TaxCalc Blog

Protecting Yourself from Phishing Scams

In something of an irony (considering who’s received it), a phishing email beat my spam filter last night and landed in my personal inbox. Purporting to come from HMRC, I apparently have a VAT tax refund waiting for me and need to follow the link to fill out a form to claim it. What excitement for a Thursday evening!

I think that everyone will agree with me that this is really quite a suspicious looking email. However, looking today at the kinds of emails TaxCalc generally receives from HMRC, especially with regard to VAT and VAT MOSS, even official emails from HMRC can appear to be quite generic.

For example, VAT return reminders are addressed to Sir or Madam and VAT MOSS emails to just “VAT MOSS user”. Whilst said emails may quote the name of the company and our VAT number, these can easily be found on our website. 

The email prompted me to think about how we can stay safe with phishing scams.

Staying safe

There are a number of ways that can hep you to stay safe and the key, largely, is to approach everything with a degree of caution.

1. Avoid phishing emails in the first place. Your email provider may have an anti-spam service, which does a lot of background checks on where the email has come from before it gets to your inbox. Anti-spam software does something similar once it’s arrived.
2. Check whether the email is addressed to you. Although HMRC appear to send generic emails, if the email isn’t addressed to you directly, you probably shouldn’t follow the links.
3. Check who has sent you the email. Quite often phishers send you emails from addresses that appear similar to bona fide organisations. HMRC’s emails end with hmrc.gov.uk, although scammers may try similar addresses such as hmrc.org or hmrc.co . Note that some phishers can mask the sending email address with an official one, making it look legitimate.
4. Consider poor grammar and spelling. Although humans write emails and can make the odd typo, generally official emails are proof read at least once before being sent out. Too many spelling mistakes or instances of poor grammar should pique your concern.
5. Consider the quality of the email. Most emails sent by organisations contain complicated code to control their layout. If you receive a simplistic email, perhaps with poor quality or out dated images, you should become suspicious.
6. Hover over links before clicking. If you hover over a link for a few seconds, your email application should show you a tooltip to tell you where it will go. If it’s legitimate, the destination should include a reference to the expected website.
7. Don’t follow the links. If you remain unsure, don’t click on the links. Any well designed website should always help you find where the link was purporting to take you.

HMRC themselves have prepared a page on GOV UK that contains a list of all of the genuine contact emails that the organisation sends out as well as advice to help determine if an email you might receive could be fraudulent.

You can find this page here: https://www.gov.uk/government/publications/genuine-hmrc-contact-and-recognising-phishing-emails/genuine-hmrc-contact-and-recognising-phishing-emails