Business owners are being targeted with a new email phishing scam purporting to be from HM Revenue & Customs (HMRC).

The scam, which was uncovered by accountancy outsourcing specialists Lanop Outsourcing, uses official HMRC branding and graphics to convince victims that their VAT deferral application has been rejected.

At least 100 company owners have reported receiving the realistic scam email through Lanop Outsourcing clients.

To aid struggling businesses during Covid-19, HMRC allowed payments of VAT between March 2020 and June 2020 to be deferred until 31st March 2021.

Cyber criminals have used the scheme to dupe business owners into revealing sensitive information, such as account names, passwords and payment details.

The victim is then redirected to a false website

The phishing email begins: “Dear customers, Your request for a deferral of VAT payments due to coronavirus (COVID-19) has been rejected… Summary of reject justification: ‘the claimant is in arrears.’”

The email then attempts to convince the recipient of its legitimacy by attaching a false document with “more details and a full report on your application,” whilst also sharing a one-use password required to open the document and suggesting that the original application has also been reshared.

The victim is then redirected to a false website and prompted to enter certain sensitive information, such as email, passwords and payment details, which are then harvested by the hacker.

The attacks have a “veneer of legitimacy”

Shahzad Ali, Managing Director, Lanop Outsourcing, comments:

“This scam is one of the most deceitful and realistic phishing attacks we’ve seen since the start of the Covid-19 pandemic, and its veneer of legitimacy is just strong enough that concerned business owners could easily fall into the trap of handing over personal information.”

Socially engineered service impersonation attacks using trusted brands are a growing practice and can be a very successful method of attack, according to cyber security expert Steve Peake, UK Systems Engineer Manager at Barracuda.

“Attackers frequently rely on this form of attack as it delivers an instant level of trust with the email recipient, with many organisations lacking the layered security approach that modern day email security requires,” Peake said.