The volume of HMRC phishing emails reported by the public has fallen sharply over the past two years, as those related to SMS- and phone-based scams increased, according to a new Freedom of Information (FOI) request.
UK-based Griffin Law obtained the figures from the UK tax office; they relate to the latter's suspicious email referral service. As such, they don’t provide a full picture of the scale of the phishing threat facing taxpayers, but do give useful insight into general trends.
From January 1 2018 to December 31 2019 there were a total of over 1.5 million reported scams. Although the vast majority (77%) of attacks came via email, the volume actually dropped by 60% between 2018 and 2019.
At the same time, the volume of smishing reports increased by 56% to reach 57,579, while the number of phone scams reported by the public jumped by a staggering 234% to reach 195,720 in 2019.
That could partly be explained by greater public awareness of such scams, but also seems to show an increasing willingness on the part of fraudsters to use different communications methods to trick taxpayers.
“It’s no surprise that cyber-criminals see impersonating HMRC through fraudulent phishing schemes as an easy route to securing cash pay-outs from unsuspecting victims. What’s most disturbing about these figures is the sophisticated multi-channel approach being used across calls, texts and emails to dupe individuals into assuming these interactions are a legitimate communication from the taxman,” argued Barracuda Networks SVP, Chris Ross.
“Moving forward, it’s vital that there is much more public awareness about how advanced and prevalent these phishing schemes have become. It’s also important to recognize the lengths these criminals will go to trick entrepreneurs, finance workers and vulnerable or elderly people into handing over PIN codes or transferring money to false accounts.”
A report from last June claimed that HMRC had received over 2.6 million phishing reports from the public since the 2016-17 financial year.
Backed by the National Cyber Security Centre (NCSC), the tax office has been taking strides to improve resilience against such attacks.
Thanks to switching on DMARC with the strongest p=reject policy, it’s said to have blocked hundreds of millions of phishing scams, while a report in 2018 claimed it had been able to deactivate tens of thousands of phishing sites.