Ahead of the Self-Assessment tax return deadline, a reminder to be vigilant to HMRC scams

14 January 2020

As the deadline for filing Self-Assessment tax returns fast approaches, the CIPP thought it would be important to remind members and their staff of the importance of being alert to scammers who purport to be HMRC in an attempt to steal the hard-earned money of individuals.

There are multiple ways in which these unscrupulous criminals work, and they contact people via a range of channels. They will attempt to lull people into a false sense of security and may do so via a phone call, by email or even via WhatsApp and social media. The most frequently used scams are discussed below.

Tax refund and rebate schemes

The biggest piece of advice in this area is that HMRC will never send email notifications in relation to tax rebates or refunds. If you do receive an email of this nature, do not visit any website it links to, open any attachments or provide personal or payment information. As fraudsters are becoming increasingly sophisticated, they may have the ability to spoof a genuine email address or change the ‘display name’ in an attempt to make the email look more authentic.

There is an example of what a phishing email and bogus website might look like on the GOV.UK pages. It would be advisable to familiarise yourself with these examples so that you are aware of what you need to be looking for.

HMRC will never request any personal or financial information when they send text messages. If you do get a text message asking for this information, you should refrain from replying and avoid clicking on any of the links in the message. The fraudulent message should be forwarded to 60599 or emailed to phishing@hmrc.gov.uk. The text should then be deleted.

There is a phishing campaign that contains a PDF attachment with the advice that customers need to ‘download a PDF attachment’ in order to receive a tax refund. The PDF includes a link to a phishing site that asks for personal or financial information. Do not reply to the email or download the attachment and instead forward the email to phishing@hmrc.gov.uk and then delete it.

Bogus phone calls

A widely reported scam, often aimed at the elderly and more vulnerable in society, consists of an automated phone call which states that HMRC is filing a lawsuit against you and that you should speak to somebody and make a payment. The advice given here is to terminate the call straight away. Other calls may offer a tax refund and ask you to provide payment information. Do not provide any of these details. In the event that you do fall victim to a scam, report it to Action Fraud. To aid HMRC in its investigation of scams, you should email phishing@hmrc.gov.uk stating the date of the call, the phone number used and the content of the call.

WhatsApp messages

HMRC won’t use WhatsApp to communicate with customers about tax refunds and if you ever receive a message from HMRC on WhatsApp, it will be a scam. Email the details to phishing@hmrc.gov.uk and then delete the message.

Social media

Direct messages are being sent to workers through social media, for example on Twitter. Again, these messages relate to the offer of a tax refund. HMRC confirms that they will never use social media to offer a tax rebate or to request personal or financial information. The details should be sent to phishing@hmrc.gov.uk and the message should be ignored.

Refund companies

Companies may contact people via text or email to advertise their services, where they offer to apply to HMRC for a tax rebate on your behalf but will do so for a fee. These companies are not connected to HMRC at all, and you should read disclaimers and ‘small print’ before utilising the service so that you are fully aware of the cost implications.

Export clearance process (delivery stop order) emails

Emails which claim that goods have been withheld by customs and that payment is required to secure their release are officially known as ‘419 scams’. People have received emails asking for payments or personal and financial information in order to receive lottery winnings, seized goods or packages, certificates or bonds and inheritance payments. The name of a real HMRC staff member may be used as the sign-off in an attempt to add an element of authenticity to the email, but these sorts of communications are not genuine. Details should be sent to phishing@hmrc.gov.uk and the email discarded.