HMRC reports 75 percent surge in email attacks during COVID-19

FOI request shows HMRC is dealing with a barrage of phishing attacks

Posted 23 November 2020 by Christine Horton

HM Revenue & Customs (HMRC) has recorded a staggering 367,520 reports of phishing email attacks during 2020, with data indicating a sharp rise in incidents after the UK went into its first lockdown in March.

That’s according to official data obtained by accountancy firm Lanop Outsourcing under the Freedom of Information (FOI) Act. It specifically revealed that HMRC faced an average of 26,100 phishing attacks in January and February 2020, before the figure soared to an average of 45,046 attacks per month from March to September – a 73 percent increase.

The lowest recorded number of phishing attacks during March-September 2020 came in August, when just 38,096 attacks were detected by HMRC. However, this figure then soared to 57,801 cases in September – the largest monthly quantity all year.

As well as phishing attacks, HMRC also reported nearly 200,000 (199,621) cases of phone scams, and a further 58,921 reports of SMS (text message) scams.

The month which saw the lowest number of phone scams and SMS referrals was April, with just 425 and 2,515 of each respectively. This is likely due to the increasing number of cybercriminals taking advantage of home workers via email phishing attacks (44,050 phishing scams were recorded in April).

Interestingly, when the UK came out of its first lockdown in June, the quantity of phone and SMS scams began soaring again, with the number of phone scams facing HMRC steadily climbing to a peak of 46,015 in September.

Cybersecurity expert Steve Peake, UK systems engineer manager at Barracuda Networks, said the vendor’s own data recently revealed a similar pattern of cyberattacks facing regular businesses. “Our researchers observed a 667 percent spike in spear phishing attacks from February to March, as a direct result of coronavirus. Similarly, other sectors, such as education, have also observed an upward trend of COVID-19 related phishing attacks during our battle against the virus.

“As the pandemic continues, businesses must anticipate Covid-19 themed attacks to increase in quantity. It’s also worth noting that cyberattacks and scams aren’t just contained to email messages; SMS-based phishing attacks, or ‘smishing’, and fraudulent phone calls also pose a serious threat to consumers, workers and the general public,” he said.

“Combatting this threat cannot be achieved by simply relying on a single protection method. It’s important to utilise technology such as robust email security software, while also ensuring staff awareness of security and threats remains high through recurring training.”

Mohammad Sohaib, director, Lanop Outsourcing, said cybercriminals are using the coronavirus to lure unknowing victims into leaking their own private information.

“In one such example, scammers impersonated HMRC to trick business owners into believing that their VAT deferral application, a key government support initiative during the pandemic, had been rejected. They would then redirect victims to a website with official HMRC branding, before stealing credit card details,” he said.

“Unfortunately, we are likely to see the percentage of ‘successful’ scams increase, as the sophistication and quantity of these attacks continue to surge. Combatting it requires constant online vigilance from business owners, consumers and internet users, as well as training and education around the threat facing them.”