Email, text messages, phone calls – every year thousands of taxpayers are targeted by criminals who will use whatever means necessary in order to con us into revealing personal information or even worse part with our well-earned cash.
At first glance, these communications look like they come from HMRC, but unfortunately this isn’t the case.
We take a look at the different types of scam criminals use, what signs to look out for and the simple checks you can do to stay safe.
The 4 most common types of HMRC scams
The Taxman is a bit of a bogeyman for many businesses, which is exactly why scammers pose as HMRC. They hope you will be scared into action before you realise it’s a scam.
The 4 most common HMRC scams are:
Phishing: a fraudulent attempt, usually through email, to steal your personal information. This could take the form of asking you to create a Government Gateway account in order to receive your tax refund.
Vishing: a phone call where the criminal tries to get you to divulge personal information. HMRC phone scams usually threaten potential victims with lawsuits unless outstanding tax is paid.
Smishing: a text message, which usually asks you to click on a link to a fake HMRC website, designed to capture your personal details.
Spoofing: a person or program masquerading as HMRC to deceive you into giving away sensitive information, such as your bank details. Emails which look like they are from HMRC are a common tactic.
Common signs an email is a scam
Spelling mistakes and poor grammar are both indications that an email is a scam. Other tell-tale signs include:
Offering you at tax rebate: HMRC will never offer you a tax rebate or repayment by email. They will only ever inform you by letter. They will also never phone you about a tax refund or use an external company to contact you.
Demanding urgent action: if you are asked to ‘act immediately’ or within a very short time-frame, chances are it’s a scam. Fraudsters are hoping you will panic and take action.
Using a fake ‘from’ address: check that the sender’s email address is a real HMRC email address. Fraudsters often use email accounts which are similar to real accounts i.e. firstname.lastname@example.org to mislead you. One way of checking this is to hover over the ‘from’ address and confirm that the end of the email is @hmrc.gov.uk. If it’s not then, delete the email immediately.
Spoofing the ‘from’ address: criminals can also spoof the ‘from’ address to make it look like the email has come from a legitimate HMRC address.
If you’re at all unsure about an email, forward it to HMRC’s phishing team at email@example.com and they’ll tell you if it’s genuine or not.
Including attachments and dodgy links: if you get an email with an attachment you weren’t expecting, don’t open it. It could contain a virus that will give criminals access to your computer and personal information.
Always treat any links to web pages with caution. The links may go to a site that looks like the real HMRC homepage, but you’ll be asked to provide personal information. If in doubt, go to the genuine HMRC homepage and use the search facility to find the right page.
Using a common greeting: HMRC will usually start an email with your name, so one which says ‘Dear Sir/Madam’ or ‘Hello’ is highly likely to be fake.
How to stay safe
If you’re at all unsure, if the email is genuinely from HMRC, check their website. They list all the most recent emails they have sent out together with any other communications they have used.
If you do get a phishing email or bogus text message reputedly from HMRC, report it directly to HMRC at firstname.lastname@example.org.
And always remember to ‘double-delete’ any fraudulent messages. This means deleting it from your inbox and then from you trash folder. This is a good precaution to take against potential viruses.