Social engineering is about exploiting your emotions. Scammers and con artists identify psychological weaknesses and work them in order to get the information they need to take what they want from you. It’s why so many phishing scams play on greed or curiosity. It’s also why they play on fear.
Scammers pose as HMRC for this reason. Scams either promising a tax rebate or threatening legal action over unpaid taxes have become very common in recent months. The second approach, preying on people’s fears, has been particularly successful, and the scams are getting increasingly sophisticated and believable.
They also particularly target vulnerable people, taking advantage of their ignorance of HMRC’s practices. Angela Foyle, partner at BDO, explains two cases that she had heard about first-hand; a nursing assistant on a low wage, and a colleague at her accountancy firm. Both were working in the UK on a Visa; the scammers made them feel that they could lose their right to work in the UK if they did not comply.
Her colleague was able to work out that it was a scam, but she doubted herself before she hung up. The nursing assistant, however, was not so lucky. She was told to pay £2,500 by 3pm that day. She panicked and used her life savings – and some borrowed money – to pay it. When she realised it was actually a scam, it was too late.
“The very words HMRC put the fear of God into people as the tax system is so complex,” says Foyle. “People have in their mind that, if you make an innocent mistake, they're going to come down on you and like a ton of bricks. This is not actually the case – HMRC have established practices. In most cases, you’d have to pay the tax, and you may have to pay interest, but that's as far as it goes.”
People give away a lot of information on calls; we often make snap judgments on whether to trust someone. Scammers are aware of this, and put a lot of effort into presenting themselves to engender trust.
“They're very good at social engineering,” says Foyle. “So you may not have realised that you may have given that information somewhere at the beginning of the conversation.”
A lot of the general public are unfamiliar with how HMRC actually operates and communicates, says Sophie Wales, ICAEW’s Head of Ethics. “Fraudsters can be quite convincing in either creating an email that looks like it's an official one, or by presenting a professional front on the phone.”
ICAEW members are unlikely to fall for this, but their clients and colleagues are. If clients receive anything that claims to be from HMRC, they should be talking to their accountants first.
Scammers particularly target self-assessment taxpayers around the self-assessment deadline, ramping up their activity in line with the actual HMRC. The Covid pandemic has also led to new opportunities for fraudsters. The scams break down into several common types. Some of which relate to government support measures; one common scam involves an email telling the recipient that they can claim for ‘the third grant’.
Text messages offering COVID relief grants are common as well. Where HMRC has genuinely contacted taxpayers about SEISS grants, they have done so via a letter informing them that they will receive a phone call within 10 working days. ICAEW has published full details of HMRC’s procedures for reference.
Scammers often ‘spoof’ phone numbers and email addresses to make it look like they are coming from legitimate HMRC numbers or emails. A list of common scams can be found here.
Scammers do also try to get into an agent’s online services account. ICAEW is warning individuals and accountants to ensure that login details are really secure and that passwords are changed regularly.
“If someone manages to hack into an agent services account, they can potentially change the bank account details for all your clients, generate tax refunds and have that money paid to them,” says Wales. “Make sure you keep account access secure because if someone got into it, they can cause havoc.”
Gov.uk offers a checklist on how to spot scam phone calls, messages and mails claiming to be from HMRC. At a top line level, the issues are if it is:
- is unexpected
- offers a refund, tax rebate or grant
- asks for personal information like bank details
- is threatening
- tells you to transfer money
HMRC is also sending out letters to some self-assessment taxpayers to verify that repayment claims aren’t fraudulent. More details can be found here.
For practical advice, members can visit ICAEW’s Fraud Advisory Helpline webpage