‘Phishing’ is the term used to describe the fraudulent act of emailing a person in order to trick them into revealing their personal or financial information. HMRC has issued guidance to help its customers recognise when an email from them is genuine or fake.
HMRC’s move to providing more and more of its services online means that taxpayers and agents are increasingly at risk of being targeted with emails from devious fraudsters. These emails, which often look authentic, will usually request personal information such as date of birth, bank details or passwords. With a Self Assessment tax payment date on 31 January 2016, now is the time to be extra vigilant.
HMRC have confirmed that they will never send notifications of a tax rebate by email and they will never ask people to disclose personal or payment information by email.
How to tell if an email is fraudulent
Check it’s from a genuine HMRC email address
Often the fraudster will create an email address which looks very similar to an HMRC email address, for example ‘refunds@hmrc.gov.uk’. You can find more examples of false email addresses in a list provided by HMRC here.
Be wary of links to fake websites asking for personal details
You may be asked to click a link in an email which will take you to a bogus website. These web pages can be very convincing but will often contains links, display fields or boxes asking you to input bank or credit card details and passwords. HMRC have warned that some phishers also add links to actual HMRC websites in their efforts to make the emails appear genuine.
The email isn’t personalised to the recipient
Fraudsters often send many phishing emails in one go and will therefore use a generic greeting such as ‘Dear Customer’ rather than a name.
Remember, attachments could contain viruses
Caution should be taken before opening attachments on an email; these may contain viruses designed to steal personal information from the recipient’s computer.
Report phishy emails
HMRC have advised that any suspicious emails should be sent to phishing@hmrc.gsi.gov.uk.
If you mistakenly supply personal information in reply to an email or text, send details of what has been disclosed (e.g. name, address – but not the actual details) to security.custcon@hmrc.gsi.gov.uk