Tax & admin 16 March 2017

Could you spot an HMRC phishing scam if sent one?

SMS Phishing scam
A phishing scam can come in many forms, from email through to SMS
Lee Murphy, owner of accountancy software business Pandle, guides us through some simple steps effective in identifying a phishing scam or fraudulent HMRC letter.

Taxman or criminal. Once an easy judgement call, deciphering between real and forged communication from HMRC, and others, is becoming an increasingly challenging feat.

In 2014 alone, almost 50 per cent of HMRC customers reported that they had been targeted by a phishing scam and in 2013 there were 91,000 phishing emails were passed on to the trade body.

In the past, broken English and dodgy-looking web-links clearly marked phishing scams apart from official HMRC communication. But now, the sophistication of these scammers has noticeably stepped up. Our firm, as well as our clients, have been targeted by spam that appears increasingly genuine.

Today, you can expect to receive fraudulent requests for bank details and money, in printed letters and emails. The written quality is far greater than in the past, and the senders appear ? in cases ? to be authentic. It would seem that the criminals behind these phishing scams have brushed up on government mail-outs as their attempts closely mirror the language used in official notices ? making it much harder to vet the forged from the real.

In addition, logo reproduction has greatly improved and website link-throughs are far less suspicious. Even the emails? sender tag now closely matches the government?s own.

I spend much more time today, than I have in the past, trying to sift out the fake notices from the genuine. On an average week our clients, and our firm, receives around five fraudulent letters in the post, and we?ve stopped counting the number of phishing scam emails we receive on a daily basis. Overall, this new wave of phishing is becoming a large drain on productivity.

More of these attempts are coming in the door due to a transparency drive that has pushed information about businesses online. Companies House now displays company addresses, filing status and business directors for free. Fraudsters use this data to target business owners with requests for information and payments that seem specific to their company.

Just recently we had a letter come in regarding our trademark application, information of which can be found on a government site, requesting that we pay a fee by a certain date or have our application revoked. Although we identified this as a phishing scam, the fact that criminals can now use your business? personal information against you is highly alarming.

Fraudulent email sent to Pandle regarding its trademark application

Pandle_phising letter (1) (2) copy 2

But don?t just expect phoney communication from those posing as government agencies. We also recently received a notice from a legitimate company requesting payment for a photo that we used on our website, flagging a copyright breach. We knew that the photo in question was used fairly and that the attempt was unfounded, but it came as a surprise to see that it?s not just individuals behind these phishing scam attempts, companies are too.

As we?re an accounting practice, we also have fraudulent attempts aimed toward gaining our HMRC portal login codes so that criminals can target our clients. We?ve had to step up our security awareness measures to combat this.

Overall, these scammers are giving British businesses a problem each could do without. Business owners should be spending their time focusing on their operations rather than trying to figure out if they owe money to a government body or not. This said, there are steps that you can take to reduce your chance of falling victim.

Avoid email links

If an email asks for information regarding your taxes or finances, you can assume an ulterior motive is at play. Rather than clicking on the link in the email, manually type in the URL.

Don?t give in to an electronic request

Instead of paying via the form you?re guided to, go to HMRC?s website and check amounts owed and pay there.

Ask a professional

If you have an accountant, tag them in. They?ll be able to spot a fake far quicker than you might, and they also have an overview of your accounts.

Go to the source

If you don?t have an accountant to go to the next best thing is to go straight to the source. Ask the company in question directly and find out if the request was real.

Update your tech

Ensure that you have the latest anti-virus software installed and effective spam filters. A no-brainer, but a simple solution that could save you big.

Set protocols

If you have employees, ground rules need to be set for dealing with email and printed payment requests. Your staff should always be aware of the best practice and should never put the company?s finances at risk.

Lee Murphy is the founder and CEO of Pandle.

Have a look at other HMRC content:

Sign up to our newsletter to get the latest from Business Advice.