P: +44 (0) 23 8076 2570

recognising phishing emails

HMRC updated guidance on phishing scams

//
Comment0
/

HMRC genuine and phishing/bogus emails and calls

HMRC have issued an update of their guidance on how to recognise genuine HMRC contact be it via email or text.

They have also issued a warning regarding two telephone scams that they are aware of.

The details of the two phone scams are as follows:

  • Taxpayers receive telephone calls claiming to be from HMRC requesting personal information in order to receive a tax refund, or to demand money for an unpaid tax bill.
  • A recorded message is left, allegedly from HMRC, advising ‘that HMRC are bringing a lawsuit against the individual and is going to sue them. The recipient is asked to phone 0161 8508494 and press “1” to speak to the officer dealing with the case.

HMRC are advising that taxpayers should not reply to the message and should report this to Action Fraud, or you can call Action Fraud on 0300 123 2050.

Internet links: HMRC guidance


Genuine HMRC contact and recognising phishing emails

1.Current list of digital and other contact issued from HM Revenue and Customs (HMRC)

1.1 Tax-Free Childcare Communications

From the 15 August 2016, HMRC, in partnership with TNS BMRB (an independent research agency), will be inviting people to register and take part in an early trial of Tax-Free Childcare.

The emails and letters will include the HM Government logo and contain links to GOV.UK guidance and a site for people to register an interest in taking part in the trial.

Communications to Childcare Providers

From July 2016, HMRC, in partnership with National Savings and Investments (Nsandi) will be sending emails and letters to childcare providers, these e-mails contain information about Tax-Free Childcare.

The sender address may show as “Nsandi” and contains a link to additional information available on GOV.UK, such as ‘top things childcare providers should know’. These communications will never ask for personal or financial information.

1.2 Employer Bulletin 60 – email

HMRC sends informational emails several times a year to employers who have registered to receive them. These emails never ask you to provide personal or financial information. The latest batch of emails issued by HMRC will be sent from 15 June 2016. The emails are titled ‘Important information for employers’ and refer to Employer Bulletin 60. The emails include links which direct recipients to pages on the HMRC website, including advice about online security.

1.3 Trade statistics import/export data emails

HMRC’s Trade Statistics Unit regularly sends emails to business customers regarding import and export statistical data, and the related services accessed from HMRC’s trade statistics website.

These include business alerts, service updates, deadline reminders, data quality reviews and survey requests. These messages may include links to further information, educational or survey content on the uktradeinfo website.

They will not request any personal, payment or tax related information.

1.4 Tax credits letters from Concentrix

A company called Concentrix is working on behalf of HMRC to check that people are receiving the correct amount of tax credits.

Some tax credits customers will receive a letter that shows both HMRC and Concentrix logos. The letter will tell customers what they need to do, and the information they may need to provide. Concentrix may also contact customers by telephone.

HMRC and Concentrix won’t ask customers to disclose any personal or payment information by text or email. Both HMRC and Concentrix are committed to ensuring the security of customer information.

1.5 Educational emails

HMRC will periodically send emails to customers to support their business life events. The emails will include links to relevant online digital education material used to offer you help in relation to your business and will appear in your address bar as no.reply@advice.hmrc.gsi.gov.uk. These emails will never ask you to provide personal or financial information.

1.6 Debt Management

Text messages

HMRC is sending text messages to some customers, explaining what you need to do if you’re behind with your payments. These messages will also give details for payingHMRC or a helpline number for you to contact.

HMRC are also sending messages that will give advice about the importance of making payments using the correct information.

The messages won’t request any personal or financial information.

Voice prompts to landline and mobile phones

HMRC is sending voice prompts to some customers, explaining what you need to do if you’re behind with your payments. Customers will receive these as an inbound phone call giving details for paying HMRC or a helpline number for you to contact.

HMRC are also sending messages that will give advice about the importance of making payments using the correct information.

The messages won’t request any personal or financial information.

1.7 Inheritance Tax online registration and application emails

From 2 November 2015 HMRC will be sending out emails to customers inviting them to trial the new Inheritance Tax online private beta service. Customers will be asked to use the Government Gateway and will need to have previously registered for self-assessment tax returns with HMRC before applying.

Only customers who have already had contact with the Inheritance Tax and Probate helpline and have agreed to take part in the pilot will be sent this email.

These emails will not ask you for any personal or financial information.

1.8 VAT emails

1.8.1 VAT Returns – email reminders

HMRC will send an email to customers to remind them when their VAT return is due if they have registered to receive email reminders. The emails are entitled ‘Reminder to file your VAT Return’ and contain links to a further information page and a link to the sign in page on GOV.UK. These emails will never ask you to provide personal or financial information.

1.8.2 VAT registration – email

HMRC will send an email to customers who have registered for VAT using HMRC online services. HMRC will use the email address customers have provided to advise that they need to log into their online tax account in order to view a message in the secure messaging area. These emails will never ask you to provide personal or financial information.

1.8.3 VAT debts – email reminders

HMRC may send an email to customers who are overdue with VAT payments. HMRC will use email addresses that customers have already provided and will recommend that customers pay online to avoid further action. These emails will never ask you to provide personal or financial information. You will not be able to reply to the emails, which will be sent from no.reply@advice.hmrc.gsi.gov.uk.

2.How to tell if an email is fraudulent

As well as spelling mistakes and poor grammar, there are a number of things you can look out for to help you recognise a phishing/bogus email.

2.1 Incorrect ‘From’ address

Look out for a sender’s email address that is similar to, but not the same as, HMRC’s email addresses. Fraudsters often have email accounts with HMRC or revenue names in them (such as ‘refunds@hmrc.org.uk’). These email addresses are used to mislead you.

However be aware, fraudsters can falsify (spoof) the ‘from’ address to look like a legitimate HMRC address (for example ‘@hmrc.gov.uk’).

If you’re not 100% sure that the message has come from us don’t open it. If you do open the email and you’re in doubt don’t click on any links or downloads.

Examples of phishing and bogus emails

2.2 Personal information

Emails from HMRC will never:

  • notify you of a tax rebate
  • offer you a repayment
  • ask you to disclose personal information such as your full address, postcode, Unique Taxpayer Reference or details of your bank account
  • give a non HMRC personal email address to send a response to
  • ask for financial information such as specific figures or tax computations, unless you’ve given us prior consent and you have formally accepted the risks
  • have attachments, unless you have given prior consent and you have formally accepted the risks
  • provide a link to a secure log-in page or a form asking for information – instead we will ask you to log on to your online account to check for information

2.3 Urgent action required

Fraudsters ask for immediate action. Be wary of emails containing phrases like ‘you only have 3 days to reply’ or ‘urgent action required’.

2.4 Bogus websites

Fraudsters often include links to webpages that look like the homepage of the HMRCwebsite. This is to trick you into disclosing personal/confidential information. Just because the page may look genuine, does not mean it is. Bogus webpages often contain links to banks/building societies, or display fields and boxes requesting your personal information such as passwords, credit card or bank account details.

You should be aware that fraudsters sometimes include genuine links to HMRC web pages in their emails, this is to try and make their emails appear genuine.

2.5 Common greeting

Fraudsters often send high volumes of phishing emails in one go so even though they may have your email address, they seldom have your name. Be cautious of emails sent with a generic greeting such as ‘Dear Customer’. Emails from HMRC will always:

  • use the name you’ve provided to us
  • include information on how to report phishing emails to HMRC

2.6 Attachments

Be cautious of attachments as these could contain viruses designed to steal your personal information.

3.HMRC SMS Text Messages

3.1 SMS text message – activating 2-Step Verification

2-Step Verification is an additional security feature which helps to prevent someone else from accessing a customer’s digital account, even if they have their User ID and password. When activating 2-Step Verification, HMRC will send an access code via SMSto the customers’ nominated mobile phone number, which the customer will need to complete the set-up. These SMS messages will never ask the customer to provide personal or financial information.

This means that once customers have activated 2-Step Verification, the only way to access the account will be with the Government Gateway user ID, Password and access to the phone which has been registered.

HMRC is planning ways of increasing the number of users who can benefit from 2-Step Verification.

3.2 SMS Text Message – 2-Step Verification for future log-ins

After activating 2-Step Verification, each time the customer logs in, HMRC will send an access code via SMS to the registered mobile phone number, which will be needed to complete the log-in process. These SMS Messages will never ask the customer to provide personal or financial information.

If a customer no longer has access to the mobile phone registered for 2-Step Verification, they will need to ring the Online Services Helpdesk and verify their identity to deactivate it. The customer can then register their new mobile number for 2-Step Verification when they log in the next time.

3.3 Tax credits – SMS text or voice prompts

HMRC is contacting some tax credit customers by SMS and voice message asking them to update or confirm their circumstances if the details they hold (ie income or working hours) differ from the information shown on their employer records.

Tax credit customers who send in their renewal or a new claim will receive an SMS text message confirming that HMRC has received their claim or renewal and estimated processing times. Customers may also receive an SMS text message to remind them to renew their tax credits claim. These reminder messages will only direct them to the GOV.UK website to renew their claims online. These messages will not request any personal or financial information.

Tax credit customers who report a change in their circumstances using the online service may receive an SMS text message confirming that HMRC has received and processed their change. These messages will not request any personal or financial information.

If you have received a phishing/bogus email related to HMRC, or you’re not sure if it’s genuine, you can read about how to report internet scams and phishing to HMRC.

Leave a Reply

Social media & sharing icons powered by UltimatelySocial

Enjoy this article? Please spread the word :)