Several of my clients have recently told me that they have been receiving emails, supposedly from HMRC, inviting them to click links within the emails in order to apply for tax refunds. Regrettably, some have confirmed that they did indeed click the links and log on to fake HMRC websites, which looked every bit real to them, thereby giving away sensitive information such as their bank details and their mother's maiden name. Handing over such information to fraudsters can be an expensive mistake. In view of this, I thought I would give readers more information on what to look out for, what to expect to receive from HMRC, and what not to.


Firstly: How to Recognise a Scam Email

Here is an example of a real phishing (scam) email recently received by one of my clients. I have highlighted various areas of the email to indicate some of the telltale signs that the email is, indeed, a phishing attempt by fraudsters rather than a genuine communication from HMRC.

[Image: phishing-example-2, the annotated phishing email]


Some of the many telltale signs that this email is fake include:

  • The sender is from a non-official domain (hmrcupdate.com is *not* a genuine HMRC website). Be careful, though: the ‘From’ address is just a field the sender fills in, and some of the more advanced phishing emails forge a genuine HMRC address through what’s known as ‘spoofing’, so a correct-looking sender is not proof on its own.
  • The recipient is not identified by name in either the ‘To’ field or the salutation (‘Dear Sir | Madam’ is a dead giveaway, as is the fact that the email was sent to ‘undisclosed recipients’!). Genuine HMRC emails will always address you by the name you provided them.
  • Phishing emails often include silly errors that simply would not be published by the likes of HMRC. Under the logo, the date is wrong: it does not even mention a month!
  • The email states that you ‘are due some refunds’ (plural). If HMRC did send emails announcing that a refund was available (and it doesn’t) then it would be singular, not plural! This is one of many hints that the sender has poor English (read on).
  • ‘Press here’ is another example of poor English. Of course, in the UK, we’d say ‘Click here’.
  • ‘Povide us’ is clearly spelt wrong; there should be an ‘r’ in ‘Provide’. Spelling errors are a common indication that the email is not genuine and has instead been written by someone whose English spelling and grammar are not what you would expect from HMRC.
  • Further down it says ‘for refund’ whereas it should say ‘for the refund’. Poor English/grammar again and another hint that this is a scam.
  • Hover over the link in the email (without clicking it) and, if your email application shows a status bar or tooltip, you can see where the link really points. The words you see in the link text can be anything the sender chooses, so it is the underlying address that matters. In this case it points to a goo.gl address, a URL shortener that hides the real destination; a genuine HMRC email would never link through a shortener.
  • Lastly, the email states that you have only 5 days to action the request. That is yet another telltale sign that this is a phishing scam. Fraudsters try to panic you into acting quickly, whereas HMRC would not make such a statement in a genuine email.
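The checks in the list above can be applied mechanically. The script below is an added example written for this post, not anything from HMRC; it parses a constructed sample email (built to match the one described above, with an assumed goo.gl link) and reports which of the telltale signs it finds: non-HMRC sender domain, no named recipient, generic salutation, talk of a refund, a deadline, and links that go through a shortener, point off the hmrc.gov.uk / gov.uk domains, or display one address while linking to another. The list of official domains is an assumption for the example. A forged (‘spoofed’) sender address would pass the first check, which is exactly why the other signs matter.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for this example: domains HMRC genuinely sends from (and their subdomains).
OFFICIAL_DOMAINS = ("hmrc.gov.uk", "gov.uk")
# Common URL shorteners; a shortener hides the real destination of a link.
URL_SHORTENERS = {"goo.gl", "bit.ly", "tinyurl.com", "t.co", "ow.ly"}
GENERIC_SALUTATIONS = ("dear sir", "dear madam", "dear customer", "dear taxpayer", "dear user")


def is_official(domain):
    """True if domain is one of OFFICIAL_DOMAINS or a subdomain of one."""
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in OFFICIAL_DOMAINS)


class LinkCollector(HTMLParser):
    """Collect (href, visible link text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw_message):
    """Return a list of human-readable phishing indicators found in an RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    sender = str(msg.get("From", ""))
    m = re.search(r"@([\w.-]+)", sender)
    if m and not is_official(m.group(1)):
        findings.append(f"sender domain {m.group(1)} is not an HMRC domain")

    recipient = str(msg.get("To", "")).lower()
    if not recipient or "undisclosed" in recipient:
        findings.append("no named recipient (undisclosed recipients)")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    text = re.sub(r"<[^>]+>", " ", body).lower()  # crude tag stripping for keyword checks

    if any(s in text for s in GENERIC_SALUTATIONS):
        findings.append("generic salutation")
    if "refund" in text:
        findings.append("mentions a refund (HMRC never emails about refunds)")
    if re.search(r"\b\d+\s+days\b", text):
        findings.append("deadline pressure")

    parser = LinkCollector()
    parser.feed(body)
    for href, label in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if host in URL_SHORTENERS:
            findings.append(f"link uses URL shortener {host}, destination hidden")
        elif not is_official(host):
            findings.append(f"link points to {host}, not an HMRC site")
        # Link text that shows a domain different from the real target.
        shown = re.search(r"([\w-]+\.)+[a-z]{2,}", label.lower())
        if shown and shown.group(0) != host and not host.endswith(shown.group(0)):
            findings.append(f"link text shows {shown.group(0)} but goes to {host}")
    return findings


# Constructed sample, modelled on the email described in this post (not the real message).
SAMPLE_PHISHING = """\
From: HM Revenue & Customs <refunds@hmrcupdate.com>
To: undisclosed recipients:;
Subject: Tax refund notification
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Sir | Madam,</p>
<p>After the last annual calculation we noticed you are due some refunds.</p>
<p><a href="https://goo.gl/abc123">Press here</a> to povide us your details for refund.</p>
<p>This request must be completed within 5 days.</p>
</body></html>
"""

# Constructed benign message for comparison: named recipient, official domain, no links.
SAMPLE_BENIGN = """\
From: HMRC <no-reply@hmrc.gov.uk>
To: John Smith <john.smith@example.com>
Subject: Your Self Assessment return
Content-Type: text/plain; charset="utf-8"

Dear John Smith,
We have received your tax return. No action is required.
"""

if __name__ == "__main__":
    for line in analyse(SAMPLE_PHISHING):
        print("!", line)
    print("benign findings:", analyse(SAMPLE_BENIGN))
```

The checks are deliberately simple keyword and domain tests; they flag the obvious scams like the one above and will miss a careful one, so treat a clean result as "no obvious signs", not as proof that the email is genuine.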

So you can see, when you look very carefully, that this is clearly a scam email. However, I should warn readers that other phishing emails are not so obvious. In fact, I have seen some real improvements in scam emails in recent months. One recent email was so genuine-looking that we’re not even 100% sure ourselves whether it’s a scam or not.

So what do you do if you are still not sure if an email is genuine?

If, after close scrutiny, you are still not sure whether the email is genuine, there are several things you can do …

  1. HMRC invite you to report possible phishing emails to them via https://www.gov.uk/report-suspicious-emails-websites-phishing.
  2. If you do want to visit the HMRC website, do not click links in emails or SMS messages. Instead, navigate to the HMRC site (and any account you may have there) from scratch by typing the known genuine web address into your browser’s address bar.
  3. Never open attachments in emails that you weren’t expecting. Most that we’ve received are phishing scams or contain malicious code, so we simply ignore them.
  4. An HMRC PDF guide showing more examples of phishing emails is available here and will give you more insight into what to look out for and what tricks the fraudsters are up to.
  5. Lots more information about what you should – and shouldn’t – expect to receive from HMRC is available here. The list of genuine potential communications from HMRC is a great place to start if you are unsure of the validity of a communication you have received (whether by email, post or SMS). For example, HMRC simply do not send *any* emails telling people that they are due a refund.
  6. Lastly, you can always ask me! I am used to spotting the signs of phishing scams, so feel free to get in contact if you’d like a second opinion.

Emails from HMRC will never:

  • tell you that you can get a tax refund;
  • offer you a tax repayment;
  • ask you to disclose personal information such as your full address, postcode, Unique Taxpayer Reference (‘UTR’) or details of your bank account;
  • give a non-genuine HMRC email address to reply to;
  • include links to supposedly secure log-in pages or forms that ask for sensitive information. Instead, you will be asked to log on to your online HMRC account manually, in the way described in the preceding section.

The same problems exist, of course, for anything to do with bank accounts, PayPal accounts, Apple, Amazon and eBay accounts, and so on. It’s not just limited to emails either. Fraudsters are now using SMS messages and, of course, are constantly looking for vulnerabilities in websites; it is now commonplace for websites to be under attack continuously. So the overriding message is that you need to keep your wits about you and be careful. Keep your anti-virus/security software up to date and do not log into sensitive accounts on public computers. Keep your website secure. Use strong passwords and so on.

I hope that this guide has helped, in particular through the real example of a phishing email above. If you have any queries just let me know. And, of course, if you’d like help obtaining a real tax refund from HMRC, please get in touch. My clients usually have their refund in just a few weeks.