HMRC phishing scams and how to avoid them

As HMRC moves more of its services online, fraudsters are exploiting this transition by targeting taxpayers with bogus or fake emails. Known as ‘phishing’, these communications are designed to encourage people to impart sensitive personal or financial information which can then be used for fraudulent purposes. With an increasing number of people falling victim to such scams, HMRC has released updated guidance on how to recognise genuine contact from its agents.

Genuine contact from HMRC

Firstly, remember that HMRC will never send notifications of a tax rebate by email, nor will it ask you to disclose personal or payment information via email. There are, however, some occasions when the Revenue will make digital contact. Some examples include:

• Trade statistics import/export data emails
• Employer Bulletin emails
• Tax credits letters from Concentrix
• Tax credits – SMS text or voice prompts
• VAT Mini One Stop Shop (MOSS) emails
• Agents online self-serve email invitations
• PAYE notices and reminders
• Educational emails
• Debt management and banking text messages
• Inheritance tax online registration and application emails
• VAT emails including VAT returns, VAT registration and VAT debt reminders
• Annual Tax Summary email alerts.

Recognising fraudulent emails

Phishing emails often appear very convincing, but there are a number of signs which can help you to determine whether an email is fraudulent.

A fraudulent email is likely to have an incorrect ‘From’ address. The sender’s email address will often be very similar to a genuine HMRC address, for example the plausible refunds@hmrc.gov.uk, in order to mislead the recipient. More examples of some of the false email addresses frequently used can be viewed online at www.gov.uk.

Common greetings such as ‘Dear Customer’ may signify that the email is bogus, and you should also be cautious of any emails demanding urgent action, as criminals will often use such tactics to encourage an immediate response.

Links and attachments pose another potential threat. Phishing emails will often include a link to a webpage replicating those on the HMRC site. Although the page appears genuine, it may display fields requesting personal information or bank account details. You should also exercise caution when it comes to attachments in an email, as these may contain viruses designed to steal confidential information from your computer.

Reporting scams and suspicious contact

Any suspicious emails should be forwarded to phishing@hmrc.gsi.gov.uk. If you believe you may have disclosed personal information by mistake, contact HMRC at security.custcon@hmrc.gsi.gov.uk. Meanwhile, details of any misleading websites should be reported to Action Fraud – see www.actionfraud.police.uk or call 0300 123 20 40.

By remaining vigilant and following the above guidance, it is possible to minimise the risk of falling victim to phishing scams. For more information visit www.gov.uk/topic/dealing-with-hmrc/phishing-scams.