Lax cyber security at HM Revenue and Customs is costing taxpayers hundreds of millions of pounds a year in sophisticated scams that are largely perpetrated by foreign criminals, The Independent has learnt.
The scams take different forms but have the same result: tricking officials into sending legitimate tax rebate cheques to a false address. The cheques are then picked up by a series of British-based mules who cash them on behalf of their handlers abroad.
The problem has become so severe that HMRC has been forced to set up a new cyber defence team to track down the thieves. One insider said that HMRC has estimated the losses to be as much as £600m a year.
Under the Government's new strategy for tackling cyber crime and security GCHQ will be used to help the private sector combat the problem and a new e-crime unit will be set up at the National Crime Agency.
The Government has committed £650m to tackling cyber crime and foreign threats. E-crime is estimated to cost the economy £27bn. But critics say losses like those at HMRC reveal how little is spent targeting cyber-crime. Peter Warren, chairman of the Cyber Security Research Institute, which uncovered the scams, said: "There is a need for a radical overhaul of the way HMRC confirms someone's identity to avoid not only government embarrassment but also a loss to the taxpayer – money which could be spent tackling cyber-crime."
Most of the HMRC scams work by infecting a person's computer with malicious software, or by tricking them into navigating towards a fake website that persuades users to input their personal details. The software either collects log-in details or adds new data input fields to the official HMRC website when a user visits it.
When they find members of the public who are entitled to a tax rebate the criminals change the name and address that the cheque should be sent to. The money is then collected and quickly laundered.
Cyber security experts say both the number and sophistication of attacks aimed at HMRC have increased dramatically over the past three years.
A spokesperson for the HMRC said: "We take the security of our customers' data extremely seriously and we do not discuss the detail of our security defences," he said. "We monitor repayment transactions and continue to address any fraudulent repayments."