Think before you click – How to spot a fake HMRC email is now something we all need to know about.
Don’t just open that attachment. If you don’t have time to really think about it now, flag it and deal with it later.
The efficiency of emails and messages helps us maintain a faster pace of living. This undoubtedly has great benefits, as long as we guard against the downside – internet fraudsters. We all want to save time, but our best defence against cybercrime is caution. The temptation to swipe, click and follow instructions to ‘get it over with quickly’ is very strong – especially when it’s anything tax related. But we really need to pause for a moment’s thought to analyse the communication we have been sent.
But how do I tell if it’s genuine or not?
An excellent question and the answer becomes increasingly complicated as the scammers improve their tactics. Obviously, HMRC do use emails and SMS messages to communicate with their clients. But there are some concrete rules you can rely on, to double check:
- Basic spelling, punctuation and grammar mistakes are a sure sign of a fake email
- The sender’s email address is often another dead giveaway. Just because it has ‘HMRC’ within it doesn’t make it legitimate, for example ‘[email protected]’ is a fake address. Unfortunately, some cyber criminals are sophisticated enough to actually make a fake email address containing ‘@hmrc.gov.uk’ – so you cannot rely on this as your only means of checking its validity.
Even celebrities are not immune to such attempts. Dara O’Briain recently tweeted his scam HMRC email.
There are some guarantees about HMRC emails. They will NEVER:
- Ask you to input your bank account details, Unique Taxpayer Reference Number (UTR), postcode or full address
- Inform you that you have a tax rebate (see above!)
- Give you a tax rebate payment
- Ask you to reply to a private, personal email address that is not an HMRC address
- Require you to give out your tax calculations or other official figures, unless you have previously arranged this and accepted the risks with your consent
- Have any attachments, unless this has been prearranged and you have given formal consent that acknowledges the risks of such communication
- Ask you to click on a link to a form or ‘secure log-in’ to give information – HMRC will only ever ask you to log in to your online tax account to check your details
Other things to watch out for:
- Anything using the address: HMRC FoI Act Team, Room 1C/23, 100 Parliament Street, London, SW1A 2BQ
- Any phrases that imply a hint of emergency about the situation, like ‘urgent action required’ or ‘you only have 2 days to respond’. These are a good way to scare people into acting quickly and without due caution, especially when they are pretending to be from a government department.
- The use of general greetings like ‘Dear client’ can be a sign of a mass volume phishing email. HMRC usually use your name and always have information about how to report fake emails. If you are a subscriber to HMRC’s services, then you might receive generically headed emails.
- Scammers sometimes embed links to real HMRC pages in order to boost their believability. Don’t trust everything you click on!
- Fake websites that look like HMRC’s real homepage are common. They can be extremely good copies, but will have two things that HMRC never have – boxes for entering your personal details and links to building societies and/or banks. Avoid!
- Attachments – HMRC only send attachments if you have already agreed to this form of communication. Fake attachments usually contain viruses that can steal information from your computer or phone.
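The warning signs in the lists above can be turned into a simple triage script for a mailbox or helpdesk queue. This is an added example, not part of the original article or anything HMRC publishes; the flag names, the constructed sample message and the rule that genuine links sit under gov.uk are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Phrases quoted in the article; matching is case-insensitive.
CHECKS = (("generic-greeting", ("dear client",)),
          ("urgency", ("urgent action required", "you only have 2 days to respond")),
          ("rebate", ("tax rebate", "tax refund")))

def under(host, parent):
    """True if host is parent itself or a subdomain of it."""
    return host == parent or host.endswith("." + parent)

def triage(raw):
    """Return the article's warning signs found in one raw email."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    sender = str(msg.get("From", ""))
    domain = parseaddr(sender)[1].rpartition("@")[2].lower()
    # 'HMRC' in the name or address proves nothing; compare the real domain.
    if "hmrc" in sender.lower() and not under(domain, "hmrc.gov.uk"):
        flags.append("sender-domain")
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    text = (str(msg.get("Subject", "")) + "\n" + body).lower()
    flags += [name for name, phrases in CHECKS if any(p in text for p in phrases)]
    # Assumption for this example: genuine links point at gov.uk hosts.
    hosts = [urlparse(u).hostname or "" for u in re.findall(r"https?://[^\s\"'<>]+", text)]
    if any(not under(h, "gov.uk") for h in hosts):
        flags.append("off-site-link")
    if any(True for _ in msg.iter_attachments()):
        flags.append("attachment")
    return flags  # an empty list is NOT proof the message is genuine

def constructed_scam():
    """Constructed sample message; every address and host here is made up."""
    m = EmailMessage()
    m["From"] = "HMRC Refunds <refunds@hmrc-rebates.example>"
    m["Subject"] = "Urgent action required"
    m.set_content("Dear client,\nYou are due a tax rebate.\n"
                  "You only have 2 days to respond.\n"
                  "Secure log-in: http://hmrc-rebates.example/login\n")
    m.add_attachment(b"constructed", maintype="application",
                     subtype="octet-stream", filename="refund-form.zip")
    return m.as_string()

if __name__ == "__main__":
    print(triage(constructed_scam()))
```

Because a sender address ending in ‘@hmrc.gov.uk’ can be faked, a message that raises no flags still needs checking against HMRC’s published list of genuine contact.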
It really is a case of ‘think before you click’. The fraudsters keep up with technological advances and know which emotional buttons to push to get us to act without thinking. A recent scam reported by ‘The Southern Reporter’ was fake HMRC emails telling taxpayers in the Scottish Borders that they were due a council tax refund – despite the fact that this is not within HMRC’s remit. Another phone scam in Gloucestershire, reported by ‘Gloucestershire Live’, was a threat of prosecution by HMRC and contained the phrase ‘press 1 to contact your tax advisor’.
HMRC publish a list of every legitimate communication in their ‘Genuine HM Revenue and Customs contact and recognising phishing emails’ guide, which is constantly updated. Any letter, email, voice message and text message is on there – if it really is from HMRC! Absolutely none of them ask you to give any personal or financial details verbally, in a text or by email.
Reporting the fakes
If you receive any suspect communications, it is important to report them so that those fighting these crimes can have as many details as possible to prosecute these cyber-thieves.
- Forward any suspicious texts to 60599; these are charged at your network rate.
- Forward any dodgy emails to: [email protected]
If you have responded to one of these scams and think, or know, that you have been conned out of some money, then email: [email protected]. Include the type of information you have revealed, but not your actual personal details. For example: ‘I gave my name, full address, UTR and bank details’. HMRC also has a page dedicated to online fraud which can give you some more tips and support.
You can also inform Action Fraud on 0300 123 2040 and/or the police.
It is embarrassing to think you have been tricked and many people just feel too foolish to report this modern-day mugging. But it is nothing to be ashamed of; many of these con-artists are very good at their job! The only way we defeat them and protect each other is by working together – and that means passing on your experiences. Prosecutions do happen!
The best advice is not to skim and click anything that claims to be from HMRC. Stay cyber-safe and think before you click!