HMRC scam tactics see fraudsters purport to be from the government Department
HMRC will never ask for personal or financial information when they send text messages.
Do not open any links or reply to a text message claiming to be from HMRC that offers you a tax refund in exchange for personal or financial details.
Scam messages from criminals pretending to be from HMRC come in the form of text, Whatsapp messages, or emails.
If you respond to these they could allow criminals to steal money, personal information and data.
READ MORE: Santander fraud warning as fake phone line charges 65p a minute
HMRC is among a number of organisations which scammers purport to be from
A wide range of scams carried out by criminals impersonating HMRC are in circulation, with new, more inventive versions unfolding all the time. So it’s good to be aware of what to look out for.
HMRC scams to look out for:
“You’re in luck, you have a tax refund”
One scam used by criminals impersonating HMRC is to send a text message that says you’re owed a tax refund. It may be a relatively small amount, but the social engineering at play here is using psychology to make you click a link included in the text. Who wouldn’t like a tax rebate? When people click on that link, they’re connected to a website or a “call-handler”. The scam then begins and gradually they will get your bank account details and passwords to access your account. Then, rather than receive a refund, the account will get cleaned out.
“We’re coming for you”
Imagine you receive a call where the caller says it’s HMRC and that you owe £500 in unpaid tax and that you will be arrested in a couple of hours if you don’t pay immediately. The caller says you must pay in Amazon or Google Play vouchers. Of course, this is a blatant scam, but people are getting caught by the criminals, not least because the criminal puts huge time pressure into the equation and victims feel like they have to act fast, almost before they can think what’s happening.
Spoof
Sometimes, the criminals even ‘spoof’ a number from HMRC. That means when you look at the Caller ID and check it against a genuine HMRC number, it appears to be a real HMRC call. But the Caller ID cannot be trusted because criminals have found ways to ‘spoof’ the number, to make it look genuine when in fact, it’s not.
Phishing emails
Fake emails that look like they’re from HMRC are also used to trick people into parting with highly confidential information. The emails look like the real thing, containing a link to a website that also looks just like a page from the HMRC website. In order to collect your refund, the website presents a form that captures your full name, address, date of birth, bank account, bank name, sort code, debit card number, three-digit card verification code and card expiration date. Once you hand it over, imagine what a criminal aiming to scam you can do with all that information.
In other examples, HMRC has reported a bogus email being circulated requesting customers to verify their identity. It asks customers to provide photographic copies of their passport, NI card, utility bill and bank statement. This data is exactly what criminals need to steal your money or personal details.
Scammers operate in all sorts of ways, and they can seem very convincing
Other HMRC impersonation scams
One scam doing the rounds involves a phone call. When you answer, an automated message says that HMRC is filing a lawsuit against you for non-payment of tax. “Press one to speak to a caseworker” the message says.
But if you press one, the criminal will be on the other end with a plausible script. They will use classic scam techniques of putting you under pressure to make an immediate payment to stop the “lawsuit”, insisting it must be done right now.
They will ask for your card details, maybe also your bank account details and even get you to confirm your full address. Once they have all that, they have the keys to your accounts and empty them instantly.
In another, similar scam. A cold caller tells you that you’re being charged with tax fraud. In order to avoid court action you’re asked to send a copy of your passport and to pay £1,000 immediately. If you agree and give them card or bank details and send a copy of your passport, you will have given access to your bank account and exposed yourself to identity theft.
National Insurance numbers are also used by criminals as bait. There are variations of this scam. In one, you receive a call and when answered, you hear an automated message saying that your National Insurance number has been compromised or is invalid. As in the lawsuit scam above, you’re asked to press one to speak to an ‘advisor’ who may ask for your personal details in order to apply for a new NI number. The criminal can then use your personal details to set up new scams and trick you in the future. In another variant, they turn up the urgency by saying that your NI number is about to be suspended and your assets seized. “Press one” to stop your assets being seized, the message says.
Scam messages can encourage people to share their bank details or transfer cash
Other scams pretending to be from HMRC include:
-
WhatsApp messages – HMRC will never use ‘WhatsApp’ to contact customers about a tax refund. If you receive any communication through ‘WhatsApp’ saying it’s from HMRC, it’s a scam
-
Social media scams – HMRC is aware of direct messages sent to customers through social media. These messages are not from genuine HMRC social media accounts and are a scam
-
Refund companies – HMRC is aware of companies that send emails or texts advertising their services to win you a tax rebate or refund, usually for a fee. These companies are not connected with HMRC in any way
-
HMRC customs duty scams – HMRC has reported a text and email scam where the customer is told they must pay customs duty to receive a valuable parcel which does not exist. This is an attempt by criminals to confuse changes introduced on 1 January 2021, advising that some UK consumers buying goods from EU businesses might need to pay customs charges when their goods are delivered.
-
Not just individuals – Employers and companies are also targeted by criminals. Scam emails get sent to companies that contain zip files that when opened contain viruses or malware that can lead to ransomware attacks.
HMRC says…
HMRC will never text, email or phone to ask for bank details, PIN or passwords. Nor will they ever send a message via WhatsApp or other social media saying you can claim a tax refund or rebate. HMRC may send emails in certain circumstances, but they never send emails requesting personal information or advising of refunds. So if you get one, it’s a scam.
The criminals make it convincing and offer you money to get you to respond. However, tempting the message or how large the ‘repayment’ appears to be, you should just hit ‘delete’. Or better still, forward it to HMRC at phishing@hmrc.gov.uk and then hit delete. If you get an email like this and open it by accident, don’t click on any website links, open any attachments or reply to the email.
HMRC does use texts to inform you about claims or as reminders to submit your tax return or make payment, but they will never ask for personal information and genuine texts from HMRC will never include links to any websites. Again, if you get a message that contains a link, don’t click on it.
What if I receive one of these scams or respond to one of them?
If you think you’ve been targeted by a scam that uses a fake HMRC text, email, website or phone call, here’s how to deal with it.
Report suspicious HMRC phone calls
HMRC provides a form on their website which can be used to tell them if you’ve received a phone call you don’t think is genuine. You’ll need to give your email address. HMRC may share your email address and phone number with other organisations to close down the scam.
Report suspicious emails
If you get a suspicious email, forward it to HMRC’s phishing team phishing@hmrc.gov.uk You should give details of what you’re reporting in the subject line (for example ‘Suspicious email address’). Remember, HMRC will never send notifications of a tax rebate or ask you to disclose personal or payment information by email.
Report suspicious text messages
You can forward any suspicious text messages to HMRC by sending it to 60599. Remember, HMRC will never send notifications of a tax rebate or ask you to disclose personal or payment information by text message.
Keep your personal data close
For a criminal to target you, they need some of your personal data. If you receive a scam text or email that says it’s from HMRC, the criminal is likely to have got your phone number or email address from some other criminal source. Sometimes they get that through buying data stolen from companies by hackers. Your personal data probably sits in thousands of databases held in many companies, including some you may not even have heard of.
One way to reduce your risk of being targeted by criminals is to get your data deleted from any company that doesn’t need it. If criminals can’t get your data then there’s less chance that they’ll come after you in a scam. You can get your data deleted from any company that doesn’t need it by using Rightly Protect. Our service is quick, simple and free.
Scambusters Mail bag – answering your scam questions
Question: I donate to a few charities each year. I thought I received an email from what I thought was one of the charities I donate to. I was asked to donate for a particular cause they were raising money for, I clicked the links and now I’m not sure if it’s genuine or not? Is it the real company or not?
Criminals sadly may take advantage of your generosity when you give to a charity. Criminals may impersonate a well-known charity. Most charity appeals are genuine, so you should not be put off giving to charities. However, you need to make sure you are paying a legitimate charity and not a criminal impersonating one.
The Fundraising Regulator and Charity Commission for England and Wales advise you to pause and check before donating.
Two quick steps to check if a charity is legitimate:
-
Check the charity name and registration number at uk/checkcharity.
-
Check the Fundraising Regulator’s online Directory to see if a charity has committed to good fundraising practice at org.uk/directory.
If you’re still unsure about giving, always ask the organisation for more information. Legitimate causes will be happy to respond and answer your questions.
Remember an appeal should always be clear on exactly what the money will be used for.
Tip of the week
Do not respond to phone calls about your computer asking for remote access. Always hang up on these callers. Criminals impersonate well-known computer companies and tell you that you have a problem with your computer. They will tell you things to do which will make you think your computer has a problem when it doesn’t. The things they then instruct you to do will then give them remote access to your computer and all your personal information. They may also charge you to fix a problem they created. Hang up on these callers.
Remember: If you have received a text, you think is a scam then you can forward to 7726 or take a screenshot and send it to report@phishing.gov.uk. If you are receiving lots of unwanted phone calls or text messages you can also consider removing your details from data brokers, ensuring that you use a right to object to processing of your data. You can learn more about this on Rightly to stop the sharing of your data exposing you to scams. And you can take a free training course on how to fight against scams on www.friendsagainstscams.org.uk. The more we talk about scams the more we take away the shame.