, including monitoring company events, investigating supply chains, and identifying use of technologies.

Businesses like PayPal or Airbnb are perhaps some of the best-known companies imitated by phishing campaigns. This is largely due to the size of their respective customer base and the regular schedule of communications that they send – which often require customers to perform an action, such as clicking a link to log into an account.

Public bodies are also duplicated to great effect. HMRC is a prime example of this, with scams usually distributed around key periods in the financial calendar, such as tax return and self-assessment deadlines.

Why HMRC?

There are a few good reasons why HMRC email scams are particularly successful.

The HMRC fear factor – Do not underestimate the sense of apprehension most people experience when opening an HMRC letter or email. People are naturally nervous of HMRC’s powers, something that makes them more likely to act without thinking – particularly if it’s good news, such as notification of a rebate. If only everyone knew that HMRC rarely sends important information via email or SMS, and never for tax refunds, almost all HMRC phishing scams would fail. If accountants communicated this to new clients and reminded existing ones each tax season, the number of businesses falling victim to HMRC scams would decrease massively.

A big target – Not every business uses the same financial services, meaning phishers posing as a high street bank, for example, will only stand to dupe a certain percentage of organisations. Whether for business or personal reasons, every adult in the UK has some reason to deal with HMRC, making attacks relevant to the broadest possible set of targets and improving the likelihood of success.

Easy to copy – Tell-tale signs of phishing attacks include grammatical errors, spelling mistakes and discrepancies in the style and presentation of communications. When it comes to faking HMRC communications, the government has made criminals’ lives much easier by publicly disclosing its complete style guide online. It has even published a blog detailing its use of fonts, meaning hackers don’t need to do much sleuthing to spoof HMRC emails and websites. Criminals can easily access all the information they need to launch their campaigns.

Public mistakes – Another major factor contributing to the success of these phishing campaigns is the frequency with which HMRC itself makes errors. The genuine mistakes and miscalculations made by HMRC through the years mean that little mistakes and inconsistencies, which might otherwise be viewed cautiously, are seen as ‘normal’. In January, for example, HMRC fined taxpayers for failing to submit their self-assessment returns online – even though the deadline was still two weeks away. When mistakes like this are made in real life, it is no wonder victims may not realise when something fishy is going on.

How to protect your firm and its clients

Upon receiving an email purporting to be from HMRC (or indeed, any organisation), it’s always advisable to review key details to confirm authenticity. Check the domain of the sender’s email address to confirm that it is genuine and not a slight variation of the real one. Spelling mistakes and branding inconsistencies can also be key signs that something is amiss. As a general rule, never click links directly within emails. If a communication requests that you perform an action, such as signing in to a personal or business tax account, go to the website directly to do so rather than following the URL in the message. Calling the organisation to check the validity of a request is also a sensible option.

For additional protection, consider investing in proactive network monitoring tools as well as email authentication technologies such as SPF and DMARC, which can help to reduce the receipt of spoofed emails from unknown senders. Cyber awareness training and assessments, such as simulated phishing attacks, are also a highly effective way to reduce the risk of employees falling foul of scams.
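The two checks recommended above, comparing the sender domain against the genuine one and looking at the SPF/DMARC results, can be automated at the mail gateway or in a triage script. The following is an added example written for this article, not code from HMRC or any vendor; the expected domain `hmrc.gov.uk` and the sample messages are assumptions and constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed legitimate sending domain: a placeholder for whichever domain your own
# verified HMRC correspondence actually comes from.
EXPECTED_DOMAIN = "hmrc.gov.uk"

def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_verdict(raw_message):
    """Classify the From: domain as expected, lookalike, display-name spoof or unrelated."""
    display, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain == EXPECTED_DOMAIN:
        return "expected"
    # A "slight variation": a couple of edits away, or the real name buried in a longer domain
    if edit_distance(domain, EXPECTED_DOMAIN) <= 2 or EXPECTED_DOMAIN in domain:
        return "lookalike"
    # Display name claims to be HMRC while the address is somewhere else entirely
    if "hmrc" in display.lower():
        return "display-name-spoof"
    return "unrelated"

def auth_results(raw_message):
    """Return the (spf, dmarc) results recorded by the receiving server, 'none' if absent."""
    hdr = message_from_string(raw_message).get("Authentication-Results", "")
    found = dict(re.findall(r"\b(spf|dmarc)=(\w+)", hdr.lower()))
    return found.get("spf", "none"), found.get("dmarc", "none")

# Constructed sample messages for illustration; neither is real HMRC mail.
GENUINE = ("From: HMRC <noreply@hmrc.gov.uk>\n"
           "Authentication-Results: mx.example; spf=pass smtp.mailfrom=hmrc.gov.uk;"
           " dkim=pass; dmarc=pass header.from=hmrc.gov.uk\n"
           "Subject: Self Assessment reminder\n\nYour return is due soon.\n")
PHISH = ("From: HMRC Refunds <refund@hmrc-gov.uk>\n"
         "Authentication-Results: mx.example; spf=fail smtp.mailfrom=hmrc-gov.uk\n"
         "Subject: You are due a tax refund\n\nClick here to claim.\n")

if __name__ == "__main__":
    for name, msg in (("genuine", GENUINE), ("phish", PHISH)):
        print(name, sender_verdict(msg), auth_results(msg))
```

A message that is a lookalike, a display-name spoof, or carries anything other than spf=pass and dmarc=pass is worth quarantining for a human to review before anyone follows its link.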

Providing basic cybersecurity advice when onboarding new clients and reminding existing clients of the existence of HMRC scams each year should be best practice. Given that phishing attacks are commonly themed around topical events, it also pays to remain vigilant. Monitoring the news and warning clients about the latest trends could help them to better protect their businesses. This kind of advice can demonstrate your organisation’s value beyond end-of-year tax and regulatory compliance – something that, given the changing nature of the industry, should be the aim of any progressive accounting firm in 2019.
