Business Email Compromise (BEC) scams during the United Kingdom's tax season remain a threat not only to the individuals who are preparing their tax returns, but also to the businesses that employ them.
BEC scams have long been associated with tax season. As we head into the 2022 tax season, it is a good time to remind employees how to recognise these emails so they do not fall prey to the scams.
In recent years HMRC has issued alerts that cybercriminals are running executive-impersonation email scams. Even as 2021 came to an end, it warned citizens to beware of unsolicited text messages, noting that tax scams are a year-round business for thieves.
“Our advice is – never let yourself be rushed. If someone contacts you saying they are from HMRC, wanting you to urgently transfer money or give personal information, be on your guard. HMRC will never ring up threatening arrest, only criminals do that. Contacts like these should set alarm bells ringing, so take your time and check HMRC scams advice on GOV.UK,” Mike Fell, HMRC’s Head of Cyber Security Operations, said.
Executive impersonation Business Email Compromise (BEC) or Business Email Spoofing (BES) scams consist of cleverly manufactured emails designed to look legitimate – often using lookalike domain names to send the email – and have the appearance of coming from an executive. The email often asks for internal data that only a high-level executive can typically ask for and receive without additional checks and balances.
During tax season the email typically targets human resources or payroll managers and specifically requests employee files. Cybercriminals comb LinkedIn and other social media sites for the details they need to target a named individual, as in the example shown here:
The UK tax season peaks in January, when Self Assessment returns for the previous tax year are due to HMRC (the online filing deadline is 31 January). The information needed to file one is exactly what sits in an employer's year-end payroll records and in the P60 issued to each employee: annual wages, the tax deducted from pay over the year, and the employee's National Insurance number. A single reply to a spoofed executive request can hand a criminal that data for the whole workforce.
HMRC provides a valuable resource page explaining these scams and who to contact if you or your organisation has fallen victim to a disclosure of personal information: https://www.gov.uk/report-suspicious-emails-websites-phishing/report-hmrc-phishing-emails-texts-and-phone-call-scams.
Beyond Tax Scams
Though there is a heavy focus on tax scams in the first months of the UK tax season, BEC scams are used in many ways. These focused attacks attempt to compromise data or steal money by socially engineering an employee into taking an action, such as sending a wire transfer or replying to the email with data. In other cases, employees are tricked into opening an attachment that contains malware. Ransomware is often distributed via targeted, customised emails, and all it takes is one employee opening the attachment. Human resources staff are a favoured target because they routinely receive emails from external addresses with PDF attachments, so a malicious one does not look out of place.
How to Protect Your Organization from Tax Scams
- Employee education, awareness and empowerment are key to fighting social engineering tactics. Each employee must understand that they are the first line of defence and should question any out-of-the-norm communications.
- Employees (and all consumers in general) should be suspicious of pressure to take urgent action or action outside of normal business practices.
- Train team members to hit "forward" instead of "reply", and then type or select the correct "To:" address from the company directory. A spoofed message can carry a Reply-To header pointing at the attacker, so "reply" sends the data straight to the criminal even when the From address looks right.
- Pre-establish internal checks and balances (for example, dual approval) so that no single person can send a wire transfer or email sensitive information such as an entire employee roster.
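As an added example, not code from the original article or from OpSec Security, the Python script below applies the red flags described above to constructed sample messages: a lookalike sender domain (the confusable-character substitutions and edit-distance threshold are this example's own heuristics), an executive's display name on an address outside the company, and a Reply-To header that diverts a "reply" to the attacker. The corporate domain, executive names and messages are hypothetical.

```python
"""Added example (not from the original article): header triage for
executive-impersonation BEC emails.

Three red flags are checked: a lookalike sender domain, an executive's
display name on an address outside the company, and a Reply-To header that
diverts a "reply" to the attacker. The corporate domain, executive names and
sample messages are constructed for this example.
"""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organisation data.
CORPORATE_DOMAINS = {"example-payroll.co.uk"}
EXECUTIVES = {"jane smith", "tom brown"}       # display names, lower-case

# Substitutions attackers use to build lookalike domains ("rn" for "m",
# digit zero for "o", and so on); applied before comparing domains.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"))


def normalise(domain):
    """Lower-case the domain and undo common confusable substitutions."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def levenshtein(a, b):
    """Edit distance; one or two edits from a corporate domain is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True if the domain imitates a corporate domain but is not one of them."""
    if not domain or domain in CORPORATE_DOMAINS:
        return False
    d = normalise(domain)
    for corp in CORPORATE_DOMAINS:
        c = normalise(corp)
        if d == c or levenshtein(d, c) <= 2:
            return True
        if d.split(".")[0] == c.split(".")[0]:   # same name, different suffix
            return True
    return False


def triage(raw_message):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    if is_lookalike(from_domain):
        findings.append(f"lookalike sender domain: {from_domain}")
    if from_name.strip().lower() in EXECUTIVES and from_domain not in CORPORATE_DOMAINS:
        findings.append(f"executive name on external address: {from_name} <{from_addr}>")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        findings.append(f"Reply-To diverts replies to {reply_addr}")
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_LOOKALIKE = (
    "From: Jane Smith <jane.smith@examp1e-payroll.co.uk>\n"
    "Reply-To: jane.smith@freemail.example\n"
    "To: payroll@example-payroll.co.uk\n"
    "Subject: Urgent - employee files\n\n"
    "I need the year-end pay records for all staff before my 2pm call.\n"
)
SAMPLE_DISPLAY_NAME = (
    "From: Jane Smith <jane.smith.ceo@freemail.example>\n"
    "To: hr@example-payroll.co.uk\n"
    "Subject: Quick request\n\n"
    "Are you at your desk? Please send me the full employee roster.\n"
)
SAMPLE_LEGITIMATE = (
    "From: Jane Smith <jane.smith@example-payroll.co.uk>\n"
    "To: hr@example-payroll.co.uk\n"
    "Subject: Board pack\n\n"
    "Thanks for the slides.\n"
)

if __name__ == "__main__":
    for label, sample in (("lookalike", SAMPLE_LOOKALIKE),
                          ("display name", SAMPLE_DISPLAY_NAME),
                          ("legitimate", SAMPLE_LEGITIMATE)):
        print(label, "->", triage(sample) or ["no findings"])
```

The first sample trips all three checks, the second only the display-name check, and the genuine internal message none. In production these checks would sit behind the usual SPF, DKIM and DMARC verification rather than replace it; their value is catching the lookalike and free-mail cases that pass authentication because the attacker controls the sending domain.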
It is best practice for your business to take proactive steps to prevent, detect, and mitigate the damage of fraudulent phishing and malware activity against your company.
HMRC urges victims of tax scams and financial loss to report them to Action Fraud.
Additionally, tax season often brings other HMRC-related scams in the form of phone calls demanding immediate payment of a supposed tax debt. HMRC will never demand payment over the phone, call you to ask for personal information, or threaten to involve local law enforcement and have you arrested for non-payment. Do not give out any personal information when you receive a call of this nature, especially if the matter is made to sound urgent. For help, call HMRC's Income Tax helpline on 0300 200 3300 (dial 18001 first to use the Relay UK text relay service).
Author: Stefanie Wood – Director, Product Manager – Online, Brand, Fraud; OpSec Security