Business owners are being targeted with a new email phishing scam purporting to be from HM Revenue & Customs (HMRC).

The scam, which was uncovered by accountancy outsourcing specialists Lanop Outsourcing, uses official HMRC branding and graphics to convince victims that their VAT deferral application has been rejected.

At least 100 company owners have reported receiving the realistic scam email through Lanop Outsourcing clients.

To aid struggling businesses during Covid-19, HMRC allowed payments of VAT between March 2020 and June 2020 to be deferred until 31st March 2021.

Cyber criminals have used the scheme to dupe business owners into revealing sensitive information, such as account names, passwords and payment details.

The victim is then redirected to a false website

The phishing email begins: “Dear customers, Your request for a deferral of VAT payments due to coronavirus (COVID-19) has been rejected… Summary of reject justification: ‘the claimant is in arrears.’”

The email then attempts to convince the recipient of its legitimacy by attaching a false document with “more details and a full report on your application,” whilst also sharing a one-use password required to open the document and suggesting that the original application has also been reshared.

The victim is then redirected to a false website and prompted to enter certain sensitive information, such as email, passwords and payment details, which is then harvested by the hacker.

The attacks have a “veneer of legitimacy”

Shahzad Ali, Managing Director, Lanop Outsourcing, comments:

“This scam is one of the most deceitful and realistic phishing attacks we’ve seen since the start of the Covid-19 pandemic, and its veneer of legitimacy is just strong enough that concerned business owners could easily fall into the trap of handing over personal information.”

Socially engineered service impersonation attacks using trusted brands are a growing practice and can be a very successful method of attack, according to cyber security expert Steve Peake, UK Systems Engineer Manager at Barracuda.

“Attackers frequently rely on this form of attack as it delivers an instant level of trust with the email recipient, with many organisations lacking the layered security approach that modern day email security requires,” Peake said.