Another new email phishing scam produced by hackers purporting to be from HM Revenue and Customs (HMRC) has been uncovered.
The latest of many recent scamming attempts by criminals is using the omnipresent topic of coronavirus alongside the subject of VAT deferrals to trick you into giving away sensitive data.
Aimed at small business owners, the fake HMRC email attempts to purloin confidential information from ventures struggling to cope with the ongoing effects of the pandemic. HMRC allowed payments of VAT between March and June of this year to be deferred and the scam email pretending to be from the Revenue tries to dupe companies affected into revealing private information including account names, passwords and payment details.
The latest scam was uncovered by accountancy specialists Lanop Outsourcing and features, on the face of it at least, official HMRC branding and imagery. The phishing email begins: “Dear customers, Your request for a deferral of VAT payments due to coronavirus (COVID-19) has been rejected… Summary of reject justification: ‘the claimant is in arrears.”
The email message carries a bogus attachment that features “more details and a full report on your application”. It also comes with a one-use password required to open the document. Attempting to add further legitimacy to the message is the way that it suggests the original application has already been shared with others.
Anyone tempted to do what the email asks is redirected to a fake website and told to enter sensitive business details. IT commentators are universal in reminding business people, and indeed the wider public that HMRC will never ask for credentials of any kind. You should also double-check the validity of any emails or requests to visit websites that don’t look or behave quite right.
“This scam is one of the most deceitful and realistic phishing attacks we’ve seen since the start of the Covid-19 pandemic, and its veneer of legitimacy is just strong enough that concerned business owners could easily fall into the trap of handing over personal information,” noted Shahzad Ali, Managing Director, Lanop Outsourcing.
“In these trying times, a cyber hack should be the least of business owners’ worries, and it’s essential that the source of all significant emails, particularly those purporting to be from a government agency, should be verified before any further action is taken.”