Hackers and scammers are always looking for plausible online identities to use so they can dupe their victims, and posing as HMRC has proved to be one of their most popular ploys in recent years. HMRC has received more than 2.6 million reports of phishing attempts over the past three financial years, while it also took action to remove over 20,000 fake websites during 2018.
Hackers are busy creating new scams all the time. For accounting firms, it’s vital to stay alert, since social engineering campaigns are now more targeted and sophisticated than ever before.
Here we look at some of the most common scams, as well as how you can protect your own firm and your clients from hackers.
Why do scammers love to imitate HMRC?
There are several reasons why cyber criminals love to use HMRC as a cover for their scams.
First and foremost, the HMRC name commands instant attention from recipients. People, quite understandably, fear falling foul of the tax authority, and this means they are more likely to respond to an HMRC letter or email without thinking. The offer of a tax rebate will naturally cause many recipients to drop their guard. Instead of being hit with a dreaded and unexpected tax bill, there is relief at the surprise bonus, which only increases the likelihood of responding without double checking where the message originated from.
In addition, posing as HMRC allows the hackers to cast a wide net with their phishing emails, as every adult in the UK will encounter the tax authorities. By contrast, other financial services companies will only have a fraction of those adults as their customers, meaning a far smaller potential target for the scam.
Some of HMRC’s high-profile blunders also work in the scammers’ favour. This year HMRC tried to fine taxpayers for failing to submit their self-assessment returns online – even though the deadline was still two weeks away. This type of mistake plays into the scammers’ hands by muddying the waters between real and fake communications.
HMRC’s communication style is relatively easy for scammers to imitate, as all the information they need is publicly available. Additionally, the ability to duplicate HMRC’s communication methods is especially effective when combined with key dates in the financial calendar, such as tax return and self-assessment deadlines.
However, the most popular HMRC-related scam remains the sending of spam emails offering tax rebates. Over the past three years, almost two million of these emails have been sent. As discussed above, these are particularly potent as they play on a range of the victim’s emotions.
Protecting your own firm and your clients
Cyber criminals invest a lot of time and effort into looking plausible; however, there are often tell-tale signs that their communications are not what they seem to be.
Check the domain of the sender email address to see if it is genuine and not a slight variation. Spelling mistakes and branding inconsistencies can also be indicators that something is amiss. It is vitally important to remember that HMRC does not ask for personal details via email, nor will it send links to click on. If unsure, never open an email, click on any links or download any attachments.
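The sender-domain check described above can be automated, for example on a shared mailbox. The following is an added example, not part of the original article; the trusted-domain list, the function names and the sample headers are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Assumption: domains this firm treats as genuine. Maintain your own list.
TRUSTED_DOMAINS = {"hmrc.gov.uk"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'suspicious', 'unknown' or 'invalid' for a From header."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if "@" not in addr or not domain:
        return "invalid"
    # Exact match, or a genuine subdomain of a trusted domain.
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    # Non-ASCII characters can imitate Latin letters; flag for manual review.
    if not domain.isascii():
        return "suspicious"
    for t in TRUSTED_DOMAINS:
        brand = t.split(".")[0]              # "hmrc" for hmrc.gov.uk
        if edit_distance(domain, t) <= 2:    # slight variation, e.g. hmrc-gov.uk
            return "suspicious"
        if brand in domain:                  # brand embedded in another domain
            return "suspicious"
        if brand in display.lower():         # brand appears only in the display name
            return "suspicious"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample headers, not taken from real messages.
    samples = [
        "HMRC <no-reply@hmrc.gov.uk>",
        "HMRC <refunds@hmrc-gov.uk>",
        "Tax Refund <info@hmrc.gov.uk.example.com>",
        "HMRC Rebates <billing@example.org>",
        "Alice <alice@example.org>",
    ]
    for header in samples:
        print(f"{classify_sender(header):<10} {header}")
```

A "trusted" result only means the domain string matches; the From header can be forged, so this check complements email authentication rather than replacing it.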
If a communication requests that you perform an action, such as sign in to a personal or business tax account, go to the website directly to do so, rather than follow a URL in the communication. Calling organisations to check the validity of requests is also a sensible option.
For additional protection, there are proactive network monitoring tools as well as authentication technologies which can help to reduce the receipt of emails from unknown senders. Cyber awareness training and assessments are also highly effective ways to reduce the risk of employees falling foul of scams.
Accountants should offer basic cyber security advice to both new and existing clients. This could involve highlighting known scams and sending timely warnings around key tax and accounting dates. HMRC recommends forwarding any suspicious emails to email@example.com. Alternatively, you can check HMRC’s guidance on recognising scams for further information.