Coronavirus cyber fraud - Stop: Challenge: Protect

23 June 2020

HMRC Employer Bulletin for June, highlights the increase in cyber fraud and warns employers to be vigilant.

Via text, email or by telephone, Criminals are taking advantage of Coronavirus and the package of measures to support people and businesses announced by the Government by offering bogus financial support or tax refunds. By doing this, they try to obtain financial and personal information or attempt to infiltrate computer systems to embezzle data or demand a ransom.

HMRC has reported that they have detected more than 95 COVID-related financial scams since March, with most of them being by text message. Internet Service Providers have been asked to take down more than 100 web pages associated with these frauds.

The advice from HMRC:

Stop: If you receive a request to make an urgent payment, change supplier bank details, or provide financial information, take a moment to stop and think.

Challenge: Verify all payments and supplier details directly with the company on a known phone number or in person first. If in any doubt, visit GOV.UK for more information on how to recognise if the communication is in fact from HMRC, how to avoid such scams and how to report them. If you think you have received an HMRC related phishing/bogus email or text message, there are also examples of genuine correspondence you can check against published on GOV.UK.

Protect: Contact your business’ bank immediately if you think you have been defrauded and report it to Action Fraud. Use the latest software, apps and operating systems on your phone, tablet, or laptop. Update these regularly or set your devices to automatically update.

Forward suspicious emails claiming to be from HMRC to phishing@hmrc.gov.uk  and texts to 60599.

With a huge number of employees now working from home, the opportunity for criminals to commit computer software service fraud (among other cybercrimes) has increased. To avoid this, employers should offer practical steps to help reduce the risk to the devices used by those remote working.

Practical steps could include;

  • Support employees to use stronger passwords and set up two factor authentications

  • Ensure employees know how to report problems, especially those related to security

  • Create ‘How do I’ guides for new software and tools

  • Use VPNs to allow users to securely access the organisation’s IT services

  • Ensure devices encrypt data while at rest.

Data theft and malware Criminals also try to gain access to business devices or networks by:

  • Sending emails with malicious attachments

  • Exploiting vulnerabilities in operating systems if they are not up to date

  • Trying to get people to click links or visit malicious websites.

Once an employee has access to a business’ owned device, they may install malware or malicious software. Consequences of this may lock the computer, or the data on it might be stolen, deleted, or encrypted until a ransom is paid.

The National Cyber Security (NCSC) website offers information on the steps businesses can take to protect device and operating systems and help educate employees.


The information in this article is accurate at the time of publication. For all the latest information, news and resources on how the COVID-19 pandemic is affecting payroll professions, visit our Coronavirus hub.