Could you tell the taxman apart from a criminal? Whilst the physical differences in appearance may be stark, when it comes to communication, it can be hard to tell a fake HMRC letter or email from a real one.
For years, digital criminals have targeted taxpayers as the next big fraud victims. In 2013, HMRC said customers reported 91,000 phishing emails – attempts at conning small business owners, with promises of a tax refund, into giving away their bank card details.
Back then, the fakes were relatively easy to spot. A dodgy email in broken English would urge recipients to click a suspicious-looking URL to a web form. No wonder HMRC adopted a policy of never sending official emails.
But lately, the sophistication of these scams has levelled up. Our clients, as well as our own firm, have been targeted by a new wave of spam with quality that appears far more authentic than ever before.
The new generation of fraud comes in printed letters as well as emails, targets customers of HMRC or Companies House and is written to a far higher standard than its predecessors. The perpetrators behind these attempts have clearly read a lot of mail-outs from government agencies, as their modern phishing attempts closely mimic the language used in official notices, making it very hard for recipients to tell a fake HMRC letter from the real thing.
The logo reproduction on these fraudulent messages has vastly improved and the fake website links they use are a lot less suspicious. Even the emails’ “from:” field now closely resembles government agencies’ own.
These days, I have to spend much more time trying to tell a fake HMRC letter from the genuine notices. Our company and clients get around five of these letters a week via post, taking us up to 30 minutes a month to check over. And we get loads of phishing emails every day. Phishing 2.0 is building to become a big drain on UK productivity.
Crucially, this generation of phishing is much more insidious. We continue to get the classic hoax notice requesting payment for overdue tax returns, but also a new wave of more sophisticated scams.
Recently, a fraudster wrote to us, having noted our recent trademark application on a government site, requesting that we pay them within a set time, lest our trademark be revoked. The attempt was deceptive, but it traded on a kernel of truth. These guys are targeting companies with overdue tax returns, demanding payment be made to them, not to the Revenue.
This happens because a transparency drive has helped put more information about small businesses online for all to see. Companies House now shows company director, address and filing status information for free – and fraudsters are mining it to spam legitimate, busy business owners.
But they aren’t just posing as government agencies. The list of business functions which the criminals are targeting is growing. We recently received an official-sounding notice from a company demanding payment for a photo we used on our website, purporting to be a copyright fine. That email actually came from a legitimate company – but one that should not be conning businesses into coughing up for things they don’t have to.
As an accounting practice, we also get phishing attempts specifically geared toward gaining our HMRC portal login codes, so that fraudsters could reap refunds from our clients. It means we have had to step up to employ strict new security awareness measures.
These fraudsters are presenting British businesses with a headache they could do without. You should be spending your time making more money and growing your customer base, not identifying forged communications. But there are steps you can take to ensure you don’t fall victim.
Identifying a fake HMRC letter
Don’t click on email links
If the email concerns your tax or financial affairs, assume an ulterior motive. Instead of clicking, manually type in the URL.
Never give card details to an electronic request
Don’t pay up via the form they want you to. Instead, go to the HMRC website, check amounts owing and pay from there.
Seek professional help
If you are represented by an accountant, let them take care of it. They have a keen nose for a fake HMRC letter – and also know the true positioning of your account.
Ask the tax man
If you don’t have a firm on the books, go to the source. Validate with the company from whom the message purports to have been sent, and find out whether the request was genuine.
Tool up on tech
Use the latest anti-virus software and email spam filters. You would be surprised what the latest updates can stop from ever getting through.
Lay down the law
If you have employees, you need to set out rules for dealing with mailed or emailed payment requests. Staff should always be aware of the above best practice and never put company finances at risk.
The Pandle phishing document
Lee Murphy is the owner of accountancy software Pandle.