It’s that time of year where UK taxpayers have to file their self-assessment tax returns and, in many cases, pay their tax bills. This makes it a boom time for scammers targeting tax payers. They email and text their victims claiming to be from HMRC and telling them they are due a tax refund. These phishing texts and emails are effective every year. After all, who doesn’t think they’ve paid too much tax.
In the last 18 months, HMRC has been getting protective against scam emails and last year started to target scam text messages. Its latest campaign, part of Take Five to Stop Fraud, has seen HMRC claim to have blocked 90% of the most convincing texts. This, of course, raises the question of what was the threshold to be a “convincing text.”
HMRC’s Director of Customer Services, Angela MacDonald, said: “HMRC is focused on becoming the most digitally advanced tax authority in the world, and a big part of that relates to keeping our customers safe from online scammers. As email and website scams become less effective, fraudsters are increasingly turning to text messages to con taxpayers.
“But as these numbers show, we won’t rest until these criminals are out of avenues to exploit. We have made significant progress is cutting down these types of crime, but one of the most effective ways to tackle it is still to help the public spot the tell-tale signs of fraud.”
What has HMRC stopped?
The scam texts tell the victim they are due a tax refund. The texts include a link to a website which is run by the scammer. Once the user clicks on the link the site will ask for various details including bank accounts. Those details are then used to steal money from the victim and carry out identity theft.
Some of the sites go further. They install mobile malware on the victims device. This then spreads across other systems that they connect to. For users who use their device for business and personal use, it can lead to work credentials being exposed.
The HMRC program scans large numbers of texts that claim to have come from HMRC. Those texts are then blocked from being delivered to the phones of the victims. According to the press release:
“Since the pilot began, there has been a 90% reduction in customer reports around the spoofing of these specific HMRC-related tags on SMS and a five-fold reduction in malicious SMS reports. The initiative has helped reduce reports of these scams from over 5,000 in March 2017, before the new programme was introduced, to fewer than 1,000 in December 2017. This progress comes after similar successes in tackling fraudulent emails and websites.
“In the last 12 months, HMRC has initiated the removal of 16,000 malicious websites, meaning even if the texts are delivered, the associated phishing website is likely to have been removed.”
In addition to blocking texts and removing these malicious websites, HMRC claims to have stopped over 300 million phishing emails.
What does this mean?
Ciaran Martin, head of the National Cyber Security Centre, has previously identified fake emails pretending to come from the GOV.UK domain as a serious problem. Despite crackdowns and the blocking of large numbers, the emails and texts just keep coming.
The question for HMRC is what can it do to improve the awareness of the problem? There was no TV, radio or newspaper campaign to alert people. Details of the Take Five to Stop Fraud have failed to get through to the public. ET was unable to find anyone who was aware of this campaign before we asked them. This indicates a major failure of HMRC to get the warning messages out to potential victims.
This latest announcement is a good news story for the security teams trying to protect UK citizens. It shows that they are able to detect and stop a percentage of the fake emails and texts being sent. However, there are questions that remain. What total percentage of texts and emails were blocked? What constitutes a convincing text? Why did it not do more to raise user awareness?