HMRC phishing scams – don’t be duped during COVID-19
By Tom Davison, technical director – international at Lookout
Prior to the current pandemic, receiving any correspondence from Her Majesty’s Revenue and Customs (HMRC) was met with an air of caution. I don’t know about you, but my stomach always tightens up when I receive correspondence regarding taxes.
Given that HMRC is the organisation that handles the nation’s taxes, state payments, minimum wage and national insurance, you might question why people don’t trust its messages. The reason – and it’s a well-founded one – is that there’s a high probability a message you receive from “HMRC” is a scam. In fact, during the 2018/19 tax year, there were 900,000 reported HMRC tax-related scams, with the vast majority falsely claiming the victim was owed a tax refund.
In light of the current global situation, many Brits are now bombarded with HMRC scams connected to the coronavirus. Some are asked to transfer their pension, invest in high-return investment opportunities or buy health insurance supplements, while others are targeted by messages that supposedly provide access to funding through the HMRC’s Coronavirus Job Retention Scheme. Since the lockdown began in early March, HMRC has asked the UK’s leading internet service providers to take down as many as 300 COVID-19-related scam and phishing sites. This is on top of the thousands of HMRC scams inundating businesses’ finance and HR departments.
Given how successful these scams can be, the UK Government has provided some much-needed guidance and support. But this is not enough. The additional challenge at this moment is that businesses and workers are operating remotely. In normal circumstances, finance and HR workers have the opportunity to confirm information with each other in person. They are under the protective perimeter of the office space. Now, with the added anxiety of trying to stay safe amid the pandemic, homeworking has created the perfect environment for cybercriminals to go on the attack.
There is also the added risk factor that, while staying at home, we are more likely to use smartphones and tablets to help us fulfil work duties, such as responding to emails. As data shows, individuals are three times more likely to be duped by a phishing link or scam when using a mobile device than when using a desktop or laptop computer. This is one of the key reasons criminals use SMS text messages as a primary attack method when attempting to dupe unsuspecting victims with fake HMRC tax refund claims. Due to the smaller screen size and simplified interface, malicious hyperlinks are much harder to spot on a mobile device. We also tend to trust our mobile devices more, meaning untrained eyes can easily miss the tell-tale signs of a potential scam.
Furthermore, in the hurry to mobilise remote workforces, enterprises are more lenient about employees using personal devices for work. Storing and processing personal and corporate data on the same device in this way presents serious and increased security risks, especially when you consider the number of applications installed on any given device. Messaging (e.g., WhatsApp) and social media (e.g., Facebook) apps are where phishing scams are likely to take place and prove effective. With more personal mobile devices accessing corporate information, there is a greater likelihood that an employee will be phished and their company’s network compromised. This has been compounded by the emergence of mobile-first SMS-based phishing attacks, which are known to be undetectable by common email anti-phishing defences.
During a time of mass misinformation, when clarity is greatly needed, individuals must remain vigilant and understand how they can protect themselves. In the case of HMRC, they should know that the agency would never contact taxpayers about refunds via telephone, SMS or email, and that it never involves third parties in the process.
Building user awareness is very important. Alerting individuals to the potential dangers of opening unknown links or attachments can make the difference between someone falling for a scam or avoiding it. Businesses worried about mobile device threats need to have effective phishing and content protection defences deployed. Organisations must have a comprehensive mobile security solution that can provide instant visibility into threats.