Skip to main content

Make sure you don't fall for this crafty HMRC tax refund scam

Fraud
(Image credit: Shutterstock / Sapann Design)
Audio player loading…

A dangerous new SMS phishing scam is doing the rounds, this time targeting anyone that had to file a tax return (opens in new tab) for the 2019/2020 financial year.

The UK tax year finished on April 5 2020, but the window to file a return didn’t close until roughly two weeks ago, on January 31 2021.

According to researchers from security company Sophos, cybercriminals are leveraging this recent deadline as part of a new scam that promises its victims a handsome refund.

“A tax rebate of [£X] has been issued to you for an overpayment in year 2019/2020,” the scam message states, before asking the person to click on a link that carries them to a malicious web domain (opens in new tab).

Here, the victim is encouraged to provide various forms of personally identifiable information (PII) and financial credentials that could be used to perpetrate identity fraud (opens in new tab).

HMRC phishing scam

The fake domain is a close imitation of the official UK government website. Unlike many other phishing scams, which are betrayed by sloppy design or grammatical errors, the scammers have gone to considerable lengths to build a convincing fake.

“We have to admit that the crooks pulled off a surprisingly believable sequence of web pages,” wrote Sophos researchers in a blog post (opens in new tab). “Not perfect, but visually believable nevertheless.”

“Their pages look similar to the pages you’d see on a genuine UK government site; they’ve included niceties such as a coronavirus warning in order to add a touch of timely realism [and] they’ve mostly used the right sort of terminology.”

HMRC tax scam

(Image credit: Sophos)

Once victims have landed on the domain, they are asked to hand over various personal details in order to secure the fake tax refund. These details include name, date of birth, address, phone number, National Insurance number and mother’s maiden name, all of which could be used to break into other online accounts.

The hackers then ask for bank details and credit card credentials, supposedly in order to process the refund, before delivering the person to a dummy confirmation page and redirecting to the genuine HMRC website.

While the scam is highly convincing, there are a handful of tell-tale signs that should raise alarm bells for anyone that receives the text message.

First, the initial SMS is sent from a standard UK mobile number, which would not be the case for a genuine communication from HRMC. Second, the web domain does not align with the URL of the real HMRC website.

According to Sophos, the best way to protect against attacks of this kind are to navigate to the relevant website manually as opposed to following a link received via text or email (opens in new tab), to scour messages for errors and to lean on an antivirus (opens in new tab) service with web-filtering capabilities.

Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He's responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.