Sophisticated self assessment scams ramp up ahead of deadline
22 January 2021: As the 31 January self assessment deadline inches ever closer, criminals are becoming increasingly credible in their attempts to defraud their victims using email, text and internet communications.
Scammers are producing increasingly convincing emails and spoof websites, which typically ask for money to be transferred into a new account, promising tax rebates or even threatening arrest if they don’t pay the fictitious tax owed.
One concerning development flagged to ICAEW Insights is that criminals are using HMRC’s public style guide, which contains information about the tax authority’s use of language and fonts. This makes it harder for taxpayers to spot fraudulent activity.
However, Jed Kafetz, Head of Penetration Testing at security services company Redscan, told ICAEW Insights that one of the best ways of spotting such attacks was still to look for errors and discrepancies in the style and presentation of communications.
Kafetz said the emotional response elicited by HMRC communications was one of the reasons scams of this nature were so successful and popular among cybercriminals. “Attackers know that people are fearful of HMRC’s powers and that this can prompt them to click a link without scrutinising it properly.”
“Just as a real bank would never ask customers to share their pin on the phone, the real HMRC never sends emails asking for details or payment,” Kafetz added. “Accountants should remind clients that HMRC only sends letters regarding taxpayer specific information, never emails. If everyone was aware of this fact, all HMRC phishing emails would fail and eventually stop. Alas, this is not the case yet and HMRC has to take down thousands of spoofed websites every year.”
Mike Fell, HMRC’s Head of Cyber Operations, said criminals were abusing HMRC’s well-known brand to add credibility to their scams. He stressed that HMRC would never contact taxpayers directly asking to pay money into a bank account.
“If someone texts, calls or emails claiming to be from HMRC, saying that you are due a tax refund or owe tax, or asks for bank or other personal details, it might be a scam. Check gov.uk for our scams checklist and to report tax scams,” Fell said.
ICAEW is warning that communications that are unexpected, threatening and with spelling mistakes or from an email address that looks wrong should ring warning bells.
Anita Monteith, ICAEW Tax Policy Manager, said bearing in mind the looming tax deadline, it was important to be increasingly vigilant and act with caution: “Do not give out personal information, download attachments or click on links in unexpected text messages or emails.
“Visit the HMRC website for advice on how to report suspicious calls or messages, and if you think you’ve been a victim of a scam and have suffered lost money, report it to Action Fraud,” Monteith added. Tax refunds can always be safely claimed by logging into your Personal Tax Account.
In the last 12 months, HMRC has responded to more than 846,000 referrals of suspicious HMRC contact from the public and reported over 15,500 malicious web pages to internet service providers. Almost 500,000 of the referrals from the public offered bogus tax rebates, where fraudsters use phone, email or texts to contact victims, primarily offering bogus tax rebates to extract personal details, and particularly their bank details.