Protecting personal data during HMRC phishing season

While people are wary of shopping on banking online, use of goverment services is potentially more risky due to the nature of information provided explains Brian Spector, with phishing particularly prevelant at tax-return time.

Brian Spector, CEO, MIRACL
Brian Spector, CEO, MIRACL

Some 10 million people are preparing to complete their tax returns online by the end of January. But besides the stress of setting aside enough time to complete the forms, people also face the very real danger of falling victim to identity fraud if they do not take adequate steps to keep their personal and financial information safe online.

The volume of data being disclosed on the Web makes this a peak time for fraudsters looking to trick unsuspecting citizens into giving away their private information.  Forty percent of us have already received phishing emails, which claim to be from HMRC, and identity fraud is rife – with a fifth of UK citizens, or their close friends or family, already having fallen victim.

But an alarming number of people still seem to be oblivious to the risks involved.  Of those who have filled in a tax return online, almost half (48 percent) are not at all worried about disclosing their data in this way, according to a recent survey we conducted among 1,000 UK citizens. Perhaps these people have complete trust in the security capabilities of HMRC, but looking more closely at the results, it appears that most people just don't realise which parts of their personal data are the most valuable.

When asked which online activity they viewed as the biggest security risk, most people cited online shopping as their foremost concern. Just over a third were most worried about online banking, and only 14 percent were most concerned about using government services online, such as applying for a driving licence or filling out a tax return.  To those of us who understand the value of personal data to cyber-criminals, these results seem like madness. After all, a determined hacker could potentially take out a mortgage in someone's name if they had access to all the personal and financial data involved in a tax return. Compared to the risks of online shopping, it's in a different league.

This lack of awareness could be because people are being lulled into a false sense of security by thinking that using stronger passwords will protect them. Over two-thirds of those surveyed try to protect their personal and financial data online by substituting numbers for letters, or using a combination of letters and numbers, in their passwords.  But the underlying problem is that the whole system of username and password is old technology that simply cannot secure the information that we all store and access online today.  As we have seen time and time again, the servers that hold password data within an organisation can be hacked, and all the customer data contained within it can therefore be lost.  This isn't the fault of a consumer for their choice of password, but rather testament to the limits of the technology being used to protect this data.

Barely a week seemed to go by last year without another high-profile data breach dominating the headlines.  According to the research, cases such as TalkTalk have made almost two-thirds of us feel more nervous about providing our personal and financial information online, and as a result, the majority believe that it is only a matter of time before they will be affected.  But all is not lost – database hacks, password reuse, browser attacks and social engineering can all be a thing of the past if new technologies are adopted.

Three-quarters of us would feel better about disclosing personal and financial data if the website we use had stronger security measures, such as multi-factor authentication.  This gives online services a golden opportunity to reassure their customers by making their sites more secure and removing password risk from their systems altogether.

Fortunately for the ten million people preparing their tax returns online, most can now access stronger security measures by using GOV.UK Verify, the new way for UK citizens to access government services online. The service is currently in public beta but most people can opt-in to use this service while completing their tax returns online.  For example, Experian, a certified identity assurance provider for GOV.UK Verify, offers users secure authentication with which users can log in using a five digit PIN together with a software token. This means the server stores no passwords, or authentication credentials of any kind, and therefore cannot be compromised.  By eliminating the risk of lost and stolen passwords, online services can significantly reduce the risk of identity fraud and help to restore a vital sense of trust among people accessing material on the Web.

We all own the internet, let's fix it together. 

Contributed by Brian Spector, CEO, MIRACL

Sign up to our newsletters