In August 2020 HMRC received 74,800 reports of scam communications attempting to defraud the public. Text messages, phone calls, social media contacts and emails that are all designed to get taxpayers to hand over their money or valuable personal information. Of those, almost 41,300 directly offered fake tax rebates.
This is alongside a whole range of other cybercrime directly using the COVID-19 pandemic and strain on the NHS to con people out of their money or personal details.
And, as expected, the scammers also have seasonal campaigns. Not the traditional Hallowe’en costumes and Bonfire Night toffee. But carefully worded campaigns to take advantage of first year students. Many of them are in charge of their own finances for the first time and inexperienced in dealing with HMRC. The perfect target for criminals.
What’s the new tax rebate scam?
In August 2019, the number of reported scams that were specifically offering a tax rebate was 18,217. It’s the enormous jump to 41,300 this year that’s prompted HMRC’s press release. And there’s more than one new adaptation to their basic formula.
As people are becoming better at detecting fake emails, the criminals are sending more SMS messages. One recently reported message, supposedly from HMRC, telling the recipient they were due a tax rebate and they should click on the link to get their money. The website in the link is called “Coronavirus (COVID-19) guidance and support’ and uses recognisable HMRC font and logo. Once you’re on this site, they ask for several pieces of information and your Government Gateway password or passport number to prove your identity. Obviously, their aim is to steal personal details in order to sell them or access your accounts and steal your money.
Other new versions of the same scam offering tax rebate specifically aimed at people using the Self Employment Income Support Scheme (SEISS) and the Coronavirus Job Retention Scheme (CJSR). The SEISS one is a text message promising a tax rebate and leading to a fake HMRC website where you are asked to input private information (including your HMRC log-in details). The CJRS scam is an email that is signed by Jim Harra, who is the Chief Executive of HMRC, adding to its believability. But this one is an attempt to get business owners to reveal their bank account details.
As ever, one of the biggest problems is that the criminals running these scams know their stuff. The websites are convincing, with correct HMRC logos and contact details. And, like any good marketer, they stay up to date with current events. The fear of COVID-19, confusion around official financial support packages and an increasing number of taxpayers in difficult financial situation are all used to boost the success of these frauds.
HMRC NEVER TELL YOU ABOUT TAX REBATES BY TEXT, WHATSAPP, SOCIAL MEDIA OR EMAIL
This is the one vital fact that you need to remember. None of these methods of communication are used by HMRC to inform taxpayers that they are owed money. They are all fake. This makes your job much easier and, hopefully, reduces your concern about being taken in. HMRC also never ask for personal or financial details using these, less safe methods of communication.
HMRC letter to universities
Again, paying attention to the time of year, cyber criminals also home in on students as they start their first year at college or university. Many are living away from home for the first time and have sole responsibility for their financial situation. Their only contact with HMRC is likely to be if they have a summer job that was emergency taxed. This new relationship with HMRC means that they haven’t got real communications to compare fake ones to.
Leaving students even more vulnerable to losing money and identity theft. Add on the extra pressures of surviving independently under constantly changing COIVD-19 restrictions and there is a lot of scope for large numbers of young people to be ripped off.
HMRC wrote to universities, asking them to really make sure students are informed about the kind of risks they face. Here is an excerpt from that letter:
“We also know students can be approached to act as money mules, with offers of a reward to transfer funds through their own, genuine financial accounts, inadvertently laundering criminal funds.
New university students who might have had little or no interaction with the tax system might be tricked into clicking on links in such emails or texts. We are therefore asking each university to join us again in raising awareness of HMRC scams as early as possible in the academic year and in encouraging university leaders to ensure fraud prevention and cyber advice is integrated into your guidance for new students, to help prevent financial loss.”
The reason for the letter is explained by Michelle Donelan, Universities Minister: I want every student to be as safe as possible this term, both online and offline, and it is absolutely vital they are aware of the risks posed by tax scams. I encourage institutions to warn students about this issue and arm them with the information they need to identify and respond to tax scams if they should be targeted.”
Chief Executive of Universities UK, Alistair Jarvis, supports the message: said: “The security and welfare of students is always a priority for universities. The message to students, at what is a particularly stressful time, is to remain vigilant and question anything that seems unusual. Any student who fears their account may have been misused is encouraged to speak to either university support services, their bank, or to the police via Action Fraud.”
Financial Secretary to the Treasury, Jesse Norman points out that everyone has their part to play to keep students safe from cyber crime: “Cyber criminals use every method they can to steal money and personal data from students. We are concerned that remote working because of Covid-19 could lead to more tax scams targeting a new and potentially vulnerable university intake. HM Revenue and Customs is doing everything it can to clamp down on cyber fraud, but students also need to be vigilant. We would urge university principals to take a lead in helping to protect their students from these cyber criminals by raising awareness of what to look out for.”
What should I do with any suspicious looking HMRC communications?
Firstly, look at all messages, calls and emails from HMRC as suspicious. Don’t do anything with any of them until you have authenticated it. HMRC will not be asking you to ‘urgently confirm your personal details’. Nor will they phone and threaten the police if you don’t pay immediately. But they also won’t be telling you you’ve got a tax rebate by text (even if they’re relating it to coronavirus conditions). You need to think before you click. Quickly clicking through to links, assuming the email (for example) is genuine, totally works in the criminals’ favour. Slow down. Really look at what you’ve received. Is it a bit dodgy? Does it seem a bit too good to be true?
Check its authenticity by looking at HMRC’s examples and their list of recent communications.
Don’t worry, if it is genuine, HMRC advisors won’t be offended if you hang up to check. Just make sure you get the number from the GOV.UK website, not from the initial caller. They’ve got that all set up too, so you ring the scammers back and still end up losing money.
So, think before you click and do not give any personal or financial details. Then report it to HMRC phishing team. Forward texts to 60599 and emails or phone call details to [email protected]. At the moment, you can’t speak to the fraud team because the secure phone network is not currently available, due to COVID-19 restrictions.
