Have you recently received an email or message to tell you that you’re due a tax refund? You may have been pleasantly surprised to see that HMRC seems keen to return any overpayments without you having to do the chasing. But hold on – something doesn’t smell quite right.
As you will hopefully have realised quickly, these emails, text messages or automated phone messages are not coming from HM Revenue and Customs. They’re fraudulent attempts by scammers to get hold of your bank details using increasingly sophisticated phishing scams.
Typically, it goes like this: Soon after the 31st January Self-Assessment tax deadline has passed, there’s a message to say that you’re eligible to receive a tax refund. All you have to do is to click through to another page and provide personal and financial information for your refund to be processed. Unfortunately, what you’re actually doing is falling for one of the oldest scams in the book, giving the cybercriminals access to sensitive information that they can use to defraud you.
How do you spot a scam email?
If you scrutinise the email purportedly sent by ‘HMRC’, as you always should, you will most likely find small but important clues that point towards fraud. Look out for unprofessional typos or unusual characters in the text, grammatical mistakes, tiny formatting errors, insecure sites (no padlock in the browser address bar) and unconvincing email addresses and spoof website addresses such as email@example.com or firstname.lastname@example.org.
HMRC are aware of these scams going on and are doing their best to warn customers, but these tiny irregularities are so easy to overlook in the excitement and rush to claim an unexpected windfall that many people inadvertently fall prey to the cyberfraudsters.
Other red flag signs to indicate that the supposed email from HMRC may not be legitimate include:
- The sender’s address doesn’t tally with the HMRC website address. It may be sent from a totally different address or try to mimic the official email address.
- The email doesn’t address you by name but instead uses a generic greeting such as ‘Dear Customer’.
- The email contains excessive reassurances that the message is genuine. Anything that states ‘this is not a fake email’ should ring alarm bells.
- You weren’t actually expecting to receive an email from HMRC offering a tax rebate or threatening legal action.
- There’s a request for personal information such as your user name and password, or bank details, and often much more than that (mother’s maiden name, driving licence number etc).
- There’s a compelling sense of urgency or deadline designed to get you to act immediately in order to receive the promised rebate or avoid account closure, prosecution or similar.
- The body of the email is contained within an image, with an embedded hyperlink that takes you straight to a bogus site.
It cannot be said often enough that HMRC will never ask any of their customers to disclose personal or financial information by email or text message. Any communication regarding tax rebates or impending legal action will always be sent by post.
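The red flags listed above can also be checked mechanically, for example in a mail filter or a reporting mailbox. The following Python is an added example, not part of the original article or any HMRC tool; the official domain `hmrc.gov.uk`, the keyword patterns and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the official domain to compare the sender against.
OFFICIAL_DOMAIN = "hmrc.gov.uk"

# Body-text heuristics, one per red flag in the list above (patterns are illustrative).
TEXT_FLAGS = [
    ("generic-greeting", r"\bdear\s+(customer|taxpayer|user|sir|madam)\b"),
    ("excessive-reassurance", r"\bnot\s+a\s+(fake|scam|phishing)\b"),
    ("personal-data-request", r"password|bank\s+details|maiden\s+name|driving\s+licence"),
    ("urgency", r"within\s+\d+\s+(hours|days)|account\s+closure|prosecution"),
]
LINKED_IMAGE = re.compile(r"<a\b[^>]*>\s*<img\b", re.I)
TAGS = re.compile(r"<[^>]+>")

def body_text(msg):
    # Concatenate every text/* part, decoding any transfer encoding.
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def red_flags(raw):
    """Return the names of the red flags found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    body = body_text(msg)
    visible = TAGS.sub(" ", body)  # text left once HTML tags are stripped
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    flags = []
    if domain != OFFICIAL_DOMAIN and not domain.endswith("." + OFFICIAL_DOMAIN):
        flags.append("sender-domain")
    flags += [name for name, rx in TEXT_FLAGS if re.search(rx, visible, re.I)]
    # A clickable image with almost no real text: the message body is a picture.
    if LINKED_IMAGE.search(body) and len(visible.split()) < 10:
        flags.append("image-only-body")
    return flags

# Constructed sample message (not a real phishing email).
SAMPLE = """\
From: HMRC Refunds <refunds@hmrc-gov-uk.example>
Content-Type: text/plain; charset=utf-8

Dear Customer,
This is not a fake email. You are due a tax refund.
Confirm your bank details and password within 24 hours to avoid account closure.
"""
```

A sender domain that does match proves nothing by itself, because the From header can be forged; the check only catches the mismatches and look-alikes described above.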
How do you report a phishing email?
Sadly, it looks like online fraud is here to stay. But with scammers intent on coming up with ever more dastardly schemes year after year in an effort to steal both our money and ID, it’s down to us to be constantly on our guard.
Whenever you receive a suspicious email or message that just sounds too good to be true, constant vigilance is your watchword. Don’t be tempted to click on anything or give any information whatsoever. Instead, contact your accountant or tax adviser straight away to verify (or otherwise) the information.
“We would urge every client to be very careful with unexpected messages they think might be from HMRC, and to check with us immediately.”
“Tax rebate scams are nothing new, unfortunately, but by working closely together we can help our clients to avoid falling prey to this type of criminal activity.” (Oliver Spevack, OS Accounting)
Whenever you receive a tax scam email or message, you can help HMRC by reporting the incident direct. Send phishing text messages to 60599, and forward phishing emails to email@example.com, then delete the message from your computer or mobile device.