BLMS Media | Breaking News, Politics, Markets & World Updates
HMRC Loses £47 Million in Phishing Attack on 100,000 Taxpayer Accounts

By BLMS MEDIA | June 6, 2025

A cyber security professional said that generally phishing is classed as a “social engineering attack,” because it attacks a person rather than a system.

HMRC has lost £47 million after a phishing scam hit 100,000 pay-as-you-earn (PAYE) tax accounts in an organised crime incident which began last year.

The UK’s tax authority sought to assure taxpayers in their guidance on Wednesday that this was an attempt to take money from HMRC, not from individuals.

Following the exposure of the breach, HMRC said it has taken action to protect those accounts by locking them down, deleting login credentials to prevent further unauthorised access, and removing any incorrect information from tax records.

The authority said that the attack affected 0.22 percent of the PAYE population.

An HMRC spokesperson told The Epoch Times on Thursday: “We’ve acted to protect customers after identifying attempts to access a very small minority of tax accounts, and we’re working with other law enforcement agencies both in the UK and overseas to bring those responsible to justice.

“This was not a cyberattack—it involved criminals using personal information from phishing activity or data obtained elsewhere to try to claim money from HMRC.

“We’re writing to those customers affected to reassure them we’ve secured their accounts and that they haven’t lost any money.”

HMRC added that, while it is not in a position to give further details for operational reasons, it confirmed that arrests have been made.

Information ‘Not Taken From HMRC’

“Phishing” is when cyber criminals use scam emails, text messages, or phone calls which appear to be from trusted organisations to trick victims into taking a specific action, such as clicking on a link taking them to a website containing malware, or handing over personal information.

According to the latest figures from the National Cyber Security Council (NCSC), the number of phishing scams reported stands at more than 41 million, which has resulted in 217,000 scams being removed across nearly 400,000 URLs.

The revelations were made public on Wednesday via the HMRC website, at the same time senior figures from the tax agency were giving evidence to the Treasury Committee.

John Paul Marks, the chief executive of HMRC, told MPs that criminals had used personal data they had obtained through phishing to masquerade as legitimate customers “to create PAYE accounts to pay themselves a repayment and/or access an existing account.”

Angela MacDonald, HMRC’s deputy chief executive and second permanent secretary, further clarified that information had been taken from other environments and that “it had not been taken from HMRC.”

File photo of a woman using a laptop as she holds a bank card, dated March 30, 2020. (Tim Goode/PA Wire)

MacDonald told the committee: “Lots of people who would just ‘Pay As You Earn’ haven’t got an online account because they have no reason to go in to one. So for many instances, the customers were not realising that somebody else was in their account.”

However, she added that there were instances of live accounts “where the criminals had managed to get their details and were logging in as the customer.”

Asked to confirm how much money was taken, MacDonald replied: “They have managed to extract free payments to the tune of £47 million. That is a lot of money, and it’s very unacceptable. We have in the last tax year protected £1.9 billion worth of money which sought to be taken from us by attacks.”

‘Social Engineering Attack’

HMRC officials reiterated during the committee meeting that what occurred was not a cyberattack, with MacDonald saying: “We have not been hacked. We have not had data extracted from us.”

Penetration tester Shaun Webber, who simulates cyberattacks to identify vulnerabilities in systems, told The Epoch Times that generally phishing is classed as a “social engineering attack,” because it relies on attacking the person rather than a system.

“However, there is overlap, because during phishing, someone might be delivering a payload which would exploit a particular vulnerability,” he said.

“It’s definitely one of the most effective ways of getting that initial access,” the cybersecurity professional said, and went on to explain how phishing might be used to penetrate a business.

“Companies spend a lot of time and effort securing their external, internet-facing presence, so there’s often no real way of gaining access to the network from an external perspective” because it is “segmented away from the internal network.”

He said that when a criminal sends an employee a phishing email, that employee is already in the internal network, giving the criminal an effective way of getting an initial foothold into a company’s internal network.

Webber said: “This is why we have things like zero trust architecture, where even if someone does get into the internal network, it’s not just wide open. You still have to reauthenticate for each service you access.”

“For example, if you’re suddenly logging in from a different IP address than what you normally log in from, the account would automatically be asked for additional authentication, or be blocked,” the cybersecurity professional said.
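
The check Webber describes, a login from an unfamiliar address triggering additional authentication or a block, sketched as an added example (not code from the article, HMRC, or any named system). The `Account` fields, the network prefix lengths, the three-failure lock threshold and the sample events are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ALLOW, STEP_UP, BLOCK = "allow", "step_up", "block"

@dataclass
class Account:
    # Networks this account has logged in from after passing strong authentication.
    known_networks: set = field(default_factory=set)
    failed_step_ups: int = 0

def prefix(ip):
    """Coarsen an address to /24 (IPv4) or /48 (IPv6) so a DHCP change is not 'new'."""
    bits = 24 if ip_address(ip).version == 4 else 48
    return ip_network(f"{ip}/{bits}", strict=False)

def decide(account, ip, max_failed=3):
    """Return the action for a login attempt whose password was already correct."""
    if account.failed_step_ups >= max_failed:
        return BLOCK        # locked pending out-of-band recovery
    if prefix(ip) in account.known_networks:
        return ALLOW
    return STEP_UP          # unfamiliar network, or no login history at all

def record_step_up(account, ip, passed):
    if passed:
        account.known_networks.add(prefix(ip))
        account.failed_step_ups = 0
    else:
        account.failed_step_ups += 1

def replay(events):
    """events: (account_id, source_ip, step_up_passed) tuples, in time order."""
    accounts, decisions = {}, []
    for acct_id, ip, passed in events:
        acct = accounts.setdefault(acct_id, Account())
        action = decide(acct, ip)
        if action == STEP_UP:
            record_step_up(acct, ip, bool(passed))
        decisions.append(action)
    return decisions

# Constructed sample using documentation address ranges (RFC 5737).
SAMPLE = [
    ("acct-1", "192.0.2.10", True),    # first ever login: no baseline, so step-up
    ("acct-1", "192.0.2.77", None),    # same /24 as before
    ("acct-1", "203.0.113.5", False),  # new network, step-up failed (1)
    ("acct-1", "203.0.113.5", False),  # (2)
    ("acct-1", "203.0.113.5", False),  # (3) reaches the lock threshold
    ("acct-1", "192.0.2.10", None),    # locked, even from the known network
]
```

An account with no login history has an empty baseline, so its first login always takes the step-up path rather than being trusted on credentials alone.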

UK’s Cybersecurity Resilience

The phishing attack on HMRC comes at a time of broader scrutiny over the cybersecurity resilience of British institutions and businesses.

In May, a report from the Public Accounts Committee said that government IT defences have not kept up to speed with the rapidly evolving cyber threats posed by criminals and hostile state actors, potentially compromising its ability to recover effectively from them.

That same month, following several high-profile attacks on businesses including Marks & Spencer, the head of the NCSC also warned retailers that they were not doing enough to protect themselves from cyber threats.


