HMRC Phishing Season Opens in January – Consumers Overrun with Scams

By   ISBuzz Team
Writer , Information Security Buzz | Jan 06, 2016 07:00 pm PST

New research highlights attitudes to personal security on the Internet in the lead-up to online tax return self-assessment deadline at end of January

As ten million people prepare to complete their tax returns online in January, British citizens are being bombarded with scams. Forty per cent have received phishing emails which appeared to be from HMRC, and identity fraud is rife – with many people still unaware of the potential risks involved, according to new research from digital authentication provider, MIRACL.

The research, which surveyed the attitudes of 1,000 UK consumers about their personal security online, revealed that a fifth of UK consumers, or their close friends or family, have been the victim of data theft or identity fraud.

But despite these clear risks, there is still a lack of awareness among many in the UK who seem to have no idea how dangerous this kind of data theft can be. Of those who have filled in a tax return online, almost half (48%) are not at all worried about the potential risks of losing their personal and financial information.

In addition, when asked which online activity made them most nervous about their personal and financial information being stolen, the majority were most worried about shopping online (51%), with just over a third most concerned about online banking (36%), and only 14% most concerned about using online government services, such as applying for a driving licence or filling in a tax return.

Brian Spector, CEO at MIRACL, explains: “Consumers are surprisingly laid back about the potential risks of filling in their tax returns online.  It’s true that you could lose money if your financial details were stolen while online shopping, but the volume of data involved in filling out a tax return online makes this a far greater risk. With all the financial data involved in a tax return, a criminal could potentially take out a mortgage in your name. Data theft and identity fraud is a multi-billion dollar business on the dark web, and so consumers must be vigilant.”

This lack of awareness could be because people are being lulled into a false sense of security, by thinking that using stronger passwords will protect them. Over two-thirds of those surveyed said that they create stronger passwords in order to keep their personal and financial data safe online, such as using a combination of letters and numbers, or substituting numbers for letters.

High profile data breaches such as the TalkTalk hack have made most people (61%) feel more nervous about providing their personal and financial information online, and as a result, the majority (51%) think it is only a matter of time before they are affected.

The research found that most people would welcome the chance to use tighter security to protect themselves when using online services. Three-quarters (77%) said that they would feel better about providing their personal and financial details online if the website had stronger security procedures, such as multi-factor authentication.

Spector continues, “High profile data breaches such as TalkTalk understandably make people nervous about their personal security online. But we don’t have to be part of the weekly announcements about mass data breaches. The underlying issue is that the username and password system is old technology that simply cannot secure the deep information and private services that we all store and access online today. By contrast, new, secure methods of two-factor authentication can eliminate password risk and at the same time be user-friendly.”

In December, MIRACL announced that Experian [LSE: EXPN] had selected its identity technology to provide highly secure authentication to millions of UK citizens using GOV.UK Verify, the new online portal for UK citizens to use government services online, such as renewing your driving licence or filling out your tax return.  This involves a user-selected 5 digit PIN (something they know) alongside a software token which automatically installs in their mobile or desktop browser (something they have) when registering.  Both factors must be present in order to create a key that drives a “zero knowledge proof authentication protocol” against MIRACL’s M-Pin Server. The server stores no passwords, PINs or authentication credentials of any kind, and therefore cannot be compromised.

Spector continues, “Database hacks, password reuse, browser attacks and social engineering can all be a thing of the past in the authentication space. Customers are rightly demanding to be protected when they submit their valuable personal information on the web, and online services need to respond appropriately by contributing to the restoration of trust on the internet and removing the password from their systems altogether.”

[su_box title=”About MIRACL” style=”noise” box_color=”#336588″]MiraclMultiprecision Integer and Rational Arithmetic C Library – the MIRACL Crypto SDK – is a C software library that is widely regarded by developers as the gold standard open source SDK for elliptic curve cryptography (ECC).[/su_box]

[su_box title=”About GOV.UK Verify” style=”noise” box_color=”#336588″]GOV.UKOne of the UK government’s flagship digital projects, GOV.UK Verify is being built and developed by the Government Digital Service (GDS) and will move from beta to live in Spring 2016. Using the service, individuals are able to select from a range of certified companies who will associate a verified digital profile to their real world identity, authenticating them on behalf of GOV.UK.[/su_box]