Last reviewed 25 September 2020

A scam uncovered by accountancy specialists Lanop Outsourcing involves business owners receiving an email claiming to be from HM Revenue & Customs (HMRC).

At least 100 company owners have reported receiving the realistic scam email, which uses official HMRC branding and graphics to convince victims that their VAT deferral application has been rejected.

During the early stages of the pandemic, HMRC allowed payments of VAT between March and June 2020 to be deferred until 31 March 2021. Cyber criminals have used the scheme to trick business owners into revealing sensitive information, such as account names, passwords and payment details.

The phishing email begins: “Dear customers, Your request for a deferral of VAT payments due to coronavirus (Covid-19) has been rejected… Summary of reject justification: the claimant is in arrears.”

The email then attempts to convince the recipient of its legitimacy by attaching a false document with “more details and a full report on your application,” whilst also sharing a one-use password required to open the document and suggesting that the original application has also been reshared.

The victim is then redirected to a false website and prompted to enter certain sensitive information, such as email, passwords and payment details, which are then harvested by the hacker.

Steve Peake, UK Systems Engineer Manager at Barracuda Networks, said: “This phishing attack is the latest in a series of HMRC-branded email scams, designed to trick business owners into handing over confidential data. With many companies struggling due to the disruption caused by the Covid-19 outbreak, we have seen a real uptake in the number of Covid-related attacks targeting business owners and employees.”

In fact, he continued, there was a 667% spike in coronavirus-related spear-phishing attacks from February to March, during the start of the UK’s lockdown.

Mr Peake urged business owners and entrepreneurs to take email security seriously, ensuring the right systems are in place to highlight and block potentially malicious or suspicious emails before they reach the inbox.