HMRC is the UK tax, payments, and customs authority. As a governmental body, HMRC holds a significant quantity of confidential personal data and financial information. Unfortunately, this makes impersonating HMRC a prime choice for cybercriminals.
HMRC cyberattacks centre around phishing. Opportunistic cybercriminals masquerade as HMRC, often using emails, texts, or phone calls, with a view to tricking individuals and businesses into revealing their personal or financial information, or both, to this supposedly trustworthy official government body. Phishing has become especially advanced in recent years, with AI tools allowing cybercriminals to write realistic messages, making it harder and harder to distinguish a true HMRC communication from a cyberattack.
Accountants, especially those who specialise in tax, have regular contact with HMRC, leaving them highly vulnerable to these cyberattacks. This necessitates a high level of vigilance and care when dealing with HMRC in a professional capacity. Not only do accountants put their firm at risk when failing to spot phishing attempts, but they put their clients’ highly sensitive personal data at risk, too.
Read on to learn more about HMRC phishing scams, including how to spot a fraudster and how to protect your accountancy firm and clients from this vicious form of cybercrime.
Phishing involves a cybercriminal sending fraudulent emails or texts or making fraudulent phone calls purporting to be an official employee of a reputable company or business, with a view to inducing the victim to reveal their personal data or financial information.
Within the last few years, an increasing number of cybercriminals have been choosing to impersonate HMRC in their phishing attempts, likely due to the significant quantity of confidential personal data and financial information HMRC holds. The emails, texts, and phone calls made by cybercriminals can vary enormously, taking the shape of anything from offering fake tax rebates to threatening legal action for non-existent tax issues.
The government has issued a variety of official resources offering guidance to individuals and businesses for recognising and handling all kinds of HMRC phishing scams. In summary, this guidance includes the following:
As trusted custodians of their clients’ financial information, accountants must remain vigilant at all times against cyberattacks. Accountants must ensure that they and their staff receive regular training on spotting suspicious messages and phishing attempts and on following secure communication protocols. Additionally, taking the extra step to educate your clients about common phishing tactics can help to prevent them from being duped by fake HMRC communications.
Implementing strong cybersecurity practices, such as secure email systems with spam filters, impersonation protection, browser isolation, multi-factor authentication, and regular system updates, is essential for protecting your accountancy firm and clients from HMRC phishing scams.