This is a question that is often asked of accountants, but how can you spot a fake email purporting to be from HM Revenue & Customs (HMRC)?
To help businesses, HMRC has issued new guidance that lays bare some of the techniques used by fraudsters and gives a comprehensive guide on how to tell a genuine email from the taxman.
Below are some of the points taken from the HMRC website to help spot fraudulent emails, a scam known as phishing.
Identifying a fraudulent email:
- HMRC says one simple way to spot a fraudulent email is spelling errors and mistakes in the email’s text. This, they say, is an obvious giveaway.
- Check the ‘From’ address comes from the Gov.uk site. Fraudsters often have email accounts with HMRC or Revenue names in them, for example firstname.lastname@example.org. These email addresses are used to mislead businesses and individuals.
- However, HMRC is keen to point out that many smart fraudsters can now falsify the ‘From’ address so that it looks like a legitimate HMRC address, for example ‘@hmrc.gov.uk’.
- They say anyone who is not 100 per cent sure of the origin of the email should avoid opening it, and if you do open the email and you’re in doubt, don’t click on any links or downloads.
- Be suspicious of any email that requests immediate action. HMRC will not make demands in this manner.
- Fraudsters often send high volumes of phishing emails in one go so even though they may have your email address, they seldom have your name. Be cautious of emails sent with a generic greeting such as ‘Dear Customer’. Emails from HMRC will always use the name you’ve provided to them and include information on how to report phishing emails to HMRC.
Take note that emails from HMRC will never:
- Notify you of a tax rebate.
- Offer you a repayment.
- Ask you to disclose personal information such as your full address, postcode, Unique Taxpayer Reference or details of your bank account.
- Give a non-HMRC personal email address to send a response to.
- Ask for financial information such as specific figures or tax computations, unless you’ve given HMRC prior consent and you have formally accepted the risks.
- Have attachments, unless you have given prior consent and you have formally accepted the risks.
- Provide a link to a secure log-in page or a form asking for information – instead HMRC will ask you to log on to your online account to check for information.
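For anyone who triages reported emails, the checks in the two lists above can be sketched as a short script. This is an added example, not code from HMRC or the original article; the sample message, keyword lists and flag names are assumptions made for illustration. An empty result does not prove an email is genuine, because the ‘From’ address can be falsified.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: sender, link and wording are made up.
SAMPLE = """\
From: HMRC Refunds <refunds@hmrc-rebate.example>
Subject: Tax rebate - act immediately

Dear Customer,
You are due a tax rebate. Confirm your bank account details immediately:
https://hmrc-rebate.example/claim
"""

# Keyword heuristics for the checklist items (assumed wording, not HMRC's).
CHECKS = [
    ("generic-greeting", re.compile(r"^\s*dear\s+(customer|taxpayer|sir|madam|user)\b", re.I | re.M)),
    ("urgency", re.compile(r"\b(immediately|urgent(ly)?|within 24 hours|final notice)\b", re.I)),
    ("rebate-or-repayment", re.compile(r"\b(rebate|refund|repayment)\b", re.I)),
    ("asks-personal-info", re.compile(r"\b(bank account|postcode|unique taxpayer reference|password)\b", re.I)),
    ("link", re.compile(r"https?://", re.I)),
]

def triage(raw):
    """Return the checklist indicators found in a raw email, in a fixed order."""
    msg = message_from_string(raw)
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Match the whole domain suffix so "hmrc.gov.uk.example" is not accepted.
    if not (domain == "gov.uk" or domain.endswith(".gov.uk")):
        flags.append("from-not-gov.uk")
        if re.search(r"hmrc|revenue", display + addr, re.I):
            flags.append("hmrc-name-on-non-gov.uk-address")
    parts = list(msg.walk())
    if any(p.get_filename() for p in parts):
        flags.append("attachment")
    text = msg.get("Subject", "") + "\n" + "\n".join(
        p.get_payload() for p in parts
        if p.get_content_type() == "text/plain" and not p.get_filename())
    flags += [name for name, rx in CHECKS if rx.search(text)]
    return flags

if __name__ == "__main__":
    print(triage(SAMPLE))
```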
If you believe you have received a phishing email related to HMRC, or you are not sure if it is genuine, you can forward any suspicious emails or details of text messages to email@example.com or check HMRC’s guidance on recognising scams.
If you believe you have given out any information to fraudsters then you should contact firstname.lastname@example.org. Include brief details of what you disclosed (e.g. name, address, HMRC User ID, password) but do not give your personal details in the email.