HMRC phishing scams: tax refunds

We continue to receive reports of phishing scams in which criminals pretend to be HMRC, and are reminding taxpayers and their agents to remain vigilant.

The most recent example we have seen is an email indicating that a taxpayer is due a refund which can be paid to their credit card if certain details are provided.  The text of this email is as follows:

Subject: Self Assessment - Gateway.gov.uk | Don't miss your payment - Review your automatic payment | 'Item No.91409593' 7921 12.02.2019

 This is an automatically generated email.

 Please do not reply as the email address is not monitored for received mail.

 {Hello} [client email address]

Thank you for registering for the HMRC Revenue Agency Portal

You have received this email to be notified that the UK Government.

 has issued a refund and you'll receive 441.60 GBP directly on your credit card.        

Login at refund  Tax Returns UK Government HMRC

               -the link expire's on 12 February 2019.

               -have your credit/debit card ready

               -follow the instructions on your screen

               Payment details:

               Amount: 441.60 GBP

               Description: Payments from gov.uk

               Transaction ID: FF415D2A48E0-20655522HR

               Date: 12 February, 2019             

Please note: (UK Government) Office will never request your password or financial information via email.

Note: A refund can be delayed a variety of reasons, for example submitting invalid records or applying after deadline.” 

Given that the self-assessment deadline has now passed, there is a risk that taxpayers who are genuinely expecting tax repayments could fall for such scams. 

How to spot phishing scams

Whilst many scams can be easy to spot, others are quite sophisticated and use email addresses, websites and logos that look very similar to official HMRC ones.

As per the example above, a key feature of phishing scams is that they will ask you to provide personal or financial details (such as credit card or bank details) in order, for example, to receive a tax refund.  They will often have poor grammar, punctuation and spelling and may use incorrect terms for HMRC processes and systems.

It’s important to remember that HMRC will never use texts, emails or social media to:

  • Inform you of a tax rebate or penalty, or
  • Ask for personal or payment information.

HMRC will also never call individuals out of the blue to demand money, or inform them of penalties or refunds.  Instead taxpayers will usually be informed by letter or in their P800 tax calculation in the first instance.

An ATT technical article with more pointers on how to differentiate between fraudulent and genuine HMRC communications can be found here.

HMRC publish examples of known phishing emails and bogus calls, text messages and social media direct messages and how to spot them, as well as up to date lists of genuine topical HMRC calls, letters and digital communications which can be referred to if you are in doubt.

What can members do?

Given the continuing prevalence of HMRC phishing and phone scams, members may wish to speak to their clients in order to raise their awareness. 

As well as advising on how to spot scams, members may also want to pass on the following practical advice as to what their clients should do if they suspect phishing:

  • If you are at all in doubt as to whether a message is genuine:
    • Don’t open it;
    • If you do open it, don’t click on any links, open any attachments or provide any information.
  • If you receive a suspicious phone call it is advisable to hang up and call HMRC back as you would normally, rather than on any numbers provided by the caller. It is wise to use another phone to do this just in case the scammer has not disconnected the call.
  • Suspicious emails and texts should be deleted, but HMRC also encourage taxpayers to report them by email: phishing [at] hmrc.gsi.gov.uk. More information can be found here.
Posted in: News