Business Support | Aug 17 2020

The worrying rise in SMS phishing scams


Think you have heard from HM Revenue & Customs with an email, call, or text message notifying you that you might be eligible for government payments/rebate due to the Covid-19 pandemic?

With 2.4m self-employed individuals and freelancers taking advantage of the HMRC programme to provide subsidies and the huge disruptions in the UK economy as a result of the pandemic, fraudsters are seeing a higher success rate in scam campaigns because people are looking for as much help as possible.

They know that well-crafted (but fraudulent) messages that seem real can get people to fall for their schemes. People, to use a quote from the X-Files TV series, “want to believe”.

Key Points

  • Scammers are taking advantage of people’s current vulnerabilities
  • Many of them use SMS messages
  • It is better to take a few precautions than clean up afterwards

The latest scam campaign focuses on self-employed professionals who may be receiving assistance through the government’s Self-Employment Income Support Scheme, leveraging SMS messages to warn of potential eligibility for a tax refund.

Upon clicking on the link, professionals land on a very realistic page built on HMRC branding that asks for personal details and government gateway log-in credentials to calculate their supposed refund.

After calculating the fake refund amount, it asks for banking details in order to deposit the funds, but it also asks for passport numbers for “verification” purposes.

Banking data is no longer as valuable as it once was on the dark web, but the theft of highly sensitive passport number data can lead to big profits for the criminals as dark web marketplaces prize sensitive data like passport details for their potential in identity theft schemes.

Bypassing email defences with smishing

With email firewalls and fraud detection systems getting more sophisticated, fraudsters are increasingly leveraging SMS phishing (‘smishing’) in scams.

A recent Verizon report found that 85 per cent of attacks on mobile devices now take place via media other than email, as professionals are less accustomed to the telltale signs of a scam in their text messages compared to email.

Attackers know that users on mobile devices are more likely to click on a text message link. They are also taking advantage of smaller mobile browsers to create fake mobile websites that look exactly like real government sites in design, colours, typeface and layout.

Of course, the real HMRC has been very clear: they will never send you a message that solicits highly confidential information.

But in the face of growing economic distress, and knowing that there are real government programmes to help individuals in need, can we not predict that a certain percentage of the population is likely to respond and provide the information asked for by the criminals?

Sadly, the criminals know that the answer to this is yes.


This is nothing new. On the night of April 15 2019, the Notre-Dame cathedral was largely destroyed in a terrible fire. Within hours, online criminals had websites up and running to fraudulently collect funds (or credit card numbers) purportedly to help with rebuilding.

Instead, they were enriching themselves. The criminals quickly registered website names that implied that they were real charities and hit crowdfunding sites to establish “charitable” efforts to help after the fire. 

In fact, the fraudsters are so agile that they can have fake sites up and running, and be prepared to send out thousands of phishing emails and text messages to drive traffic to their websites and crowdfunding sites, within hours of identifying a potential for fraud.

Has there been a shift in criminals’ approach given the Covid-19 crisis?

The answer, sadly, is that criminals simply have not had to [change their approach]. All they needed were the details, for example, of the HMRC self-employed payment scheme, and they were ready to go.

They had the tools that they needed. They could register a virtually untraceable web address in minutes.

They had the technology infrastructure ready to go, and they had extensive practice from other global crises and newsworthy events like Brexit, the Notre-Dame fire and storm damage recovery in post-hurricane Puerto Rico, to name a few. In short, they were and are constantly watching for their next opportunity.

The pandemic has, however, greatly expanded the attack surface for fraudsters with the hasty shift toward remote work.

With employees working outside of the traditionally secure office network, often from unsecured personal devices that are shared by other family members, attackers have a lot more opportunities to succeed.


How can professionals protect themselves and their clients?

While there is no perfect solution and fraudsters are crafting more realistic and sophisticated attacks every day, there are ways to mitigate the risk.

  • Strengthen email systems. Harden your email. There are several software packages – some open source and free – that can help authenticate emails and detect messages with falsified addresses. There are services that you can use to kill off email that is determined to be fraudulent or that comes from an address known to be problematic.

Consider outbound mail review software. It can detect outbound emails with sensitive information and allow them to be reviewed by a second pair of eyes.
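The article does not name the mechanisms behind "authenticate emails and detect messages with falsified addresses"; the standard ones are SPF and DMARC DNS records, and the following is an added example (not code from the article or from Kroll) that reviews a domain's records offline and reports the settings that leave it open to spoofing. The two record sets are constructed for the example, and the `review` function, finding texts and the choice to treat relaxed alignment as a finding are this example's own assumptions.

```python
# Offline review of a domain's SPF and DMARC records: weak settings beside hardened ones.
# Both record sets below are constructed examples, not records of any real domain.
WEAK = {
    "spf": "v=spf1 include:_spf.mail.example.net ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:reports@example.com",
}
HARDENED = {
    "spf": "v=spf1 include:_spf.mail.example.net -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:reports@example.com; adkim=s; aspf=s",
}


def parse_dmarc(record: str) -> dict:
    """Split a 'tag=value; tag=value' DMARC record into a dict (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record: str) -> list:
    """Return findings about the SPF record; the 'all' mechanism decides how forged senders are treated."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record: forged sender addresses cannot be checked"]
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("'+all' authorises every host on the internet to send as this domain")
    elif last == "~all":
        findings.append("'~all' only soft-fails unknown senders; without a DMARC reject policy receivers usually deliver anyway")
    elif last == "?all":
        findings.append("'?all' is neutral, equivalent to no policy")
    elif last != "-all":
        findings.append("record does not end in an 'all' mechanism; the default result is neutral")
    return findings


def assess_dmarc(record: str) -> list:
    """Return findings about the DMARC record: policy strength, reporting and alignment."""
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["no valid DMARC record: receivers get no instruction for mail failing SPF/DKIM"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam rather than rejecting it")
    elif policy != "reject":
        findings.append("missing or unknown p= tag")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports of spoofing attempts go unseen")
    # Relaxed alignment (the default) lets any subdomain align; strict requires an exact match.
    if tags.get("adkim", "r").lower() != "s" or tags.get("aspf", "r").lower() != "s":
        findings.append("relaxed alignment: any subdomain passes for the organisational domain")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: policy applied to only part of the mail stream")
    return findings


def review(domain_records: dict) -> dict:
    """Assess both records of one domain and return the findings per record."""
    return {
        "spf": assess_spf(domain_records["spf"]),
        "dmarc": assess_dmarc(domain_records["dmarc"]),
    }


if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, review(records))
```

Run it and the weak set produces three findings (soft-fail SPF, monitor-only DMARC, relaxed alignment) while the hardened set produces none; pointing `review` at records fetched from DNS for your own domain is the real-world use.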

  • Examine SMS messages.

The basic warning signs are similar to email – look for incorrect spellings, odd sentences, or generic greetings instead of using real names.

Be suspicious of text messages from numbers that do not look like real mobile phone numbers.

Instead of clicking on the link included in the message, type it in a browser first. It is easy for fraudsters to mask a link in the message so it looks genuine.
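The warning signs listed above (generic greetings, misspellings, senders that are not real mobile numbers, links that only look genuine) can be turned into a simple triage check that a support desk can run over forwarded texts. The following is an added example, not code from the article or from Kroll: the three sample messages are constructed, the word lists are deliberately short, and the trusted-domain list and scoring thresholds are this example's own assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample texts for the example; none is a real message quoted by the article.
SAMPLES = [
    {"sender": "+447700900123",
     "text": "Hi Sam, your parcel arrives Tuesday between 10 and 12."},
    {"sender": "46201",
     "text": "Dear customer, you are eligable for a tax refund of 314.75 GBP. "
             "Claim now: http://hmrc-refund.example-claims.net/login"},
    {"sender": "HMRC",
     "text": "Your SEISS payment is pending. Verify your Government Gateway login "
             "and passport number at https://gov.uk.verify-now.example"},
]

# Short illustrative lists; a real deployment would maintain much longer ones.
GENERIC_GREETINGS = ("dear customer", "dear client", "dear user", "valued customer", "dear taxpayer")
MISSPELLINGS = ("eligable", "recieve", "goverment", "acount", "verfy")
SENSITIVE_ASKS = ("passport", "gateway", "bank details", "sort code", "login", "password", "pin")
# Assumed list of domains the genuine organisation actually sends from.
TRUSTED_DOMAINS = ("gov.uk", "hmrc.gov.uk")

UK_MOBILE = re.compile(r"^(?:\+447|07)\d{9}$")
URL = re.compile(r"https?://\S+", re.IGNORECASE)


def _has_word(text: str, phrase: str) -> bool:
    """Whole-word match so 'pin' does not fire inside 'shopping'."""
    return re.search(r"\b" + re.escape(phrase) + r"\b", text) is not None


def is_trusted_host(host: str) -> bool:
    """True only when the host is a trusted domain or a genuine subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def looks_like_brand(host: str) -> bool:
    """Brand or trusted name embedded somewhere in an untrusted host, e.g. gov.uk.verify-now.example."""
    return "hmrc" in host or any(d in host for d in TRUSTED_DOMAINS)


def triage(sender: str, text: str) -> dict:
    """Score one text message against the article's warning signs and return the reasons."""
    reasons = []
    lower = text.lower()
    if not UK_MOBILE.match(sender):
        reasons.append("sender is not a UK mobile number (short code or alphanumeric ID)")
    if any(g in lower for g in GENERIC_GREETINGS):
        reasons.append("generic greeting instead of a name")
    misspelt = [w for w in MISSPELLINGS if _has_word(lower, w)]
    if misspelt:
        reasons.append("misspellings: " + ", ".join(misspelt))
    asks = [w for w in SENSITIVE_ASKS if _has_word(lower, w)]
    if asks:
        reasons.append("requests sensitive data: " + ", ".join(asks))
    for url in URL.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if is_trusted_host(host):
            continue
        if looks_like_brand(host):
            reasons.append(f"lookalike domain: {host}")
        else:
            reasons.append(f"link to untrusted host: {host}")
    if "http://" in lower:
        reasons.append("plain-HTTP link")
    score = len(reasons)
    verdict = "likely smishing" if score >= 3 else ("suspicious" if score else "no indicators")
    return {"score": score, "verdict": verdict, "reasons": reasons}


def run_samples() -> list:
    """Triage every constructed sample and return the results in order."""
    return [triage(s["sender"], s["text"]) for s in SAMPLES]


if __name__ == "__main__":
    for sample, result in zip(SAMPLES, run_samples()):
        print(sample["sender"], "->", result["verdict"], result["reasons"])
```

The lookalike check is the part worth copying: a host such as `gov.uk.verify-now.example` contains the trusted name but is not under it, which is exactly the masking the article warns about, and a string comparison on the registrable domain catches it where a glance at the link does not.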

  • Strengthen internal security culture. Train employees – both for business and family transactions – to doubt any offer that seems too good, or that is asking for sensitive banking or personal information. Assume that every email, text message or phone call promising free government funds in exchange for banking information is fraudulent.

Do not trust but do verify. If there is an offer that you want to take advantage of, go online and check to see if it has been reported as a scam. Check the website of the organisation involved by going to its publicly known website. Do not rely on an internet address or phone number provided by the fraudsters.

Do not believe threatening robo-calls or calls from people threatening you with arrest or prosecution if you do not immediately provide them with the information they demand. That is not the way that government agencies work. Even if they provide a call-back number that answers with the name of the agency, remember that setting that up using virtually untraceable internet phone technology probably took the criminals under 10 minutes.

The adage referring to an ounce of prevention being better than a pound of cure is applicable to smishing and any other cyber scams.

It may be inconvenient to double check every message and take precautionary steps, but developing a healthy scepticism may save you, your staff and your clients considerable headaches.

Andrew Beckett is a managing director and EMEA leader in Kroll’s Cyber Risk practice, and Alan Brill is senior managing director and founder of Kroll’s Cyber Risk practice