Good day, welcome to another bulletin from Breaking Scams…
Scam, just in…
Just when you thought it was safe to go back into your Inbox again, another HMRC scam pops up. We’ve discussed tax scams in an earlier post. However, one thing I will say is that these types of scams don’t seem to be wearing thin for the cybercriminal, even if they are for us.
Let’s look at this week’s scam post, again piggybacking on the recognisable brand of HMRC.
The email, shown below, uses the usual mix of tricks to get you to do the bidding of the scammer behind it. It combines several pieces of information to trick you into acting. Firstly, it signals that you have just signed up for Government Gateway (more on that later). Then it hits you with the old “we owe you lots of money” hook.
You are left thinking, “oh, did I sign up for a government service?” “Maybe I need to check this”. Let’s face it, we sign up for so many online accounts it can be hard to keep track. The average UK consumer has 118 online accounts and the average business user 191 passwords.
Then comes the trick in the tale – the link. The email lets you know you are owed several hundred pounds and that if you just click on the link and log in you will be refunded. Simple. Thank you, HMRC. Of course, all is not as it seems.
Identity Theft is a Big Deal
The Government Gateway mentioned in the email is a government system that allows you to create a login. This then gives you access to various local and national UK government services. The login uses a two-factor system. What does this mean? Login credentials are based on the idea of ‘factors’. You have single, two, and multiple factors. Single-factor means you use one type of credential, usually a password. Two-factor means you have a password PLUS another factor, usually something like an SMS code. Multi-factor means more than two factors; you get the idea.
If you click the phishing link in the scam email, you are taken to a spoof site. This looks an awful lot like the login screen for Government Gateway. If you enter your Government Gateway ID and password, then click submit, those credentials are sent to the scammer, who could use them to access government services in your name. However, the Government Gateway asks for a second factor when you log in. This helps prevent this type of phishing from succeeding on its own.
This is good. But still, the scammer would now have your Government Gateway ID and a password. A password which you may use in one of your many other online accounts.
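As an added illustration, not part of the original bulletin, the following Python triage check looks for the pattern described above: the HMRC / Government Gateway brand, the refund hook, and a login link whose host is not under gov.uk. The sample message and its hostnames are constructed for this example.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample modelled on the lure described in the post (not a real message).
SAMPLE_EMAIL = """\
From: "HM Revenue & Customs" <refunds@hmrc-gateway.example.test>
Subject: Your Government Gateway account - tax refund of GBP 468.22
Content-Type: text/html

<p>You have recently registered for Government Gateway with HMRC.</p>
<p>Our records show you are owed a refund of GBP 468.22.</p>
<p><a href="http://gateway-hmrc-refund.example.test/login">Log in to claim your refund</a></p>
"""

LURE_TERMS = ("government gateway", "hmrc", "refund")
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def is_gov_host(host: str) -> bool:
    """True only for hosts under the real UK government domain gov.uk."""
    host = host.lower().rstrip(".")
    return host == "gov.uk" or host.endswith(".gov.uk")


def triage_email(raw: str) -> dict:
    """Score a message for the HMRC / Government Gateway refund lure.

    Returns the lure terms found, every link host, the hosts that are not
    under gov.uk, and a flag set when brand/refund wording is combined
    with a link that leaves the government domain.
    """
    msg = message_from_string(raw)
    text = (msg["Subject"] or "") + " " + msg.get_payload()
    lowered = text.lower()
    terms = [t for t in LURE_TERMS if t in lowered]
    hosts = [urlparse(u).hostname or "" for u in HREF_RE.findall(text)]
    suspect = [h for h in hosts if not is_gov_host(h)]
    # The combination matters: brand plus refund hook plus an off-domain login link.
    flagged = len(terms) >= 2 and bool(suspect)
    return {"lure_terms": terms, "hosts": hosts, "suspect_hosts": suspect, "flagged": flagged}


if __name__ == "__main__":
    print(triage_email(SAMPLE_EMAIL))
```

A genuine message linking only to a gov.uk host produces no suspect hosts and is not flagged, so the check keys on the off-domain login link rather than on the brand name alone.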
The UK Government does have another, more robust, mechanism for access to government services, called Verify. Verify requires that you go through a process to prove you really are who you say you are. This process involves showing identity documents, like a passport, and other information such as financial data. It isn’t the easiest way to get a digital identity and less than 50% of people get verified. However, it does use two factors to log in. So, if a scammer tried to steal your verified identity, backed by two factors, it’d be much harder – not impossible, but more difficult.
Currently, identity theft is a major problem. CIFAS recorded the highest number of ID fraud cases ever in 2017. ID fraud and theft have seen an increase of 125% in the last ten years.
One Last Thing – Phishing and Vishing
The HMRC scam email is pretty obvious if you are security aware. The only way to stem the flow of these emails is to increase your awareness of how the scammers operate. However, as always, cybercriminals are chameleons of the scam. Not content with trying to scam us using phishing emails, the HMRC scammers are also using the voice version of the scam – ‘vishing’. HMRC has had over 60,000 reports of voice phishing phone calls in the last 6 months.
If you receive an email that looks like an HMRC spoof, send it to HMRC’s phishing team at firstname.lastname@example.org before deleting it.
Why not help your colleagues stay safe and send them this little reminder. Feel free to edit, copy/paste the advice below:
Yet another HMRC phishing scam
Another HMRC phishing email is doing the rounds. The email attempts to get you to log in using your Government Gateway user ID and password.
The email promises you a large refund of owed tax.
Then asks you to click a link to log in and start the refund process.
DO NOT CLICK THE LINK
Don’t forget to share this with your colleagues and friends and help them stay safe.
Let’s keep breaking scams!
Let the Defence Works help your business avoid cyber security breaches – sign up for a free security awareness training demo, today.