Scams are taxingAs people prepare to pay their tax bill at the end of January for the 2021-22 tax year, scammers are impersonating HMRC in a range of insidious scams aimed at parting you from your money or capturing sensitive personal data.
Wed 18 Jan 2023
7 min read
You may be one of the many people who have received a text message that says it’s from HMRC. The text will contain a short message and a link to click on. But if you click that link, you will be entering a world of hurt, with scammers waiting on the other side to rob you and to steal your sensitive personal information.
A wide range of scams carried out by criminals impersonating HMRC are in play, with new, more inventive versions unfolding all the time. At this time of year, with the real HMRC payment deadline for the 2021-22 tax year looming at the end of January, you can be sure the scammers will be active. So it’s good to be aware of what to look out for.
You’re in luck, you have a tax refund
One scam used by scammers impersonating HMRC is to send a text message that says you’re owed a tax refund. It may be a relatively small amount, but the social engineering at play here is using psychology to make you click a link included in the text. Who wouldn’t like a tax rebate? When people click on that link, they are connected to a call-handler. The scam then begins and gradually they will get your bank account details and passwords to access your account. Then, rather than receive a refund, the account will get cleaned out.
We’re coming for you
Imagine you receive a call where the caller says it’s HMRC and that you owe £500 in unpaid tax and that you will be arrested in a couple of hours if you don't pay immediately. The caller says you must pay in Amazon or Google Play vouchers. Of course this is a blatant scam, but people are getting caught by the criminals, not least because the scammer puts huge time pressure into the equation and victims feel like they have to act fast, almost before they can think what's happening.
Sometimes, the scammers even ‘spoof’ a number from HMRC. That means when you look at the Caller ID and check it against a genuine HMRC number, it appears to be a real HMRC call. But the Caller ID cannot be trusted because scammers have found ways to ‘spoof’ the number, to make it look genuine when in fact, it’s not.
Fake emails that look like they’re from HMRC are also used to trick people into parting with highly confidential information. The emails look like the real thing, containing a link to a website that also looks just like a page from the HMRC website. In order to collect your refund, the website presents a form that captures your full name, address, date of birth, bank account, bank name, sort code, debit card number, three-digit card verification code and card expiration date. Once you hand it over, imagine what someone with negative intent can do with all that information.
In other examples, HMRC has reported a bogus email being circulated requesting customers to verify their identity. It asks customers to provide photographic copies of their passport, NI card, utility bill and bank statement. This data is gold to the scammers.
Other HMRC impersonation scams
One scam doing the rounds involves a phone call. When you answer, an automated message says that HMRC is filing a lawsuit against you for non-payment of tax. “Press 1 to speak to a caseworker” the message says. But if you press 1, the scammer will be on the other end with a plausible script. They will use classic scam techniques of putting you under pressure to make an immediate payment to stop the lawsuit, insisting it must be done right now. They will ask for your card details, maybe also your bank account details and even get you to confirm your full address. Once they have all that, they have the keys to your accounts and empty them instantly.
In another, similar scam, A cold caller tells you that you’re being charged with tax fraud. In order to avoid court action you’re asked to send a copy of your passport and to pay £1,000 immediately. If you agree and give them card or bank details and send a copy of your passport, you will have given access to your bank account and exposed yourself to complete identity theft.
National Insurance numbers are also used by scammers as bait. There are variations of this scam. In one, you receive a call and when answered, you hear an automated message saying that your National Insurance number has been compromised or is invalid. As in the lawsuit scam above, you’re asked to press 1 to speak to an ‘advisor’ who may ask for your personal details in order to apply for a new NI number. The scammer can then use your personal details to set up new scams and trick you in the future. In another variant, they turn up the urgency by saying that your NI number is about to be suspended and your assets seized. “Press 1” to stop your assets being seized, the message says.
Other scams pretending to be from HMRC include:
- Covid scams - text scams offering an HMRC tax refund in connection with the COVID-19 pandemic. Scammers often use latest news and events to create a message that will resonate with the recipient, all part of their social engineering
- WhatsApp messages - HMRC will never use ‘WhatsApp’ to contact customers about a tax refund. If you receive any communication through ‘WhatsApp’ saying it’s from HMRC, it’s a scam
- Social media scams - HMRC is aware of direct messages sent to customers through social media. A recent scam was identified on Twitter offering a tax refund. These messages are not from genuine HMRC social media accounts and are a scam
- Refund companies - HMRC is aware of companies that send emails or texts advertising their services to win you a tax rebate or refund, usually for a fee. These companies are not connected with HMRC in any way
- HMRC customs duty scams - HMRC has reported a text and email scam where the customer is told they must pay customs duty to receive a valuable parcel which does not exist. This is an attempt by scammers to confuse changes introduced on 1 January 2021, advising that some UK consumers buying goods from EU businesses might need to pay customs charges when their goods are delivered.
Not just individuals
Employers and companies are also targeted by scammers. Bogus emails get sent to companies that contain zip files that when opened contain viruses or malware that can lead to ransomware attacks.
What does HMRC say?
HMRC will never text, email or phone to ask for bank details, PIN or passwords. Nor will they ever send a message via WhatsApp or other social media saying you can claim a tax rebate. HMRC may send emails in certain circumstances, but they never send emails requesting personal information or advising of refunds. So if you get one, it’s a scam.
The scammers make it enticing, offering you a juicy rebate. However tempting the message or how large the ‘repayment’ appears to be, you should just hit ‘delete’. Or better still, forward it to HMRC at email@example.com and then hit delete. If you get an email like this and open it by accident, don’t click on any website links, open any attachments or reply to the email.
HMRC does use texts to inform you about claims or as reminders to submit your tax return or make payment, but they will never ask for personal information and genuine texts from HMRC will never include links to any websites. Again, if you get a message that contains a link, don’t click on it.
What if I’m targeted?
If you think you’ve been targeted in a scam that uses a fake HMRC text, email, website or phone call, here’s how to deal with it.
Report suspicious HMRC phone calls
HMRC provides a form on their website which can be used to tell them if you’ve received a phone call you don’t think is genuine. You’ll need to give your email address. HMRC may share your email address and phone number with other organisations to close down the scam.
Report suspicious emails
If you get a suspicious email, forward it to HMRC’s phishing team firstname.lastname@example.org
You should give details of what you’re reporting in the subject line (for example ‘Suspicious email address’).
Remember, HMRC will never send notifications of a tax rebate or ask you to disclose personal or payment information by email.
Report suspicious text messages
You can forward any suspicious text messages to HMRC by sending it to 60599.
Remember, HMRC will never send notifications of a tax rebate or ask you to disclose personal or payment information by text message.
Keep your personal data close
For a scammer to target you, they need some of your personal data. If you receive a text or email that says it’s from HMRC but is really fake, the scammer is likely to have got your phone number or email address from some other shady source. Sometimes they acquire that through buying data stolen from companies by hackers. Your personal data probably sits in thousands of databases held in many companies, including some you may not even have heard of.
One way to reduce your risk of being targeted by scammers is to get your data deleted from any company that doesn't need it. If scammers can't get your data then there’s less chance that they’ll come after you in a scam. You can get your data deleted from any company that doesn't need it by using Rightly Protect. Our service is quick, simple and free.
Wed 04 Jan 2023
4 min read
Make a data resolution
Every January, millions of people use the turn of the year to make resolutions for everything from healthier lifestyles and weight loss, to improving work-life balance, to reading more books. All with good intentions. But an important one to consider this year is getting control of your personal data.
Wed 31 Aug 2022
7 min read
Leaving a digital trail
Not all browsers are created equal when it comes to security of your personal data. Some of the most popular browsers in the world are being exposed for collecting and selling user data or lacking adequate security measures.