Be Vigilant! HMRC deactivated 20,750 phishing websites in a twelve-month period
HMRC has taken down 20,750 malicious websites in the past twelve months, representing a whopping 29 per cent increase on the previous year. And don’t assume you’re immune just because you consider yourself an informed, educated, and savvy professional. Some of these phishing scams are highly sophisticated and very convincing, and on occasion they catch out even the most vigilant and informed.
Scammers use human psychology in its most basic form. We all have a tendency to think it will never happen to us, while the sensible among us tend to respond immediately, perhaps without due caution, to correspondence from the Inland Revenue or from our bank. So the public is in somewhat of a bind when acting to protect themselves against phishing fraudsters in this respect.
Thousands of people have been conned out of sensitive personal information by fraudsters claiming to be from a legitimate organisation. These communications tend to reach us via email, text, fax, or phone (handset or landline), which ought to raise suspicion, yet the methods used can be extremely convincing. For example, caution is often overridden by a call for “immediate action”. Because of this sort of marketing method, and because the correspondence looks to all intents and purposes like the real thing (the letterhead and logo look real, the email uses an address that at first sight appears genuine, a link is embedded in a plausible phrase, or the URL seems in part recognisable), many of us can be forgiven our error.
As an HMRC spokesperson has said:
“Genuine organisations like banks and HMRC will never contact people out of the blue to ask for their PIN, password or bank details. So, people should never give out private information, download attachments, or click on links in emails and messages they weren’t expecting.”
Think, ask, act
So first, think: was I expecting anything from my bank or HMRC? Note, for example, that Income Tax for any year runs from 6 April to 5 April and that anyone owed a genuine tax rebate will receive a tax calculation letter by post between June and October. If you have overpaid tax, HMRC’s letter with the tax calculation will explain how to benefit from your refund; if you have underpaid tax, the letter will tell you what you owe and how to pay it.
Having thought about it, ask yourself: is this likely to be for real? If you are in doubt, or if you decide that it doesn’t seem real, then act. Call or make contact with the appropriate organisation:
- Forward suspicious emails claiming to be from HMRC to firstname.lastname@example.org;
- Report suspicious texts to 60599;
- Contact Action Fraud on 0300 123 2040 to report suspicious calls or use the online fraud reporting tool.
Spotting the signs
Things to look out for to help decide if correspondence via text, email, phone or (less frequently) traditional post is for real include:
- Look at the language used: it may say “urgent action required” or “act now”. Think about it: would your bank or HMRC be likely to use that sort of language?
- Someone is requesting your PIN, password or bank account details. Stop, think, and remember that banks and HMRC will never contact you out of the blue to ask for these.
- A text message requests personal details. Think about it: would private information be called “private” if all it takes is a text message to share it with someone?
- You receive an email seemingly from HMRC or your bank with attachments or a link to click. Ask yourself: was I expecting an email from “X”? Is it likely that HMRC or my bank would contact me like this out of the blue?
- Your name: check how the letter addresses you. Your bank or HMRC would only use the name you registered or opened the account under, never “Dear Customer” or other similarly generic forms of address.
- Grammar and spelling: correspondence from HMRC or your bank does not generally contain poor grammar or spelling mistakes.
Recent examples of phishing scams include:
- Tax refund/rebate scams: email or text saying you’re eligible for a tax refund, which asks you to click through to a website and/or provide personal and financial information.
- Create a Government Gateway: bogus email which prompts individuals to create a Gateway Account to receive a tax refund.
- Social media scams: direct message via social media, e.g. Twitter, offering a tax refund.
- Export clearance process (delivery stop order): email to say that goods are being held at customs and that a payment is required before they can be released (known as 419 scams).
- Bogus callers: a phone call or home visit from someone claiming to be from HMRC, conning individuals into providing bank account details or other personal information in exchange for a tax refund or advice.
- Recorded telephone messages: saying legal proceedings are being taken against you, where the recipient is asked to phone a number and select ‘1’ to speak to the officer dealing with their case.
- Request to complete NRL1 (non-resident landlord) forms: this scam targets letting agents and landlords living abroad, phishing for sensitive personal information, with the recipient asked to return the forms by fax.
Prevention is better than cure
There’s still some way to go with security, and scammers always seem to find a new way to con people even when the security weaknesses have been fixed. But HMRC’s new technology trial, designed to identify phishing texts purportedly from HMRC with “tags”, has resulted in a 90 per cent reduction in people reporting such spoof texts since it began in April 2017.
HMRC has also been in pursuit of the fraudsters who’ve already conned the public out of more than £2.4 million by tricking them into using premium rate phone numbers for services that HMRC provides for free.
The best measure you can take meanwhile is to use caution. If something doesn’t seem right, contact an accountant or the organisation concerned to check before you give out any personal information or respond to any requests, taking the contact details from a verifiable letter you’ve received from the organisation in the past.