⚠️ We are currently updating our 2021/22 tax guidance across the website
Protecting yourself online from phishing, malware and scams
With more and more government information and services moving online, it is important to understand how to protect your equipment and your personal details and information from theft, loss, attack or damage.
Techniques that cyber criminals may use to try to commit identity and financial theft and fraud include malware and phishing. These are serious crimes. Unfortunately, many people do not realise that they are being targeted until it is too late.
⚠️ Do not give out private information, reply to text messages, download attachments or click on any links unless you are sure they are genuine.
Guidance published on GOV.UK will help you decide whether messages from HMRC are genuine. This guidance includes examples of websites, emails, letters, text messages and phone calls used by scammers and fraudsters pretending to be HMRC.
⚠️ Warning: There are reports that scammers and fraudsters are using the coronavirus (COVID-19) situation to try to steal money or valuable personal information or get access to your computer or network. See our website guidance for further information.
In addition, there is more general guidance on protecting yourself online published by the National Centre for Cyber Security on GOV.UK. It gives useful information on passwords and backing up information.
Malware is the name given to software that has been designed to disrupt or damage data either your software or hardware. Types of Malware include viruses, worms and Trojans.
Malware can get into your computer or mobile phone in a variety of ways. Most involve a combination of technical factors and human interaction. For example, someone who is creating malware might:
- get you to download their malware by putting a link in an email or attaching the malware to an email.
- get you to download their malware by putting a link in an SMS text message.
- spread malware via a USB drive which transfers to your computer when you plug it in.
- spread malware via a downloadable mobile application (app).
- reproduce what looks like a genuine webpage (known as a malicious webpage) or insert a link into a genuine web page (known as a malicious link) to entice you to download the malware to your device.
Phishing is when someone sends a fake email, purporting to be from a legitimate organisation such as a bank, online retailer or government department such as HMRC. Phishing emails are designed to steal your personal or financial details, or to deliver malware to your software or hardware.
HMRC is, in fact recognised as one of the most phished brands in the world. The most common HMRC related phishing email heading is ‘Tax Refund Notification’. An email with this heading may ask you to update or to verify your personal and financial information. This may include your date of birth, login information, account details, credit card or PIN numbers.
To make the HMRC phishing emails look more authentic criminals will spoof, or masquerade, as legitimate HMRC domains, most commonly @HMRC.gov.uk.
These emails frequently appear to be genuine but if you divulge information you may be at serious risk of identity or financial theft. You also risk having your personal details sold on to other criminals.
⚠️ HMRC will never offer you a repayment, notify you of a tax refund or ask you to disclose personal or financial information by email or fax. If you choose to receive paperless notifications from HMRC, you may receive email messages which will direct you to sign in to your HMRC online account from where you can view the notification. HMRC will never include a link to your account.
Types of Phishing
Unlike an ordinary phishing email which is sent out to a large number of people rather than targeted individuals, spear-phishing will have been specifically crafted and targeted. It will seemingly come from someone or a recognised organisation such as HMRC that seems relevant to the person targeted. The content of the email will also be of a pertinent nature to the person targeted.
Spear-phishing is often much more sophisticated and elaborate than ordinary email phishing. Attackers will find out information from social media sites (like Facebook and LinkedIn) to tailor the email so that it is extremely accurate and compelling. The purpose of spear-phishing is often to obtain sensitive information.
SMiShing: (SMS Phishing)
SMiShing is the text message equivalent of email ‘phishing’. It involves sending a message containing a malicious link that the recipient is enticed to follow.
HMRC may occasionally send text messages but these messages will never request personal or financial information.
If you have any doubt about the authenticity of a SMS text message which claims to come from HMRC, please do not follow any links within the message, disclose any personal details or respond to it.
Vishing: (Voice Phishing)
Vishing is the act of using the telephone in an attempt to scam you into divulging private information that will be used for identity or financial theft. The scammer usually pretends to be a legitimate business and fools the victim into thinking he or she will profit.
HMRC is aware that some people have received telephone calls or home visits from people claiming to be from HMRC. These bogus callers may threaten you with arrest or legal action unless you make a tax payment or encourage you to provide personal or financial information in exchange for ‘tax advice’ or a bogus refund.
Sometimes, when you call HMRC and they need to investigate your query further, they may offer to call you back. In this case, for extra protection, they may ask you to tell them a password that they must use before you will speak with them again. In other words, when they call you, you can ask them to quote back to you the password.
⚠️ Telephone numbers can be faked and you should never trust a number you see on your display, even if it looks like an official HMRC number. If you unsure about the identity of a caller, ask for their name and the purpose of their call and then dial the appropriate HMRC helpline number and either ask to speak to that person and/or explain the nature of the call you have received and ask HMRC to confirm whether it was a genuine call. If you are unable to verify the identity of a caller, we recommend that you do not liaise with them. Never call a number given to you by somebody who phones you unless you are sure it is genuine. A list of HMRC numbers is available on GOV.UK.
What should you do if you receive a suspicious contact from HMRC?
HMRC refund notification by LITRG
- If you cannot verify the identity of the person contacting you, do not liaise with them.
- If you think you have received a HMRC related phishing email or text message, you can check it against the examples published on GOV.UK.
- Forward every suspicious email from HMRC to their phishing team at email@example.com (even if you receive the same email several times) and then delete it permanently from your computer and email account. HMRC will never offer you a repayment, notify you of a tax refund or ask you to disclose personal or financial information by email or fax.
- Forward details of letters, faxes or phone calls to the same team at firstname.lastname@example.org.
- If you receive a text message claiming to be from HMRC offering a ‘tax refund’ in exchange for personal or banking details, do not respond and do not open any links contained within the message. Forward a suspicious text message from HMRC to 60599 and then delete it permanently. You will be charged at your network rate to do this. HMRC may occasionally issue text messages, however these messages will never request personal or financial information.
- You may also wish to consider reporting any incidents to Action Fraud.
What if you have fallen victim?
- If you think you have been the victim of a HMRC related scam, contact HMRC at email@example.com. Include a brief outline of the information you disclosed for example, you will need to tell HMRC whether you disclosed your name or address, or perhaps your HMRC User ID or password. But never include all of your actual personal details together, for example name, address and National Insurance number, in the email.
- You should also monitor your bank and /or credit card statements for unusual transactions and notify your bank and/or card issuer of any breach or unauthorised activity as soon as possible. If you gave out card details you should also contact your bank or credit card provider to explain what has happened and follow their advice which may include getting a new card or replacing PIN numbers or passwords
Useful sources of information
- Get Safe Online has practical advice on how to protect yourself, your computers and mobile devices and your business against fraud, identity theft, viruses and many other problems encountered online.
- GOV.UK guidance on :
- Cyber Aware (formerly Cyber Streetwise) is a Government backed initiative that gives advice on how to make good cyber security habits second nature for both individuals and businesses