Phishing scams have exploded into one of the most prevalent threats facing both individuals and businesses, with cyber criminals growing increasingly sophisticated. Alongside conventional phishing via email, cyber criminals are also conducting smishing (phishing carried out via SMS). The latest Cyber Security Breaches Survey from the UK government reveals a chilling reality: 85% of UK businesses experienced a phishing attack last year.
These scams are no longer the clumsy attempts they used to be. They’re smart, timely, well-researched, and often convincing, all thanks to emerging technologies like artificial intelligence. British businesses have already warned that they are seeing an increase in highly personalised phishing attempts, thanks to AI analysis of online profiles.
These tactics, which often involve impersonating trusted institutions such as banks, government agencies, and retailers, are designed to trick individuals into divulging personal information, passwords, or even making payments under false pretences. Now, new data gathered by cyber security experts at Bridewell reveals the extent of impersonations of HM Revenue & Customs (HMRC).
It’s no wonder that it’s a popular technique for cybercriminals. A recent Cyber Threat Intelligence Report found that phishing remains a highly lucrative threat, with multiple new phishing kits and phishing techniques developed this year. Given that it costs cyber criminals close to nothing to phish via email or SMS, it remains highly profitable as only a tiny proportion of phishing targets need to fall victim.
These schemes operate across various platforms, including text messages, social media, and even voice calls, making it increasingly difficult to distinguish legitimate communication from fraudulent activity.
The rise of phishing and smishing scams has reached alarming levels, with HMRC receiving a staggering 296,000 reports since 2023. Over 283,000 of these reports were for emails impersonating the revenue service. While SMS-based impersonation attempts are less prolific, there have still been 13,250 reports to HMRC in the last two years.
This latest data reveals the growing scale of the problem as fraudsters attempt to exploit digital platforms to target taxpayers.
HMRC’s figures offer an eye-opening look at the impact of these scams on the UK public. The data reveals that in the first six months of 2025 alone, HMRC has received 38,012 reports of phishing attempts and 3,190 reports of smishing.
However, the number of phishing reports to HMRC has fallen. In 2023, there were 148,909 phishing reports to HMRC, which decreased by 35% to 96,252 in 2024. In contrast, the number of smishing reports to HMRC has increased by 46% from 4,086 to 5,974.
“Social engineering is an often-overlooked security threat that is used to manipulate people. This manipulation can encompass a broad range of objectives whereby a victim is tricked into doing something that helps the attacker. Often this is encouraging them to click malicious links, but the goal could also be to install malware or trigger fraudulent transactions,” said Luiz Simpson, Head of Red Team, Bridewell. “Now, thanks to AI, cyber criminals are becoming increasingly convincing by creating fake websites that mimic legitimate services or sending SMS alerts that look like they’re from trusted sources.
“AI can analyse the way real companies communicate and then replicate it in phishing emails or text messages. This is why vigilance is critical, and we can no longer rely on the standard red flags, like poor grammar or spelling, to tell us something is off.
“The advice is clear. Firstly, you should pause and think when you receive a suspicious email. You should never click on suspicious links or open attachments in emails or SMS messages, and you should always verify the authenticity of any communication by visiting HMRC’s official website directly.”