In some ways, HMRC has had a “good” pandemic. While the government’s refusal to provide financial assistance to Limited companies was, in our view, disgraceful, HMRC did step up to the plate when it came to getting their tech right for the other schemes the government did provide, to help the self-employed via the Self-Employed Income Support Scheme (SEISS) and to support companies and their employees more generally via the Coronavirus Job Retention Scheme, aka furlough. Given that the public sector has a somewhat chequered record of delivering IT projects quickly and successfully, we have to acknowledge that HMRC has done a sterling job here. And the good news is that they are not standing still…
We have written several times on the subject of cyber-crime and how criminals pose as HMRC to gain access to people’s money. It has been a problem for a long time and it got worse during the pandemic. Fraudsters devised new methods of targeting the self-employed last year, with a view to getting at the money sole traders received from the government via the SEISS. They also sought to exploit the Job Retention Scheme, using phishing attacks that looked highly plausible, seemingly coming from a bona-fide HMRC email address. As an aside, one of the quickest ways to check if a seemingly honest email is in fact from HMRC is to gently click on the sender’s email address. If it’s dodgy, the sender’s email address will invariably (but not always!) make this obvious. For example, a recent article noted that a business had become suspicious after noticing the email it had received was from the address firstname.lastname@example.org, despite its display name being “HM Revenue & Customs.” As a general rule, unless you are absolutely certain, do not open any links or anything you are unsure about. By all means, contact us and we’ll investigate and help you.
In an effort to reduce the risk to businesses and individuals, HMRC has been training its staff to become hackers (what is referred to in the IT world as “ethical hacking” or “white hat hacking”). A dozen of their employees went on a training course to become “Certified in the Art of Hacking”, at a cost of £15,978 to the British taxpayer. Another 11 members of staff went on a six-day boot camp to become “Certified Information Systems Security Professionals”, while two trained to become certified in “Ethical Hacking”, and nine enrolled in an “Introduction to Cyber Security” course. A further seven went on a residential course to become a “Certified Cloud Security Professional,” at a cost to taxpayers of £34,103. In the great scheme of things, this is a pittance and money well spent. Moreover, all HMRC staff – that’s some 9,500 people – had to complete a compulsory course on phishing attacks, which was free of charge.
HMRC phishing attacks almost doubled last year. Bear in mind these are only the reported ones, so they are probably only the tip of a very large iceberg. To put some numbers against this, there were more than a million reported attacks in the last tax year, up from fewer than 600,000 in 2019-20, and the UK tax authority is in the top 200 most phished organisations in the world.
Welcome as this is, we can’t stress enough that individual vigilance is the first line of defence against the cyber-criminals. As I said above, if you are unsure of anything, don’t open it!
Vivian Linstrom, M&S Accountancy and Taxation