Last month, one of my constituents mentioned that, in the preceding weeks, he’d received a number of e-mails purporting to come from Her Majesty’s Revenue and Customs (HMRC) or the Inland Revenue.
He told me that these e-mails appeared legitimate, complete with HMRC logos and address details – quite unlike the ones from ‘Nigerian bankers’ promising 20% of the millions of dollars trapped in a bank account if only he handed over his own bank account details. Nevertheless, he smelled a rat, not least because every e-mail suggested he was entitled to a tax refund and, as a matter of policy, HMRC never send notifications about refunds or rebates by e-mail.
As a result, he forwarded each e-mail to HMRC’s phishing team at firstname.lastname@example.org Reassuringly, within 24 hours in each case, he received an e-mail from HMRC confirming that the original communication had been a phishing scam. In this regard, HMRC distinguished itself from the social media moguls to whom reports of suspicious e-mails appear to disappear into a massive cloud only to be used for more data aggregation purposes, only of financial benefit to themselves.
As a result of this discussion, I thought I’d ask some questions about the extent of attempted scams – and some must be successful, otherwise the criminals wouldn’t keep doing it – and what action was taken as a result of those reports. So, I tabled some written questions to the Chancellor of the Exchequer, some of which were answered by one of his Ministers, Mel Stride.2
First, let me outline what the answers revealed.
In just the first 8 months (April to November) of this financial year, HMRC received reports of 636,789 suspicious e-mails. 28,639 text messages, and 44,435 phone calls asking for personal information or threatening a lawsuit. Given that these numbers just reflect reports to HMRC, we can only speculate about how many scam e-mails, text messages and phone-calls were actually made.
The Minister was also able to tell me that HMRC’s dedicated Customer Protection team targeting scams has:
- reduced reported HMRC-branded phishing texts by 90% due to innovative work with network operators and the National Cyber Security Centre (NCSC).
- requested removal of over 14,000 websites during financial year 2017/2018.
- blocked half a billion phishing emails through technical controls since 2016.
- published guidance on GOV.UK on how to identify scams that has been visited 1.4 million times during financial year 2017/2018.
- responded to nearly 1 million phishing referrals in the same period.
- recovered over 130 websites infringing the HMRC brand, including those which host low value services such as call connection sites, saving customers in excess of £2.4M in charges to date.
Well, all that looks impressive and welcome, but given the scale of the continuing criminality, there is clearly much more to do. So, I wanted to know whether the number of HMRC staff being deployed to investigate phishing scams had been cut or increased.
And I was also interested in how successful HMRC has been in bringing the criminals to book. How many individuals had been identified, charged and convicted as a result of HMRC’s investigations?
And that’s when the Minister suddenly decided to go shtum.
Mr Stride wrote:
“However, the information required to answer (these questions) cannot be provided as releasing it may prejudice the prevention or detection of crime. The information could be used by individuals for criminal activity and departmental IT systems could be exposed or left vulnerable to interference or attack.
Doing so could give criminals valuable insight into HMRC’s capabilities and processes in this area and cybersecurity in general, opening up the Department and the wider public to more informed and effective scams and attacks. While publishing the information requested could, on the face of it, reassure the public that HMRC is suitably resourced to handle risks posed by cybercrime, on balance it is not in the public interest.”
Would I ask the Minister to reveal information which would compromise investigations, or prejudice the prevention or detection of crime? Of course, I wouldn’t.
Would answers to my questions ‘give criminals valuable insight…’? Almost certainly not.
If I asked the Home Secretary about the numbers of people nationally – or asked the Police and Crime Commissioner about the numbers of people locally – who had been (a) charged and (b) convicted of the offences of murder, rape, burglary, vehicle theft etc, they would not only be able to tell me, but they would tell me. Why is information about HMRC and cyber-crime any different?
I don’t think it is and I will be asking further questions.
However, I have my suspicions about why the Minister doesn’t want to answer the questions properly and transparently.
My first suspicion is that the number of individual criminals brought to book – identified, charged and convicted – is embarrassingly small in comparison to the scale of the criminal activity.
I don’t under-estimate the size of the challenge given the nature of the offences, how they are committed and the likelihood that many are based abroad. But, it is only possible to address the problem if there is an acknowledgement of the size and nature of the issues.
My second suspicion is that there has been a cut in the number of HMRC staff who are targeting scams of this sort.
In 2016, the National Audit Office reported that there were about 500 staff working with “high net worth” individuals (those with assets over £10m) on their tax affairs. It employed another 500 or so staff to investigate the tax affairs “affluent” taxpayers (those with an income over £150,000 a year, or assets over £1 million). These two groups were estimated to account for around £2bn in lost tax revenue. [Incidentally, according to a 2017 report, the Department for Work and Pensions (DWP) employed around 4,000 staff to deal with benefit fraud, then also estimated to be about £2 billion.]3
HMRC staff numbers have been consistently falling since then. It has been reported elsewhere that those cuts have included the number of staff working on tax evasion by both individuals and companies. I wouldn’t be at all surprised if the government has also cut the number of HMRC staff committed to tackling cyber-crime.
I suspect that Ministerial reluctance to answer these questions is nothing to do with the potential of answers to compromise investigations, but everything to do with avoiding embarrassment and scrutiny about the government’s ideological decisions on cutting the numbers of civil servants, whilst failing to tackle tax evasion and cyber-crime.
1 Find out more at https://www.gov.uk/government/publications/phishing-and-bogus-emails-hm-revenue-and-customs-examples/phishing-emails-and-bogus-contact-hm-revenue-and-customs-examples