Cybercriminals have launched a new phishing campaign designed to steal the personal and financial details of millions of self-employed workers during the Covid-19 crisis.
Using the Self-Employment Income Support Scheme (SEISS) as a base, a worker receives a text message purporting to be from HMRC offering a tax rebate.
The message then directs them to a website called https://hmrefund.com which then leads to a realistic copy of the HMRC government site.
A form then asks for an email address, postcode and HMRC log-in details. A fake refund amount is then ‘calculated’, totalling £217.17.
The next page reveals an online form asking key personal information from the victim, including their card number, the name on the card, their account number, security code and expiry date.
Andy Harcup, VP, Absolute Software said: “It’s no surprise that hackers are trying to cash-in on the Covid-19 outbreak, with increasingly opportunistic and sophisticated phishing scams framed around HMRC support programmes.
“This particular scheme is designed to trick unsuspecting self-employed workers into claiming a tax refund, at a time when many people are struggling to make ends meet.
“The scam uses official government branding, logos and layouts, including a disclaimer about the site using cookies to fool users into thinking this is a legitimate way to reclaim their money.
“It is vital that users remain vigilant to such attacks, checking the origin and legitimacy of sites before handing over confidential financial data.
“It’s also critical that companies ensure they have the necessary cybersecurity systems in place to protect against malicious communications across all workplace laptops and devices, to keep hackers at bay.”
It is estimated that around 100 self-employed workers have reported the fake emails so far, according to Griffin Law, who researched the phishing campaign.
The news comes after Chancellor Rishi Sunak announced an extension to the SEISS scheme into August, which has so far seen 2.3 million claims worth £6.8 billion.
- How smart cities are fighting the Covid-19 pandemic
- Tech firm to donate laptops to Aberdeen charities and school kids
- This startup has a solution to social distancing in the hospitality sector
Cyber expert Chris Ross, SVP at Barracuda Networks, commented: “This is the latest in a series of sophisticated HMRC-branded phishing scams designed to target vulnerable workers during the Covid-19 outbreak.
“We’ve seen a sharp rise in these kinds of schemes, often carefully crafted and timed alongside new government funding announcements to increase the likelihood of duping unsuspecting workers into handing over personal financial data.
“Tackling this growing threat requires businesses to have the necessary security systems in place to identify suspicious emails and texts, as well as warning employees to remain vigilant against requests for private information from unverified sites and URLs, often sent to their phone.
“All it takes is one mistake and cybercriminals could get hold of the full details of a company debit card and bank account, causing serious problems for business owners in a particularly tough time.”