Cybercriminals aim to catch you out with carefully crafted phishing emails, text messages and telephone scams impersonating the HMRC to force you into making a false tax return payment. These scams have also been known to harvest sensitive information from you such as bank details, login credentials and personally identifiable information (PII) for future attacks.
Tremendous work has been carried out by HMRC over the last few years to raise awareness and reduce the number of victims that fall to these scams. A dedicated Customer Protection team works around the clock to close down tax return scams and shares intelligence with law enforcement agencies to assist in stamping out cybercrime.
Recent statistics released by the HMRC show HMRC scams over the telephone fell by 97% over the last 12 months. In March 2021, HMRC telephone scams peaked at 79,477 and fell to 2,491 in December 2021. The HMRC also report a 92% drop in phishing email reports and a 97% fall in text message scams.
Mike Fell, HMRC’s Head of Cyber Security Operations, said:
We work incredibly hard to protect the public from these criminals who ruin lives by stealing from people. It’s great news that fewer people are receiving and reporting these attempted frauds, but it is still important they continue to report suspicious contact to us. We will continue to do everything we can to protect the public from these cynical attempts to impersonate HMRC to steal from people.
Though with the deadline for self-assessment tax returns fast approaching (31st January, though expected to be waived until the end of February), HMRC scams are re-circulating around this time. There is a particularly heightened risk this year as it’s reported that more than three million people are yet to file their tax returns.
How do you ensure you don’t fall victim to one of these attacks?
Know the facts
Anyone unable to pay their self-assessment tax by 31 January will not receive a late payment penalty if they pay their tax in full, or set up a time to pay arrangement (which spreads the cost over time), by 1 April.
You will never receive an email, text message, message in an application or phone call from the HMRC regarding a tax rebate or penalty or that asks you for personal or payment information.
Report HMRC scams
Reporting a scam helps to protect you and others from future attacks.
You can report something suspicious to HM Revenue and Customs’ (HMRC) phishing team, for example:
- a text message (forward it to 60599 – you’ll be charged at your network rate)
- a message in an application, for example WhatsApp – take a screenshot and forward as an email
- phone calls asking for personal information or threatening a lawsuit (report a phone call)
- An email (forward it to HMRC)
If you’ve given your personal details to someone
Contact the HMRC security team if you think you’ve given any personal information in reply to a suspicious email or text.
Include brief details of what you disclosed (for example name, address, HMRC User ID, password) but do not give your personal details in the email.
Additional support with stopping cybercrime
The most effective method to ensure you and your organisation don’t fall victim to cybercrime is to roll out cyber security training and phishing testing. Over 90% of security incidents within organisations are caused by employees, through attacks such as spear phishing and social engineering.
Our fully managed Security Awareness Training and Testing service significantly reduces the risk employees pose by correctly educating them on modern cyber threats and most importantly, keeping them vigilant by regular simulated phishing tests and remediation.
For more information on our SATT service, please visit our security awareness training page.