A Freedom of Information (FOI) request submitted by think tank Parliament Street to HMRC has found that in the past three years taxpayers submitted 2,602,528 reports of phishing via email, phone and other methods to the tax office.
In the 2016/17 tax year the highest number of reports were received by HMRC at 921,900. In 2017/18 there were 782,982 reports and 2018/19 totalled 897,649, an increase of 15 per cent on the previous year.
Phishing emails based on tax rebates were the most popular, with a total of 1,957,003 reports made about them.
This was despite HMRC implementing a verification system in November 2016, called DMARC, which allows emails to be verified to ensure they come from a genuine source and which has stopped half a billion phishing emails reaching customers.
The second most popular type of scam was via text message with a total of 150,009 complaints reported in the past three years, but reports of this method of phishing declined by almost half between 2016/17 and 2018/19.
However, the data showed that reported phone scams have significantly increased, with just 407 reported in 2016/17, rising to 104,774 reports in 2018/19.
Over the past three years, the number of phishing websites reported for removal totalled 50,323, with 2017/18 being the worst year with 19,198 reports.
From 2017-18 HMRC asked a record 20,750 websites to be taken down, a 29 per cent increase on the previous year.
The data also provided insight into the number of taxpayers who claimed they had disclosed personal financial details to scammers.
In the past three years, this figure totalled 18,792, with 2016/17 seeing the most reports at 10,647, signalling a growing awareness among consumers to guard their personal data.
Tim Sadler, chief executive of Tessian, a software company that prevents phishing, said: "What we see happening here with HMRC is happening across the board. Impersonation phishing attacks are on the rise as cybercriminals think up new ways to encourage people to share personal data or transfer money.
"And what better way to convince an individual to share information than to impersonate a position of trust and authority?
"The problem is that the digital world has altered the way trust develops online. Without the typical behavioural cues we use when physically interacting with a person, it becomes easier for hackers to manipulate people’s trust and increase the believability of a message or online persona. Hackers are also making their messages more convincing."
This week (June 3) it was revealed that recent steps taken by HMRC to prevent fraudsters copying the tax authority's telephone number have already reaped rewards, leading to a 25 per cent drop in overall scam reports and no new impersonations via this channel.
In April the taxman introduced stricter controls in partnership with Ofcom to stop fraudsters spoofing HMRC's most recognisable helpline numbers, often those beginning with the digits 0300.
In January 2019, the government banned cold calling in the pension industry to prevent pension scams but this ban does not apply to other areas such as taxation.
amy.austin@ft.com
What do you think about the issues raised by this story? Email us on fa.letters@ft.com to let us know.
