HMRC reports 75% surge in targeted e-mail attacks during COVID-19 outbreak

That’s according to official data obtained by accountancy firm Lanop Outsourcing under a Freedom of Information request, which specifically reveals that HMRC faced an average of 26,100 phishing attacks in January and February of this year before that number soared to an average of 45,046 attacks per month from March through until September (ie a 73% increase).

The lowest recorded number of phishing attacks during March to September took place in August when 38,096 attacks were detected by HMRC. However, this figure then soared to 57,801 cases in September (the largest monthly quantity all year, in fact).

As well as phishing attacks, HMRC also reported nearly 200,000 (199,621 to be exacy) cases of phone scams and 58,921 SMS (ie text message) scams.

The month which saw the lowest number of phone scams and SMS referrals was April, with 425 and 2,515 of each respectively. This is likely due to the increasing number of cyber criminals taking advantage of home workers via e-mail phishing attacks (44,050 phishing scams were recorded in April).

Interestingly, when the UK came out of its first lockdown, the quantity of phone and SMS scams began soaring again, with the number of phone scams facing HMRC steadily inclining to reach a peak of 46,015 in September.

Serious threat

Cyber security expert Steve Peake, UK systems engineering manager at Barracuda Networks, commented: “Interestingly, Barracuda’s own data recently unveiled a similar pattern of cyber attacks facing regular businesses, with our researchers observing a 667% spike in spear phishing attacks from February to March as a direct result of COVID. Similarly, other sectors, such as education, have also observed an upward trend of COVID-19 related phishing attacks during our battle against the virus.”

Peake added: “As the pandemic continues, businesses must anticipate COVID-19 themed attacks to increase in quantity. It’s also worth noting that cyber attacks and scams are not just confined to e-mails, SMS-based phishing attacks or ‘smishing’. Fraudulent phone calls also pose a serious threat to consumers, workers and the general public.”

What’s the answer? Peake stated: “Combating this threat cannot be achieved by simply relying on a single protection method. It’s important to use technology such as robust e-mail security software, while also ensuring staff awareness of security and threats remains high through recurrent training.”

Mohammad Sohaib, director at Lanop Outsourcing, informed Security Matters: “Cyber criminals have not missed a trick when it comes to using the devastating Coronavirus to lure unknowing victims into leaking their own private information, such as passwords and payment details, via a phishing scam.”

On that note, Sohaib went on to comment: “In one such example, scammers impersonated HMRC to trick business owners into believing that their VAT deferral application, a key Government support initiative during the pandemic, had been rejected. They would then redirect victims to a website with official HMRC branding before stealing credit card details.”

He concluded: “Unfortunately, we’re likely to see the percentage of ‘successful’ scams increase as the sophistication and quantity of these attacks continues to surge. Combating this issue requires constant online vigilance from business owners, consumers and Internet users, as well as training and education around the threat facing them.”