HMRC is warning taxpayers to be aware of yet another round of phishing emails and text messages – this time involving fake tax rebates. Seemingly triggered by the end of the 2017/18 tax year, criminals are sending emails or text messages claiming that the recipient is owed a tax refund – often a sizable one. The message will usually contain a link to a virtual clone of HMRC’s site where they will be asked to enter bank account or payment card details to receive payment. These details will then be used to drain the taxpayer’s account.
According to the Financial Secretary to the Treasury, Mel Stride MP, whose brief includes overseeing the Revenue, the surge in rebate related fraud is seasonal: “We know that criminals will try and use events like the end of the financial year, the self-assessment deadline, and the issuing of tax refunds to target the public and attempt to get them to reveal their personal data. It is important to be alert to the danger,” he said, adding that HMRC will inform taxpayers of overpayments by post.
Preying on the anticipation of getting hard-earned money back from the tax man is the mirror image of a scam frequently seen shortly after tax payment thresholds, when scammers will impersonate HMRC debt collection agents, demanding immediate payment of a large debt. In these cases payment is sometimes demanded in a form other than money – frequently vouchers for online stores such as iTunes or Amazon. In other cases the victim is prompted to call a number immediately (often under threat of prosecution) and then browbeaten into providing bank details over the phone.
Top tips to protect yourself and your business include:
Stop and think – Is it likely that you owe or are owed money? When you or your accountant completed your Self Assessment or company tax return was there a rebate due? In most cases for a contractor this will not be the case.
Take advice – If you receive a genuine rebate or demand, your accountant will be able to tell you what it is for. Alternatively, call HMRC using a number you look up yourself, not the one in the email or text, and ask if the message is real.
Remember that telephone numbers can easily be faked. You should never trust the number you see on your telephone display, even if it looks like an official HMRC number.
If you receive a suspicious cold call, end it immediately. Call HMRC directly to check if it was a genuine call – you can confirm the official call centre numbers on GOV.UK.
You should report these incidents on the Action Fraud website, or you can call them on 0300 123 2040 (please note this number will be charged at your normal network rate). They are open Monday to Friday 09:00 – 18:00. You can also report the full details of the scam to HMRC (date, time, phone number used and content of the call) using email email@example.com
With less than 3 weeks until Europe’s huge shake-up of data protection laws comes into force, 40% of company directors do not think their firm will be GDPR compliant before the 25th May deadline. The figures are revealed in a survey carried out by the Institute of Directors (IoD), which also shows that business leaders’ confidence in their ability to comply has actually declined as the change draws nearer.
The General Data Protection Regulation, which will apply not just to firms based in the EU but to any organisation that holds data on EU citizens, is the first major set of data protection rules of the digital era, replacing rules written in the 1990s, before the rise of the internet and social media. A requirement for “security by default and design” on systems that store personal data has meant that for many firms GDPR compliance is as much an IT overhaul as a legal compliance issue. Changes to the rules on consent and on how consumers can request access to their data mean that many companies will need to change significant areas of their operations.
Thanks to the efforts of an army of contractors and in-house teams, most firms have managed to prepare for the changes. The majority (59%) of directors report that they are “confident” or “very confident” that their organisation is in a position to comply with GDPR. The remaining 40% of firms could find themselves hit hard by failing to get to grips with the new rules, with fines for breaches of up to €20 Million, or 4% of global turnover.
Perhaps the most shocking revelation from the IoD’s results is that 17% of company directors are not even sure they understand what is required of them under the new regulations, up from 16% in August of last year. This could be because firms initially underestimated the scale of changes needed for compliance, suggests the IoD’s head of external affairs, Jamie Kerr: “GDPR has been a long time coming for businesses, but it is only proving more formidable as the deadline looms and companies drill down into the detail.”
Mr Kerr notes that it is often smaller businesses that are struggling to get up to speed with the new changes, and has called for government to focus its efforts on reaching these companies. “The Government’s immediate priority should be to ensure the ICO has the resources it needs to make a big final push to assist small businesses in the run up to this month’s deadline,” he said.
The ICO, which is responsible for enforcing data protection rules in the UK, has provided online factsheets and checklists designed to help businesses comply with the new rules. It has also said that it will reserve the power to levy huge fines for those cases where a firm has made no effort to comply. If they want to avoid falling into this group, those bosses who are unaware of the requirements will need to get to work on compliance.
Manufacturing has become the most attacked industry sector in the UK, representing almost half (46%) of all cyber-attacks in 2017 – more than double the share of attacks on manufacturing across EMEA. The figure is among the findings of the 2018 Global Threat Intelligence Report (GTIR) from NTT Security, a specialised security company. The majority of attacks on UK manufacturers came from China, representing 89% of attacks on this sector.
Technology organisations, in second place, were the target of 23 per cent of attacks in the UK, with business and professional services in third place with 10 per cent of attacks. While the finance industry was the most attacked sector worldwide with almost a quarter (23%) of all attacks, up from 14% in 2016, it was fourth in the UK with 8%, followed by government at 5%.
NTT Security analysed data from over 6.1 trillion logs and 150 million attacks for the GTIR, highlighting global and regional threat and attack trends based on log, event, attack, incident and vulnerability data from NTT Group operating companies.
“We’ve seen manufacturing becoming an increasingly attractive target to attackers in recent years and we believe this is for a number of reasons,” explains Jon Heimerl, senior manager of the Threat Intelligence Communication Team, Global Threat Intelligence Centre at NTT Security.
“As manufacturers experience the benefits of automation and the emergence of interconnected and intelligent production systems, they are realigning their operational models to take advantage of these technologies. More than 50 per cent of manufacturers have now adopted Industry 4.0 and Smart Manufacturing, the latest phase in the evolution of manufacturing technology. The lines between traditional and digital manufacturing are blurring, where high value manufacturing and advanced technologies are key for global competitiveness. As a result, they have become more attractive to attackers who see them as a prime target for the theft of IP, for the disruption of operations, and for hijacking networks to launch an attack into other organisations. There’s no one thing driving this trend, but a whole host of interconnected reasons.”
China was the number one source of attacks against all sectors in EMEA during 2017. EMEA was the only region in which attacks from U.S. sources fell behind Chinese sources, whereas in 2016 China was the ninth most prominent attack source, accounting for less than 3 per cent of all attacks against EMEA.
Attacks from Chinese sources have escalated to the point that China was a top five attack source in each of the top five most attacked industries in EMEA, and accounted for 67 per cent of all attacks against manufacturing targets across EMEA. China-based hackers have been a source of concern for some time, and in April the UK’s National Cyber Security Centre warned telecoms firms of national security risks from using equipment made by ZTE, a Chinese state-owned firm, with the agency’s technical director, Dr Ian Levy, declaring that the risks “cannot be mitigated”.
According to the GTIR, the majority of these attacks on UK manufacturers were from a known bad source (meaning the activity originated from IP addresses within China previously identified as hostile).
The 2018 Global Threat Intelligence Report (GTIR) gathers data from NTT Security monitoring, management, and incident response operations. It also includes details from NTT Security research sources including global honeypots and sandboxes in over 100 countries in environments independent from institutional infrastructures.
The full NTT Security 2018 GTIR can be downloaded here.
2017 was a year dominated by news of cyberattacks, and 2018 seems to be continuing the trend. With cybercrime estimated to cost the world economy $600 billion a year, ransomware and data theft are big business. With firewalls and anti-virus software continually improving, in many attacks the weak spot in an organisation’s security is the human factor – a lost or weak password.
To highlight the importance of this basic but critical element of cybersecurity, May 3rd has been declared as World Password Day. Passwords are critical gatekeepers to our digital identities, allowing us to access online shopping, dating, banking, social media, private work and life communications, and protect our valuable data. In recognition of World Password Day, consumer cybersecurity company BullGuard has offered some important tips on how to create strong passwords and to develop better password habits.
Many people use simple passwords, such as ‘1234567’, ‘qwerty’ and even ‘password’. However, using simple password cracking programs hackers can crack these passwords very easily. These ‘brute-force’ programs make multiple guesses at high speed until the password is fully cracked. The program may take a few minutes or years; it all depends on the complexity of the password. If the password is simple it can be cracked in seconds.
At the same time many people use the same username and password for all of their accounts. Hackers can run programs that enter stolen username and password details on tens of thousands of sites until one hits. When it does, they have access to any number of your accounts and credentials.
You may practice good security on your home computers but organisations that hold thousands and millions of customer records, including user names and passwords, are consistently hacked, exposing all the information they hold. This data is typically put up for sale in the hacker underground.
Some of the easiest-to-remember passwords aren’t words at all but collections of words that form a phrase or sentence. This could be the opening line of a novel, a poem or even a song, sometimes with some numbers and symbols thrown into the mix.
Complexity is good, but length is also critical. It used to be that an alphanumeric password only 8-10 characters in length was ideal. But these days, it’s increasingly easy for hackers to build extremely powerful and fast password cracking tools that can run through tens of millions of possible password combinations in a second. Each character you add to a password makes it an order of magnitude harder for hackers to attack via brute-force methods.
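As an added illustration of the brute-force arithmetic behind the two paragraphs above (example code written for this page, not BullGuard’s or the page’s own), the following Python estimator models an attacker’s search space for a password. It assumes the guess rate the page quotes (tens of millions per second), uses the weak passwords the page lists as its stand-in wordlist, and the sample passwords and character-class sizes are constructed.

```python
import math
import string

# Weak passwords quoted on the page; a real check would use a full breach wordlist.
COMMON_PASSWORDS = {"1234567", "qwerty", "password"}

# Guess rate assumed from the page's "tens of millions of combinations in a second".
GUESSES_PER_SECOND = 50_000_000

# Standard character classes; a password's alphabet is the union of the classes it uses.
CHARSETS = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation + " "),
}


def alphabet_size(password: str) -> int:
    """Size of the guessing alphabet an attacker must cover for this password."""
    covered = set()
    size = 0
    for chars in CHARSETS.values():
        covered |= chars
        if any(c in chars for c in password):
            size += len(chars)
    # Characters outside the standard classes (e.g. accented letters) each add one.
    size += len({c for c in password if c not in covered})
    return size


def entropy_bits(password: str) -> float:
    """Bits of search space under random brute force; 0 for a known weak password."""
    if password in COMMON_PASSWORDS or not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def worst_case_crack_seconds(password: str) -> float:
    """Seconds to exhaust the whole keyspace at GUESSES_PER_SECOND.

    A password on the wordlist falls on the first guess, so it costs one guess.
    """
    if password in COMMON_PASSWORDS:
        return 1 / GUESSES_PER_SECOND
    return alphabet_size(password) ** len(password) / GUESSES_PER_SECOND


def extra_character_factor(password: str) -> int:
    """How many times harder brute force becomes when one more character drawn
    from the same alphabet is appended (the page's 'order of magnitude' claim made exact)."""
    return alphabet_size(password)


def describe(password: str) -> dict:
    """Summary a password-policy check could report back to a user."""
    seconds = worst_case_crack_seconds(password)
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "bits": round(entropy_bits(password), 1),
        "worst_case_years": seconds / (365 * 24 * 3600),
    }


# Constructed comparison: short-but-complex versus long-but-simple.
SAMPLES = ["qwerty", "Tr0ub4d&", "It was the best of times", "itwasthebestoftimes"]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p!r:30} {describe(p)}")
```

The model assumes random guessing, so a famous opening line sits in attackers’ wordlists and its figure is an upper bound; adding the numbers and symbols the page suggests is what makes the estimate meaningful for a phrase.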
Don’t use the same password on multiple websites. If a website is sensitive, that is, it stores personal information such as name, address and card numbers, this information can be used to make purchases in your name.
Don’t use the password you use for your email account at other online sites. If an e-commerce site you are registered with gets hacked, there’s a high chance that your password, once cracked will be tried for other accounts, including your email.
Do use two factor authentication if available. Most online services now offer this and it works by adding an additional layer of security to your personal accounts. This can help reduce the risk of particularly nasty cyber-crime like identity theft, phishing scams and online fraud.
In summary you should use passwords that are lengthy and with some numbers and symbols randomly thrown in. It’s important to adopt two factor authentication, and if you use the same username and password on all accounts it can leave you extremely vulnerable.
Of course it can be difficult to remember secure passwords if they are created properly. As such, password managers are a good option. They automatically create strong passwords for you and securely store them, so each online account you have can use a robust password without you having to remember it.
Half of public sector contractors working through agencies have had their IR35 status decided without an assessment being carried out, a survey shows. The astonishing figure is revealed in a survey of employment intermediaries conducted by the Freelancer and Professional Services Association (FCSA). The majority of these automatic decisions put the contractor inside IR35, raising fears that public sector organisations could face a barrage of lawsuits from those unfairly taxed as employees.
Even where an assessment has been carried out there are concerns. Over half of assessments were based on the role, rather than the individual contractor and their working conditions – this runs against recent Tribunal rulings on IR35, which say that working practices, not contractual terms, are what count for determining status.
FCSA’s chief executive Julia Kermode, who takes part in HMRC’s IR35 Forum, says that a third of intermediaries answering the survey say that they anticipate legal challenges from public sector contractors. “More than one third of respondents (36%) believe that legal challenges will now transpire as a direct consequence of role-based decisions being made and 34% of respondents are expecting challenges to workers’ deemed employment status,” she said. “These statistics should be of real concern for the government, and our survey suggests that it is in the medical, engineering and IT sectors where such challenges may come from.”
The study also found that only 24% of engagers are using HMRC’s online CEST tool to determine status. For Ms Kermode this is the result of the Revenue’s rush job in the run-up to last April’s rule changes. “When HMRC issued its CEST tool, just weeks before the change, it was already far too late,” she explains. “Public sector employers had already begun conducting assessments in order to hire new workers and to re-assess existing contracts months before the IR35 reforms came into effect. As such, they became reliant on other commercially available assessment tools.”
Even where public sector bodies are using CEST, there is evidence that they often ignore the results. IR35 expert Dave Chaplin, CEO of ContractorCalculator, revealed last week that figures obtained by him under the Freedom of Information Act show 54% of results from the online tool have yielded an “outside” status, yet many departments, including the NHS and the MOD, have declared all contractors to be deemed employees. “It’s clear that many hirers would sooner adopt blanket ‘inside IR35’ approaches than accept the risk that accompanies placing their trust in CEST,” Mr Chaplin said.
For Ms Kermode the key message of FCSA’s survey is that the government should be cautious if it plans to extend the public sector IR35 model into private industry. “Given all the issues implementing the changes in the public sector, it would be very damaging to the economy if the government was to rush to extend the IR35 reforms into the private sector. The Chancellor has already promised that the government ‘will carefully consult, drawing on the experience of the public sector reforms’, and we will be putting pressure on policymakers to ensure that Mr Hammond’s promise is fulfilled.”
A leading tax body has called for major changes to the way that proposed new tax laws are examined by parliament. In a submission to the House of Lords Constitution Committee the Chartered Institute of Taxation (CIOT), which represents tax advisors, called for lawmakers to put legislation under greater scrutiny, saying that “Parliament has an important job to do and it could do it better.”
Recent years have seen a raft of new and increasingly complex tax rules introduced, some of which have resulted in scandals. For example, as ContractorCalculator.com reported this week, last year’s changes to IR35 have seen nearly all public sector contractors ruled inside IR35, despite results from the CEST tool showing that 54% should be outside.
John Cullinane, director of tax policy at CIOT, sees the problem as a combination of politics and parliamentary rules: “With a few honourable exceptions, MPs on the Finance Bill Public Bill Committee take little part in proceedings; such debate as there is, can often be characterised by political knock-about rather than diligent technical scrutiny,” he said. “The absence of meaningful House of Lords scrutiny of Finance Bills during their passage means that flaws in Commons scrutiny are all the more glaring.”
Unlike non-finance bills, new tax laws are not voted on by the upper house, which only holds a short debate on them for peers to comment on the legislation. The rule, which dates to 1911, is designed to make sure that the unelected chamber cannot block an elected government’s programme by choking off funding. Pointing to the number of peers with deep experience of taxation issues, Mr Cullinane wonders if a compromise could be reached. “The history of this is well-known and we would not want to return to a situation where an elected government, commanding a Commons majority, can be blocked by unelected peers from raising the money it needs when it has made a clear political choice to raise those funds,” he said. “We think that, with a bit of imagination, there is potential for a greater role for the Lords in this area, enabling peers to, in effect, suggest changes to Finance Bills, and require the Government to respond to their concerns, while ensuring that the elected House’s basic tax policy choices cannot be frustrated.”
As well as more involvement from the Lords, CIOT also want to see the Commons committees tasked with examining Finance Bills take evidence from outside experts. Pointing to cross-party support for the proposal, CIOT also suggests that Parliament should hear from those who will be affected by new legislation. “Giving the Finance Bill Public Bill Committee the opportunity to take evidence from, and question external witnesses, at the start of their proceedings could really help them get to grips with the legislation they are scrutinising,” explains Mr Cullinane.
Other suggestions in CIOT’s submission include that the committee examining the Finance Bill should liaise more closely with Parliament’s standing Select Committees, allowing them to take advantage of those committees’ regular investigations and examinations of underlying issues. They also suggest that the Office of Tax Simplification, which advises government on making tax laws simpler should publish a simplification review of the proposals alongside the committee stage.
Effective changes are unlikely, or at least a long way off: CIOT’s submission is to a procedural committee, and any recommendations it did make would need to be adopted and approved by MPs. Some change is surely necessary though, if future tax laws are not to be bogged down in the sort of confusion that has overtaken tax changes of the past two decades.
HMRC has been criticised for the time it takes to resolve queries – in research it commissioned itself. The survey of individuals, small businesses and tax professionals recorded HMRC errors, unnavigable systems, incorrect or contradictory answers, and uninformed, hostile or patronising staff.
HMRC commissioned the research after discovering – to their apparent shock – in a 2015 survey that “a proportion of customers were dissatisfied with the time taken by HMRC to resolve queries”. Those who have to deal with the Revenue, whether for Self Assessment, queries about their company’s tax or as a tax agent, will be somewhat less surprised: that “proportion” was as much as a quarter of individuals and half of tax agents, and even parliament has criticised HMRC’s customer service over unacceptable call handling times.
The latest research is based on interviews with dissatisfied HMRC customers, including individual taxpayers, small businesses and professional tax agents, who deal with HMRC for a living. The resulting report goes into detail about the issues frustrating taxpayers, and presents their suggestions for improvement.
Common problems encountered included errors from HMRC, either coming from uninformed call centre staff or from malfunctioning computer systems. Users reported that they would receive multiple copies of the same letters, contradictory letters, or letters chasing debt collection for amounts that had been paid. “They’re very polite and nice and usually apologise and say it’s an automated letter but I can’t seem to get through to them it’s happening, it’s happening every year,” one taxpayer told the researchers.
When attempting to use the Revenue’s online self-service tools, taxpayers and agents find themselves facing a navigation challenge. The report highlights a “lack of signposting, guidance and expectation setting by HMRC”, leading to frustration. Even tax agents, who use the systems on a regular basis and are used to navigating them complain that they are not given an overview of how far complaints are from being resolved, or reasons for missed deadlines.
When taxpayers gave up on the website and phoned HMRC instead, they still received substandard service. Responses to the survey show that information given is inconsistent, or inaccurate, for example being told incorrectly that an issue has been resolved, leading to a fine or penalty. At other times HMRC staff were simply unable to answer questions, or even connect callers to someone who could: “I would expect people to know the answers to questions and to offer alternatives if they can’t help and so this chap was ‘there’s nothing I can do, you’ll have to ring back’”, said one small business owner.
The tone taken by HMRC representatives on the phone also drew criticism. For individuals and small businesses, the main complaint was that HMRC staff were often rude and hostile – with the general impression being that the caller was treated with suspicion, as if deliberately trying to be non-compliant. For agents a common complaint was that HMRC representatives were patronising, talking down to callers as if they knew nothing about tax – especially annoying since tax agents will usually be calling on a dedicated line for professionals.
Building on these and other common complaints, the report lists improvements that taxpayers would like to see from HMRC. High on the list is better communication, including clearly laid out timelines for resolving queries and acknowledgment of actions taken. Users also want to see better customer service standards from the Revenue’s staff, in terms of tone and manner, the accuracy and consistency of information, and willingness to apologise when HMRC is at fault. Above all, since online self-service is the preferred option for all types of respondent, they would like to see an improvement in these systems. Suggested improvements include better signposting to appropriate services, detailed guidance, and clearly laid out timeframes for resolving queries.
The main body representing the UK’s financial services sector has become the latest group to call for stronger collaboration between government and industry to counter the growing cybersecurity threat. The latest call comes from UK Finance, which represents over 300 banks, credit providers, payment services firms and other financial organisations.
In a joint report with the consultancy KPMG, UK Finance says that although Britain’s financial services firms are spending more than ever on countering digital crime, cash on its own is not enough to protect against the rising threat. The report, Staying Ahead of Cybercrime, reveals that the financial services sector spends three times as much on IT Security as other sectors, but highlights that without closer co-operation between government, law enforcement and businesses protection measures will not keep up with the evolving threat.
The report reveals that online crime, including blackmail, fraud, and extortion has a financial impact of over $450 billion a year. For David Ferbrache, KPMG UK’s CTO, however, defeating cyberattacks is about more than just financial costs. “Cybercrime is costing UK institutions billions, but more importantly it erodes trust and leaves customers vulnerable,” he said.
The report expresses particular concern at the way that hackers seem to be learning how to navigate the inner workings of financial and government systems, and working out new ways to exploit them. It is this arms race that leads it to call for a community-based response to the issue. “Cybercrime has the potential to seriously damage our economy and broader society, so to get one step ahead, the finance industry must revise its approach to cyber security. It’s not just about straightforward governance or risk and control issues,” says Stephen Jones, CEO of UK Finance. “Strategic collaboration is needed through close integration with external agencies including the National Cyber Security Centre (NCSC), National Crime Agency and police forces, to build a robust intelligence sharing model, in order to be more effective about tackling the ever-increasing cybercrime threat”.
The report echoes a call from the NCSC, the anti-cybercrime arm of intelligence agency GCHQ, which has previously called for just such a collaboration, warning that the cyber-threat to the UK is bigger than ever. Ciaran Martin, NCSC’s chief executive repeated his warnings in an article on the organisation’s website yesterday, but also sounded a hopeful note: “we have the partnerships at home and abroad to secure our digital future and we need a national-level effort from all parts of our community to make those defences as effective as they can be,” he wrote.
The financial cost of a single DDoS attack could be as much as £35,000 ($50,000), research has found, but cash losses are less important to bosses than other factors. The research, commissioned by cybersecurity firm Corero Network Security, questioned over 300 IT professionals, who judged the cost of the website-disabling attacks in terms of lost custom, costs of mitigation and lost productivity. Two thirds of respondents also said that they typically have to fend off between 20 and 50 attempted DDoS attacks each month.
That might be a huge financial hit, but when the survey asked respondents to rank the impacts of an attack, lost cash didn’t top the list. Instead almost 80% said that damage to the firm in terms of lost customer trust and confidence was what worried them most. Other major concerns cited surrounded the cyber-threats that accompany a DDoS attack: theft of intellectual property or infection with malware. Lost revenue only rated as the fourth most damaging consequence.
The ranking of priorities will be welcome news to the UK’s National Cyber Security Centre, which issued a report last week calling for businesses to consider the reputational cost of breaches. Ashley Stephenson, Corero’s CEO says that the concerns are well founded: “Not all DDoS attacks will cost an organisation $50,000,” he says, “but having your website taken offline can damage customer trust and confidence. It will also impact the ability of sales teams to acquire new customers in increasingly competitive markets. These attacks cause lasting damage to a company’s reputation and could have negative consequences for customer loyalty, churn and corporate profits.”
The research also highlights the growing complexity of DDoS attacks, and their capacity to act as a distraction for more serious network incursions. 85% of those surveyed believe that DDoS attacks are used by attackers as a precursor or smokescreen for data breach activity. An additional 71% reported that their organisation has experienced a ransom-driven DDoS attack.
Participants also viewed DDoS attacks as more of a concern in 2018 than in the past. The clear majority cited the proliferation of unsecured Internet of Things (IoT) devices as the top reason for this concern, closely followed by the association between DDoS and data breach activity.
Mr Stephenson, whose company specialises in DDoS solutions, agrees with the responses. “A DDoS attack can often be a sign that an organisation’s data is also being targeted by cyber criminals. As demonstrated by the infamous Carphone Warehouse attack, DDoS attacks can be used as a smokescreen for non-DDoS hacking attempts on the network,” he explains. “Hackers will gladly take advantage of distracted IT teams and degraded network security defences to exploit other vulnerabilities for financial gain.”
Cryptocurrencies have been much talked about in recent months, with Bitcoin spiking in price and falling off again, but financial institutions have been interested not in the digital currencies themselves but an underlying feature – the blockchain. Now a major bank has put the technology into use for international money transfers.
Santander says that the launch of its One Pay FX service makes it the first bank to roll out a blockchain-based international payments service to retail customers in multiple countries simultaneously. The banking group’s executive chairman, Ana Botín, promises that the service will allow instant transfers in several markets by this summer. “One Pay FX uses blockchain-based technology to provide a fast, simple and secure way to transfer money internationally – offering value, transparency, and the trust and service customers expect from a bank like Santander,” she said.
Also known as a distributed ledger, blockchain has long been touted as a solution to fraud concerns and the difficulties of tracking global financial transactions. It was developed as a part of bitcoin to solve the problem of “double spending” that a purely digital currency poses – how do you stop someone spending the same token with two or more suppliers? In a distributed ledger a network of computers agrees on a publicly visible timestamped transaction history.
The fact that the ledger is worked on and checked by multiple computers controlled by different entities is central to its security. Changing an entry in the ledger is immediately apparent, since it will no longer match the versions held on other nodes. Each entry (or “block”) in the ledger is chained to the one before it and so depends on all previous transactions. This means that to change an entry, all subsequent entries would need to be changed as well. Since the network of computers must verify and agree on changes, this is virtually impossible without controlling over half of the network, which is unlikely.
The prospects of blockchain for improving security and accountability, especially within fintech, have led to the development of several distributed ledger systems. Santander’s service uses xCurrent, a technology based on distributed ledgers owned by California-based Ripple. InnoVentures, Santander’s $200 million fintech venture capital fund, invested in Ripple in 2015.
Blockchain-based solutions have been proposed for tasks ranging from tracking payments to maintaining food safety records throughout a supply chain. The technology could even be used to create contracts that automatically trigger payment once certain conditions are met. Ms Botín certainly sees a range of uses in her bank’s future: “Blockchain technology offers tremendous opportunities to improve the services we offer our customers, and the launch of Santander One Pay FX is the first of many potential applications,” she says.