Phishing Email and not HMRC

How to Identify and Respond to a Phishing Email Masquerading as HMRC Communication

In our digital age, the security of financial transactions and communications is more crucial than ever, particularly when it comes to interactions with institutions like Her Majesty’s Revenue and Customs (HMRC). Recently, a new type of phishing email has been circulating, purporting to be from HMRC regarding VAT submissions. These emails may look official, but it’s important to understand how to recognise and handle them.

Characteristics of the Phishing Email

The email in question typically opens with a formal greeting and appears to be an update about your VAT submission. It prompts you to log into your HMRC account through a link provided in the message and may even instruct you to navigate to a specific section labelled ‘Messages’. Here’s the catch: the email encourages the use of a QR code, supposedly for verification purposes.

Red Flags to Watch Out For

  1. Unsolicited QR Codes: HMRC does not typically send out QR codes for accessing personal tax information. The use of QR codes in emails is a common tactic used by cybercriminals to redirect users to malicious sites.
  2. Generic Greetings: Phishing emails often use generic titles like “Dear Customer” or might get your name slightly wrong. An official email from HMRC will address you correctly by your full name or your company’s registered name.
  3. Urgency and Immediate Action: Phishers often create a sense of urgency. The email may urge quick action, suggesting that failing to do so could lead to problems with your VAT records.
  4. Links to Unfamiliar Sites: Always hover over any links included in the email (without clicking) to see the URL. If the link address looks suspicious or does not lead to the official gov.uk sites, it’s a clear indicator of phishing.
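
The red flags above can be checked automatically when triaging a reported message. The following Python sketch is an added example, not part of the original article or any HMRC tooling; the word lists, flag names and the sample message (with reserved `.example` hosts) are assumptions made for illustration. It does not decode the QR image itself, only notes that the body asks the reader to scan one.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

URL = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Word lists below are illustrative assumptions, not an HMRC-published set.
GENERIC = re.compile(r"^\s*dear\s+(customer|taxpayer|user|sir|madam)\b", re.I | re.M)
URGENT = re.compile(r"\b(urgent|immediately|within \d+ hours|suspended)\b", re.I)
QR = re.compile(r"\bQR\s+code\b", re.I)

def is_gov_uk(host):
    """True only for gov.uk itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == "gov.uk" or host.endswith(".gov.uk")

def red_flags(raw_email):
    """Return the article's red flags found in a raw RFC 5322 message."""
    msg = message_from_string(raw_email)
    texts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            data = part.get_payload(decode=True) or b""
            texts.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    body = "\n".join(texts)
    flags = []
    if QR.search(body):
        flags.append("qr_code")
    if GENERIC.search(body):
        flags.append("generic_greeting")
    if URGENT.search(body):
        flags.append("urgency")
    for url in URL.findall(body):
        # Compare the parsed hostname, never a substring of the whole URL.
        host = urlsplit(url).hostname
        if not is_gov_uk(host):
            flags.append("non_gov_uk_link:" + (host or "?"))
    return flags

# Constructed sample message; hosts under .example are reserved placeholders.
SAMPLE = """\
From: HMRC <noreply@hmrc-gov.uk.example>
Subject: Update on your VAT submission
Content-Type: text/plain; charset=utf-8

Dear Customer,

Sign in immediately at https://www.gov.uk.vat-verify.example/messages
or scan the QR code below. Guidance: https://www.gov.uk/vat-returns
"""

if __name__ == "__main__":
    print(red_flags(SAMPLE))
```

The hostname check matches on a dot boundary, so lookalikes such as `hmrc-gov.uk` or `www.gov.uk.vat-verify.example` are flagged while `www.gov.uk` is not.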

How to Safely Respond to Suspected Phishing

  • Do Not Interact: Do not click on any links, scan QR codes, or follow any instructions within the email.
  • Verify the Communication: Access your HMRC account directly through the official government gateway site by typing the URL into your browser, not by following any links in the email.
  • Report the Phishing Attempt: Forward the email to HMRC’s phishing team ([email protected]) and then delete the email from your inbox.

Best Practices for Online Security

  • Regular Updates: Ensure your anti-virus and anti-malware software is up to date.
  • Secure Connections: Always use secure, private Wi-Fi connections when accessing sensitive information.
  • Education and Awareness: Educate your team about the dangers of phishing scams and encourage them to be vigilant.

In summary, while digital communication is a vital part of modern business, it also comes with risks. By staying informed and cautious, you can protect yourself and your business from the detrimental impacts of phishing scams. Remember, when in doubt, it’s better to err on the side of caution and verify any suspicious communications through official channels.

Example of the Phishing Email

Dear XXXXX Limited,

Here’s an update on your VAT submission:
For in-depth details, please sign into your HMRC account, navigate to the ‘Messages’ section, and look for the message titled ‘Making Tax Digital for VAT Return’. This step is crucial for maintaining accuracy and security. You may be asked to verify your identity.

For best results, open this email from a desktop or computer, then use your mobile device to scan the QR code.

QR Code

How to Scan a QR Code

Step 1: Open your phone’s camera app and point it at the QR code.

Step 2: Hold steady until the QR code is clearly visible. No need to take a picture.

Step 3: Tap the link that appears on your screen to open the associated webpage.

This is an automated email. Please do not reply.

Government Gateway