
We’ve seen it before. The classic email with words so exciting they wrote them into Monopoly: ‘Tax Refund’. Everyone dreams of getting a little something back from the tax man. But not all of us are so lucky.
Many communications from Her Majesty’s Revenue and Customs (HMRC) will be genuine – for example, you may have received a letter with details of your latest tax code or, for those of you in the Self-Assessment regime, a letter containing a statement and instructions on how to pay your latest tax liability.
However, you may also receive communication from HMRC in other formats – perhaps an email or text which promises large sums of money via a tax repayment. Or maybe even a threatening phone call in which the caller demands immediate payment of sums under the threat of legal action.
But please don’t be fooled.
Any form of communication that uses threatening or coercive language, or that asks for sensitive or personal information, is likely a baited attempt to ‘phish’ these details from you.
What is phishing?
Phishing is an attempt by cyber criminals to acquire sensitive information by pretending to be a genuine organisation, such as HMRC, through communications like emails and texts.
Mobile numbers and weblinks in these messages often lead victims to resources that mimic the organisation. These sites or ‘representatives’ then ask for personal details that are collected by the criminals, not the organisation.
What does phishing have to do with tax?
Cyber criminals posing as HMRC officers prey on people’s emotions – particularly the excitement over potential tax repayments (because let’s be honest – who wouldn’t want that?), and fear of prosecution if confronted with a fake tax liability. These emotions often make us jump without thinking, falling straight onto the hook of the scam.
For a lot of people, tax can be a complicated subject under normal circumstances, but pandemic vulnerabilities have also made scams in relation to SEISS grants and VAT deferral schemes common.
Since the first lockdown in March 2020, impersonation of HMRC by cyber criminals has increased considerably, according to HMRC’s own data (see chart).

It is important to note that whatever your situation, HMRC will never inform you of a tax repayment, penalty or liability via text or email, and will never use these forms of communication to ask for your private information or payment details.
What does HMRC say?
HMRC have useful information on their website that shows how to spot and report scams to their investigators.
To stay safe, HMRC suggest doing the following:
- If you receive a text or email from HMRC and you are unsure whether it is genuine, you should never open any attachments or click on any links. Instead, report the fraudulent email to HMRC and then delete the message.
- If you receive a phone call, HMRC stresses that you should not give the caller any sensitive data they ask for. Instead, they request that you keep a note of the number and the time and date of the call and report it to their investigators.
- HMRC suggest that everyone remains alert for any indicators that would suggest the communication is fraudulent. These may include:
  - Spelling errors and poor grammar.
  - The use of a generic greeting such as ‘Dear Customer’ or ‘Dear email address’.
  - The use of email addresses that are not legitimate HMRC addresses, such as an email sent from a Hotmail or Gmail account.
  - Aggressive wording that pressures the receiver into believing urgent action is required.
Genuine communications from HMRC will always have the following information:
- They will greet you using the name that you have already provided to HMRC e.g. the name you used when signing up for HMRC services.
- Communications will include information and instructions on how to report phishing emails or texts.
- They will never include a personal email address for you to reply to, and the email will come from a genuine HMRC account (always double check the sender address in full rather than depend on the display name shown!).
- The communications should never ask for specific figures or calculations or have any attachments unless you have agreed to this previously with HMRC and have formally accepted the risks.
- HMRC will never provide you with a link to use to log in to your Government Gateway. Instead, they will request that you log in using the normal processes.
It is important to take some time to read through any communications from HMRC and ensure that the email, text or phone call you have received is genuine before proceeding.
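For anyone who triages reported messages, the warning signs above can also be checked mechanically. The Python below is an added example, not HMRC’s or CT’s own tooling: the trusted domain `hmrc.gov.uk`, the keyword patterns and both sample messages are assumptions constructed for illustration, and the spelling-and-grammar indicator is left out.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

TRUSTED_DOMAIN = "hmrc.gov.uk"  # assumption: domain of genuine HMRC senders
# Constructed patterns based on the indicators listed above.
GENERIC_GREETING = re.compile(r"^\s*dear\s+(customer|\S+@\S+)", re.I | re.M)
PRESSURE = re.compile(r"\b(immediate(ly)?|urgent(ly)?|legal action|final notice)\b", re.I)
LINK = re.compile(r"https?://\S+", re.I)


def is_trusted_sender(from_header: str) -> bool:
    """Judge the full address, ignoring the display name in front of it."""
    _display_name, address = parseaddr(from_header)
    _local, at, domain = address.lower().rpartition("@")
    # The dot in the suffix test stops look-alikes such as hmrc.gov.uk.claims.example.
    return bool(at) and (domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN))


def phishing_indicators(raw_message: str) -> list[str]:
    """Return which checklist indicators appear in one raw email."""
    msg = message_from_string(raw_message, policy=policy.default)
    parts = list(msg.walk())
    body = "\n".join(p.get_content() for p in parts
                     if p.get_content_type() == "text/plain" and not p.is_attachment())
    checks = {
        "sender address is not an HMRC address": not is_trusted_sender(str(msg["From"] or "")),
        "generic greeting": bool(GENERIC_GREETING.search(body)),
        "pressure wording": bool(PRESSURE.search(body)),
        "contains a link": bool(LINK.search(body)),
        "has an attachment": any(p.is_attachment() for p in parts),
    }
    return [name for name, hit in checks.items() if hit]


# Constructed samples, not real messages.
SAMPLE_PHISH = """\
From: HMRC Refunds <hmrc.refunds@webmail.example>
Subject: Tax Refund

Dear Customer,
You are due a tax refund. Claim immediately at http://refund.example/claim
"""
SAMPLE_GENUINE = """\
From: HMRC <no-reply@hmrc.gov.uk>
Subject: Your tax code

Dear Jo Bloggs,
Your latest tax code is ready. Sign in the way you normally do to view it.
"""
```

An empty result does not prove a message is genuine, because a sender address can be forged; treat the output as a prompt for the manual checks above.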
What can CT do?
If you have concerns regarding any communications that you have received from HMRC, please get in touch with us at mail@ct.me. We would be more than happy to review the communication to check if it’s genuine.
Remember: if in doubt, give us a shout!