A new phishing scam, designed to steal personal and financial details from self-employed workers using the Self-Employment Income Support Scheme (SEISS), has been uncovered by litigation company Griffin Law.

Victims are informed via SMS that they may be eligible for a tax refund and are redirected to a website that looks like the official HMRC site.

From there, victims are asked to provide personal data including email address and HMRC login details. A fake refund amount then appears before victims are redirected to another page that asks for financial information such as account number, security code and expiry date, to claim the bogus amount.

HMRC will never send notifications of a tax rebate or ask that personal or payment information be disclosed by email or text message

You should forward any suspicious emails and details of suspicious phone calls purporting to be from HMRC to phishing@hmrc.gov.uk and any suspicious text messages to 60599.

Any suspicious email can be forwarded to the Suspicious Email Reporting Service (SERS) and text messages should be forwarded to 7726.

The NCSC has further information on how self-employed workers, and others, can protect themselves against these scams of this type.


IT services firm hit by Maze ransomware attack

Earlier this week IT services provider Conduent confirmed that it had been affected by a ransomware attack.

The company, which deliver services and solutions on behalf of business and governments across the world, said that its European operations were hit by the attack overnight on 29 May.

Cyber attackers took advantage of a vulnerability in Citrix VPN appliances in the early hours of the morning, but in a statement Conduent confirmed that the incident resulted in only “partial interruption” and that most of its systems were back online by 10am that morning.

Guidance on how to effectively detect, respond to and resolve cyber incidents is available on the NCSC website.

Further guidance on dealing with the effects of ransomware can be found in the NCSC’s Mitigating malware and ransomware attacks guidance.


APTs continue to exploit vulnerabilities in several VPN products used worldwide

The NCSC is continuing investigations into the exploitation of known vulnerabilities affecting VPN products from Pulse Secure, Fortinet and Palo Alto.

APTs are targeting both UK and international organisations, as published in our alert on VPN vulnerabilities back in October 2019. Affected sectors include government, military, academic, business and healthcare – industry data indicates that hundreds of UK hosts may be vulnerable.

We know that vulnerabilities exist in several “SSL VPN” products, which allow an attacker to retrieve arbitrary files, including those containing login credentials.

An attacker can use these stolen credentials to connect to the VPN and change configuration settings, or connect to further internal infrastructure. Further information about preventing these types of attack can be found in our guidance on preventing lateral movement.

Unauthorised connection to a VPN could also provide the attacker with the privileges needed to run secondary exploits aimed at gaining higher privileges on the VPN server.

Any current activity related to these threats should be reported so the NCSC can offer help and guidance.

The NCSC are interested in receiving indicators of compromise and threat intelligence, even if the activity has already been remediated.