Hackers continue to exploit business vulnerabilities in the wake of Coronavirus as business owners have been targeted by a new phishing scam that attempts to gain sensitive information, including payment details, by impersonating Her Majesty’s Revenue and Customs (HMRC).

What to watch out for

The scam uses official HMRC branding and graphics to convince victims that their VAT deferral application has been rejected. This follows an initiative by the UK government to help struggling companies during the COVID-19 lockdown to allow businesses to defer VAT payments between March and June 2020 until March 31, 2021.

A false document is also attached which the email claims there are “more details and a full report on your application.” It also shares a one-use password to open the document and suggests the original application has been reshared.

The victim is then redirected to a false website and asked to enter sensitive information such as email, passwords and payment details, which are then harvested by the hacker. At least 100 business owners have so far reported receiving this scam.

This is the latest in a number of phishing scams associated with financial relief measures introduced by the UK government during the COVID-19 pandemic. Others have included an attempt to steal personal and financial details of self-employed workers using the Self-Employment Income Support Scheme (SEISS) and the harvesting of data of UK workers who are expecting COVID-19 tax relief grants.

What action should you take?

If you receive a phishing email, you should follow these steps:

  • Report the email to National Cyber Security Centre (NCSC) by emailing report@phishing.gov.uk
  • Ensure you are using the latest software, apps and operating systems on your phones, tablets and laptops