HMRC has issued a warning to those completing Self Assessment tax returns for 31 January not to be caught out by SMS messages and email scams purporting to be from HMRC.
An upturn in scams using HMRC’s name has meant that in the last 12 months, HMRC has responded to more than 846,000 referrals of suspicious HMRC contacts from the public, and reported over 15,500 malicious web pages to internet service providers to be taken down. HMRC also reports that around 500,000 of the referrals from the public offered bogus tax rebates.
Personal Information and Bank Details Sought
Bogus HMRC scams, like all other scams, are designed as an easy way to get money, personal information, and bank details. With the current bogus HMRC scams, the promise of a refund is the carrot being used to tempt victims to part with personal details and the threat/stick of a fictitious tax bill that needs to be paid is being used to extract fast money.
HMRC warns that criminals are also using the personal information gathered in the scam to access bank details or to sell on to other criminals, thereby increasing the risk of being targeted in more scams and attacks.
What Do The Scams Look Like?
Examples of recent HMRC scam texts and emails show that customers are informed that they have a pending tax refund/rebate or must review a document relating to an application for a rebate. In both cases, customers are invited to click on a link. This link directs the customer to a phishing website made to look like the UK government website. Examples of these and also of recent COVID-related scams are shown on the real UK government website here.
HMRC is keen to point out that it NEVER:
– Sends notifications by email about tax rebates or refunds.
– Asks for personal or financial information in text messages.
– Uses ‘WhatsApp’ to contact customers about a tax refund. This is in response to a scam using WhatsApp recently.
– Uses social media to offer a tax rebate or to request personal or financial information. This is in response to a scam using Twitter recently.
Other HMRC-Focused Scams
HMRC has also highlighted another popular scam whereby a recorded call tells the recipient that HMRC is filing a lawsuit against them and that they need to press a number on the keypad to speak to a caseworker to make a payment.
What To Do
HMRC advises that recipients of these texts, emails, and calls should not reply, not click on any links, and not give any personal or financial details. Instead, recipients should send any phishing text messages to 60599 (network charges apply), and report full details of the scam emails, texts, WhatsApp and social media messages by email to firstname.lastname@example.org. All scam messages should also be deleted from the recipient’s phone or email account as soon as possible.
Those who have fallen victim to this or other scams where there has been a financial loss should contact Action Fraud.
What Does This Mean For Your Business?
Scammers are always ready to exploit fears and desires and this scam plays on both. Essentially though, this is a phishing scam and phishing emails tend to have elements that give them away if the recipient can resist an immediate emotional response. In the case of this scam, and aside from the knowledge that HMRC does not communicate with customers in this way, the fact that it is unexpected, asks for money/personal information/bank details and is threatening should set alarm bells ringing. Other ways that phishing emails can be spotted include generic greetings (scammers are less likely to personalise), grammar/spelling mistakes, heavy emotional appeals that urge you to act immediately, and anomalies in the email address that a spam email has come from, or in the domain of the link to click on. Businesses should ensure that staff are made aware of the risk of phishing emails, how to spot them and what to do/what not to do (not clicking on links in emails). This is particularly important at a time when many staff are working from home and businesses should ensure that staff are kept firmly in the loop about security policy, security best practice, and current threats.