Business owners targeted in Covid-19 VAT deferral scam

HMRC scam
(Image credit: Lanop Outsourcing)

Another new email phishing scam produced by hackers purporting to be from HM Revenue and Customs (HMRC) has been uncovered. 

The latest of many recent scamming attempts by criminals is using the omnipresent topic of coronavirus alongside the subject of VAT deferrals to trick you into giving away sensitive data.

Aimed at small business owners, the fake HMRC email attempts to purloin confidential information from ventures struggling to cope with the ongoing effects of the pandemic. HMRC allowed payments of VAT between March and June of this year to be deferred and the scam email pretending to be from the Revenue tries to dupe companies affected into revealing private information including account names, passwords and payment details.

The latest scam was uncovered by accountancy specialists Lanop Outsourcing and features, on the face of it at least, official HMRC branding and imagery. The phishing email begins: “Dear customers, Your request for a deferral of VAT payments due to coronavirus (COVID-19) has been rejected… Summary of reject justification: ‘the claimant is in arrears.”

The email message carries a bogus attachment that features “more details and a full report on your application”. It also comes with a one-use password required to open the document. Attempting to add further legitimacy to the message is the way that it suggests the original application has already been shared with others.

HMRC scam

Anyone tempted to do what the email asks is redirected to a fake website and told to enter sensitive business details. IT commentators are universal in reminding business people, and indeed the wider public that HMRC will never ask for credentials of any kind. You should also double-check the validity of any emails or requests to visit websites that don't look or behave quite right. 

“This scam is one of the most deceitful and realistic phishing attacks we’ve seen since the start of the Covid-19 pandemic, and its veneer of legitimacy is just strong enough that concerned business owners could easily fall into the trap of handing over personal information," noted Shahzad Ali, Managing Director, Lanop Outsourcing.

"In these trying times, a cyber hack should be the least of business owners’ worries, and it’s essential that the source of all significant emails, particularly those purporting to be from a government agency, should be verified before any further action is taken.”

Rob Clymo

Rob Clymo has been a tech journalist for more years than he can actually remember, having started out in the wacky world of print magazines before discovering the power of the internet. Since he's been all-digital he has run the Innovation channel during a few years at Microsoft as well as turning out regular news, reviews, features and other content for the likes of TechRadar, TechRadar Pro, Tom's Guide, Fit&Well, Gizmodo, Shortlist, Automotive Interiors World, Automotive Testing Technology International, Future of Transportation and Electric & Hybrid Vehicle Technology International. In the rare moments he's not working he's usually out and about on one of numerous e-bikes in his collection.