Hackers attack business owners with Covid VAT deferral scam

Accountancy outsourcing specialists, Lanop Outsourcing, uncovered a new email phishing scam targeting UK business owners. The scammers, using official HMRC branding and graphics as a guise, are convincing their victims that their VAT deferral  application has been rejected.

According to the Lanop Outsourcing report, more than 100 business owners stated they had received the same scam email through clients of Lanop Outsourcing.

In an effort to help businesses through Covid disruption, HMRC allowed VAT payments between March 2020 and June 2020 to be deferred until March 31 2021. Piggybacking the scheme, hackers have tried to trick business owners into revealing their sensitive information, such as account names, passwords and financial information.

The scam email in question begins: “Dear customers, Your request for a deferral of VAT payments due to coronavirus (COVID-19) has been rejected… Summary of reject justification: ‘the claimant is in arrears.”

The email continues, attempting to convince the recipient of the source’s authority and legitimacy, with a link to a document titled “more details and a full report on your application”. To access the document, victims use the one-time password provided in the email.

At this point, targeted business owners are redirected to a false website and prompted to enter their sensitive information, which the hacker then harvests. While a rudimentary means of phishing for personal details, what makes this scam so dangerous are the official HMRC logos and graphics, which might compel already-desperate victims into complying with the hacker’s requests.

Speaking on the scam and how business owners can protect themselves, UK Systems Engineer Manager at Barracuda Networks, Steve Peake, comments:

“This phishing attack is the latest in a series of HMRC-branded email scams, designed to trick business owners into handing over confidential data. With many companies struggling due to the disruption caused by the Covid-19 outbreak, we have seen a real uptake in the number of Covid-related attacks targeting business owners and employees. In fact, we recently observed a 667% spike in coronavirus-related spear-phishing attacks from February compared to March, during the start of the UK’s lockdown. Thus, it was only a matter of time before hackers targeted the government’s VAT deferment scheme as a new route to obtaining the bank details of unsuspecting victims.”

“Socially engineered service impersonation attacks using trusted brands is unfortunately a growing practice which can be a very successful method of attack, especially when combined with the current world situation. Attackers frequently rely on this form of attack as it delivers an instant level of trust with the email recipient, with many organisations lacking the layered security approach that modern day email security requires.”

“Combatting this issue requires business owners and entrepreneurs take email security seriously, ensuing the right systems are in place to highlight and block potentially malicious or suspicious emails before they reach the inbox. It’s also critical that every member of staff is properly trained to spot these scams, especially with so many people still working remotely. For example, HMRC will never ask for credentials of any kind, and it’s important that users understand this as well as other basic security precautions, such as checking the website of any request directly, and never clicking links sent via email.”