3 Common Tax Related Phishing Scams You Need To Be Aware Of
In general, tax refunds are a popular topic for phishing e-mails: a user can be lured by the prospect of receiving a decent sum of money. Moreover, during tax season, when e-mails to and from HMRC are quite regular, it can be difficult to distinguish a legitimate one from a fake one because you would be expecting correspondence with them. Here are the three most typical phishing e-mails that cyber-criminals use during tax season.
1. Tax Return
The most common e-mail template that cyber-criminals use is one similar to the example below: it explains that the user is entitled to receive a tax refund. The link in the e-mail leads the user to a webpage generated by the cyber-criminal, which asks them to fill in personal information in order to claim the refund. Once this information is entered, it is stored for the criminal to access and use as they wish.
Images taken from HMRC website
The signs to look out for:
- Firstly, HMRC has publicly said that it will NEVER send notifications by e-mail about tax rebates or refunds, or to request personal information. So if you receive an e-mail like this without any prior notice by written correspondence, you should automatically be suspicious. It is always best to call HMRC before clicking on any links or filling in any personal information; they will be able to confirm whether the e-mail is legitimate.
- Secondly, when you are led to any webpage that asks you to fill in personal information, you can easily check whether it is legitimate by looking at whether the address begins with ‘https’. If the address is just ‘http’, as in the picture above, it is not safe for you to enter any sensitive information.
- Even when there is an ‘https’ at the beginning, a good way to double check is to manually type the address into a new window to see whether the website is legitimate. If it is not, the address will not work, as it will be a fake link created by the criminal.
2. PDF Attachments
Similarly to the above, HMRC also details on its website that cyber-criminals will often send an e-mail asking you to open a PDF in order to get a tax refund. This leads to a website that asks you to enter personal information, as in the previous example. You should never open an attachment from an unknown address, or any attachment that you were not expecting or did not request. If you are concerned, you should call HMRC directly to confirm whether the e-mail is legitimate.
Image taken from HMRC website
3. CEO Fraud
Another way that criminals can access sensitive employee data through phishing is by impersonating a senior member of staff and sending an e-mail to someone in finance or a related department, requesting data for review before it is filed with HMRC. These documents detail tax and wage information for employees as well as their National Insurance numbers, home addresses and place of employment, all of which the cyber-criminal would then have access to. Again, this is a common kind of e-mail for a member of such a department to receive, and criminals can be very convincing by mimicking the format of your business e-mails, so it can be very difficult to tell a legitimate e-mail from a fake one.
The signs to look out for:
- As this is something internal, the easiest way to double check before sending over any sensitive information is to catch the alleged sender in person or over the phone and ask whether they sent the e-mail. This is good practice and is a guaranteed way to ensure the legitimacy of any e-mail.
- Another way to improve security is to have an agreed process for tax returns that all employees are aware of; a sporadic e-mail requesting a review of data would then be immediately noticeable because it contradicts the policy and timeline you already have. As well as this, any company documents that senior members of staff need access to are often available on a company-hosted desktop, so sending a document over e-mail would not be necessary.
HMRC has a whole webpage dedicated to phishing scams. It lists even more signs to look out for, and its main recommendation is that if you receive ANY e-mail that claims to be from HMRC but does not seem legitimate, you should forward it to firstname.lastname@example.org and then delete the e-mail. They encourage you not to open any attachments or click on any links unless you are 100% sure they are legitimate.
Did you know that Xenace has launched a product to help businesses protect themselves against phishing scams? Phishwise is an interactive training platform that raises awareness of, and educates about, the risks of phishing attacks. As 72% of all data breaches are related to staff receiving fraudulent e-mails, there is no better time to take the initiative and educate yourself and your staff on the warning signs and risks of phishing. Please see our website for information on all of the plans we offer, and do not hesitate to get in touch with us if you have any questions or want to find out more.