Sure as night follows day, every year (often shortly after Self Assessment season) email inboxes across the country are bombarded by tax refund emails appearing to originate from HMRC. It’s not just emails, though – increasingly, text messages and automated phone calls are being used.
As many of you’ll know, these emails, texts or calls are actually from scammers attempting to grab your bank or card details through increasingly complex phishing scams.
The scam usually plays out like this – shortly after the 31st January deadline (most people still leave filing their Self Assessment until the last minute), you’ll receive an email ostensibly from HMRC’s personal tax team, informing you of a refund you’re eligible to receive. It’ll direct you to an external website or to download and fill out a form in order to receive your refund.
Of course, what you’re actually doing if you fall for the scam is passing all this sensitive information onto criminals, who’ll then use it to defraud you.
As with all scams, there are usually little clues you can look out for that give the game away. Small formatting or spelling mistakes, wonky security certificates (you should see a padlock in the browser address bar for secure sites), contrived email addresses, “spoofed” website addresses (hover over the link in the email to see where it’ll send you) or unusual characters in the text. However, these mistakes are easy to overlook when you’re excitedly trying to claim the £500 you believe you’re owed.
How to recognise scam emails
The first and most important thing to remember about any emails, texts or calls from HMRC is nicely summed up by this tweet from their official Twitter account:
This was reiterated more recently by a further tweet about voicemails and automated calls:
So any email, text or voicemail about a tax rebate purporting to be from HMRC can be instantly disregarded. If you‘re owed a tax refund, HMRC will contact you by post.
Other telltale signs that these emails aren’t legitimate:
- Most filters will catch them and automatically file them to your spam folder
- The sender’s email address won’t be pretty. As hard as scam artists may try to mimic the official HMRC email address, you can usually tell the the fake is not from a genuine HMRC address
- The “address to” field is often blank, indicating these emails have been bulk blind copied (BCC’d) to many people (a good indicator for any kind of spam)
- The email does not address you by name, possibly indicating the address has been scraped from a public website
- The form asks for far too much information (Mother’s maiden name, Driving License number, Verified by Visa password etc.).
For the more technically inclined, we explored the code of a phishing email we received recently and found that, once the Submit button is clicked, the information was actually being sent to a Russian website.
Most of the emails follow a fairly recognisable pattern of poor grammar, warbled nonsense and excessive assurances that the email is real. HMRC have published examples of how some of the emails look – some of the attempts can be very convincing.
A personal or other tax refund isn’t the only avenue used by fraudsters to get access to your info. We’ve seen plenty of VAT scams, both on and offline. In the past, we’ve encountered a VAT email scam appearing to originate from email@example.com, reporting a late VAT return. The email had an executable file attached which would’ve presumably infected the victim’s computer with all kinds of viruses.
The only guarantee where scammers are concerned is that they’ll always have new tricks up their sleeve, and it’s up to individuals to be vigilant and report these scams when they appear.
January to April scams
January to April is a popular period for fraudsters and their phishing emails, texts or calls, coinciding with increased publicity around Self Assessment deadlines, and the end of the tax year when refunds are usually processed. Chas Roy-Chowdhury, head of tax at the Association of Chartered Certified Accountants (ACCA), said in FTadviser that “although HMRC has reported that it received 84,549 phishing reports in March 2018, that figure is just the tip of the iceberg of fraudulent activity happening to people”.
These scams aim to inspire doubt in those who’ve filed early, or capitalise on the panic of those still scrabbling around at the midnight hour.
How to report the emails to HMRC
These scams have become such a widespread problem that HMRC has a dedicated phishing email reporting service – and the continued existence of these scams would seem to indicate the scammers are having at least some success.
If any of these emails find their way into your main inbox, we highly recommend forwarding them on to HMRC. It’s important that the taxman stay abreast of the latest phishing methods, and an email making it past spam filters often indicates the scammers have found a new wheeze – any suspicious emails should be forwarded to firstname.lastname@example.org for HMRC’s fraud teams to look at.
HMRC then advise you delete the email, or at the very least mark it as spam with your email provider.
If you’re a Crunch client and you receive a suspicious email, text, call or letter, forward the details to your client manager who can verify its authenticity or otherwise.