Don’t get caught out by fraudulent HMRC emails and phishing scams
12th May 2020
Online fraudsters are becoming increasingly sophisticated in the presentation of fake emails, making it harder than ever to spot when an email is real. To help you stay safe, we’ve put together a guide on how to spot the latest HMRC phishing scams and what to look for to make sure that you only interact with genuine emails.
What is a phishing scam?
Users are becoming more aware of phishing scams, but there are still many situations in which you can inadvertently share personal information, such as passwords or financial details, because the request appears to be perfectly legitimate.
How to spot phishing activity
The safest approach is never to trust any email, text, social message, WhatsApp message, telephone call or similar information request from anyone. Scammers are posing as banks, online retail sites and even HMRC. These messages will appear as if they come directly from your trusted provider, and it is hard to tell the difference. There are, though, some checks that help you identify whether a communication is legitimate.
- Any email that asks for your personal information directly should be treated as suspicious.
- Unless the sender’s email address is an “exact” match of the real company’s online domain, e.g. (xxx.com), do not interact with it. Be careful to click right into the sender address, as a scammer’s real email address can be masked by a different one in the initial email information you see.
- If you click a link and the website you go to doesn’t match the domain (xxx.com) of the verified company site, then it is usually a sign of a phishing scam.
- Anything that looks “a bit different”.
- Anything that purports to give you a refund/rebate or some form of financial reward for passing on your information.
- Any unsolicited calls at all.
- Any unsolicited phone call where the caller claims to be an employee of the company but is asking you for your details.
- Anyone pressuring you for a response by saying there will otherwise be a financial implication.
HMRC phishing scams
HMRC has been a real target of scammers in recent years, and even some of the most tech-savvy business owners have been caught out by the increasingly sophisticated emails. Some simple rules to remember when receiving communication from HMRC are that they will never:
- Notify you of a tax rebate
- Offer you a repayment
- Ask you to disclose personal information such as your full address, postcode, Unique Taxpayer Reference (UTR) or details of your bank account
- Give a non-HMRC personal email address to send a response to
- Ask for financial information such as specific figures or tax computations, unless you’ve given HMRC prior consent and you’ve formally accepted the risks
- Have attachments, unless you’ve given prior consent and you’ve formally accepted the risks
- Provide a link to a secure log-in page or a form asking for information – HMRC will always ask you to log on to your online account to check for information
Some examples of the latest HMRC phishing scams
Images taken from the latest guidance at https://www.gov.uk/government/publications/phishing-and-bogus-emails-hm-revenue-and-customs-examples/phishing-emails-and-bogus-contact-hm-revenue-and-customs-examples
Spotting Genuine HMRC Emails
To help you tell the real from the fake, HMRC issues and regularly updates a list of the genuine reasons why it would contact you. You can view this list here: https://www.gov.uk/government/publications/genuine-hmrc-contact-and-recognising-phishing-emails/genuine-hmrc-contact-and-recognising-phishing-emails
Keeping yourself safe online
To help you stay safe online, you can follow the best-practice tips below that we have collated:
- Don’t ever send personal information over digital channels – and especially not when requested.
- Always go directly to the company website and look at your notifications in your account. Try not to engage via email or text messages.
- Try not to follow any links in messages and emails
- Use 2-step verification for logging into any online accounts where possible
- Don’t use the same password in multiple accounts
- Don’t open or save any attachments if you don’t know who they’re from
- Try to use a password generator or have a password wallet and/or authentication app on your phone
- Never give any personal information to any cold caller. Ask if there is a number that you can check before calling them back. Use one of the many online number checkers.
- Look out for a sender’s email address that is similar to, but not the same as, the company’s email addresses. For example, fraudsters often have email accounts with HMRC or revenue names in them (such as ‘refunds@hmrc.org.uk’). These email addresses are used to mislead you. If you’re not 100% sure that the message has come from the company you are dealing with, don’t open it. If you do open the email and you’re in doubt, don’t click on any links or downloads.
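The exact-match checks from the tips above (the real sender address behind the display name, and a link's domain against the company's domain), as an added Python example that is not part of the original article. The trusted domain `hmrc.gov.uk`, the function names and every sample header and link are assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: the domain you expect genuine messages to come from.
TRUSTED_DOMAIN = "hmrc.gov.uk"

def domain_matches(host, trusted=TRUSTED_DOMAIN):
    """True only for the trusted domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)

def check_sender(from_header, trusted=TRUSTED_DOMAIN):
    """Return (real_address, warnings) for a raw From: header value."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    warnings = []
    if not domain_matches(domain, trusted):
        warnings.append(f"sender domain {domain!r} is not {trusted!r}")
    # A display name that itself looks like an address can mask the real one.
    shown = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if shown and shown.group(1).lower().rstrip(".") != domain:
        warnings.append(
            f"display name shows {shown.group(0)!r} but mail is from {addr!r}")
    return addr, warnings

def link_ok(url, trusted=TRUSTED_DOMAIN):
    """True if the link's host is the trusted domain or a subdomain of it."""
    return domain_matches(urlsplit(url).hostname, trusted)

# Constructed sample headers and links, not taken from real messages.
SAMPLE_HEADERS = [
    '"HM Revenue & Customs" <refunds@hmrc.org.uk>',    # similar, not the same
    '"no.reply@hmrc.gov.uk" <billing@mail.example>',   # masked real address
    'HMRC <no.reply@advice.hmrc.gov.uk>',              # subdomain of trusted
]
SAMPLE_LINKS = [
    "https://www.hmrc.gov.uk.refund-claims.example/login",  # trusted name as prefix only
    "https://online.hmrc.gov.uk/",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(check_sender(header))
    for link in SAMPLE_LINKS:
        print(link, link_ok(link))
```

A clean result only means the visible address and link are on the expected domain; sender addresses can be forged, so the other rules in this guide still apply.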
If you receive an email from HMRC or any other business/association that you are unsure of, then please do not hesitate to contact your TTR Barnes account manager. We will endeavour to keep our clients updated on all of the latest phishing scams targeting HMRC, Companies House and other relevant organisations.