Covid-19 HMRC text phishing scheme targets passport details of self-employed

Business owners across London bombarded with scam text messages purporting to be from HMRC, cyber expert Stav Pischits, CEO, Cynance, calls for companies to invest in employees' security training, cyber awareness and review and refresh internal procedures that deal with email security and teleworking

by Patrick Sullivan, Political Editor on 30 June 2020 08:24


Self-employed workers and company owners are being targeted with a new SMS phishing scam, designed to obtain the victim’s passport number, home address, and bank account details.

The scheme, uncovered by a London law firm, beings with a text message purporting to be from HMRC, telling the recipient they are due a tax refund and should apply online via a site with the URL "".

The site uses official HMRC branding and is entitled ‘Coronavirus (Covid-19) guidance and support”. It asks visitors for personal details including their name, home address and government gateway log-in credentials. The form then calculates a ‘tax refund’ which always gives the result of £324.37, event when fake credentials are entered.

Users are them asked to provide their personal bank details in full, including the expiry date, name on the card, sort code and Card Verification Value (CVV). A new aspect of the latest scam is that it also asks for ‘verification’ of the user by requesting the passport number for the purpose of identity theft.

Errors in the website code have been noted by suspicious users, including links for ‘extra information’ and ‘cookies’ leading to broken links. So far, the law firm has ascertained that around 80 self-employed London-based workers have reported receiving this scam to their respective accountant.

Cyber security expert Stav Pischits, CEO, Cynance, told The Commentator, “The Covid-19 crisis has triggered a sharp rise in phishing attacks targeting businesses and individuals with realistic scams promising financial support and purporting to be from HMRC. All it takes is a single employee to accidentally hand over confidential company information, such as bank account details, a username or password for a potentially catastrophic data breach to occur. For many companies It's not a question of if, but when. 

Pischits continued, “It’s therefore vital that all companies invest in improving cybersecurity procedures, particularly with millions of employees working remotely for the foreseeable future. Key to this is fostering a people-processes-technologies focused approach. It is essential to invest in employees' security training, cyber awareness and review and refresh internal procedures that deal with email security and teleworking. It’s also important to make sure that the right security tools are implemented and configured properly.”

Meanwhile Chris Ross, SVP, Barracuda Networks added, “There has been a substantial rise in the number of HMRC-related SMS and email phishing scams targeting workers with fraudulent financial support schemes. Often, the hacker will send a tailored text message to catch the victim off-guard to their personal phone, something that has is increased with millions working from home due to the health crisis. The fact is that cyber criminals will exploit any situation to harvest financial data from individuals, seeing the national emergency as the perfect opportunity to fool vulnerable victims into handing over personal information. Security awareness is key within the workforce is key, and it’s vital that all employee are trained about how these schemes operate as well as how SMS can be exploited as part of a wider phishing scheme.”

blog comments powered by Disqus