HMRC-branded covid-19 scam targets passport details of self-employed
Self-employed workers in the UK are being targeted with a new SMS phishing scam, designed to obtain the victim's passport number, home address, and bank account details, it has emerged today.
The scheme, uncovered by Griffin Law, beings with a text message purporting to be from HMRC, telling the recipient they are due a tax refund and should apply online via a site with the URL http://ukservice.org.
The site uses official HMRC branding and is entitled "Coronavirus (Covid-19) guidance and support." It asks visitors for personal details including their name, home address and government gateway log-in credentials. The form then calculates a "tax refund" which always gives the result of £324.37, event when fake credentials are entered.
All it takes is a single employee to accidentally hand over confidential company information, such as bank account details, a username or password for a potentially catastrophic data breach to occur. For many companies It's not a question of if, but when."
Users are them asked to provide their personal bank details in full, including the expiry date, name on the card, sort code and Card Verification Value (CVV). A new aspect of the latest scam is that it also asks for ‘verification' of the user by requesting the passport number for the purpose of identity theft. Errors in the website code have been noted by suspicious users, including links for "extra information" and "cookies" leading to broken links.
So far, Griffin Law says it has ascertained that around 80 self-employed London-based workers have reported receiving this scam to their respective accountant.
Cyber expert Stav Pischits, CEO, Cynance, commented: "The covid-19 crisis has triggered a sharp rise in phishing attacks targeting businesses and individuals with realistic scams promising financial support and purporting to be from HMRC."
"All it takes is a single employee to accidentally hand over confidential company information, such as bank account details, a username or password for a potentially catastrophic data breach to occur. For many companies It's not a question of if, but when."
Pischits added: "It's therefore vital that all companies invest in improving cybersecurity procedures, particularly with millions of employees working remotely for the foreseeable future. Key to this is fostering a people-processes-technologies focused approach. It is essential to invest in employees' security training, cyber awareness and review and refresh internal procedures that deal with email security and teleworking. It's also important to make sure that the right security tools are implemented and configured properly."
Chris Ross, senior vice-president of Barracuda Networks, added, "There has been a sharp rise in the number of HMRC-related SMS and email phishing scams targeting workers with fraudulent financial support schemes. Often, the hacker will send a tailored text message to catch the victim off-guard to their personal phone, something that has is increased with millions working from home due to the health crisis."
"The fact is that cyber criminals will exploit any situation to harvest financial data from individuals, seeing the national emergency as the perfect opportunity to fool vulnerable victims into handing over personal information."
"Security awareness is key within the workforce is key, and it's vital that all employee are trained about how these schemes operate as well as how SMS can be exploited as part of a wider phishing scheme."
More on Cybercrime
