HMRC scam letters and emails: a cybersecurity guide for accountants

As our reliance on digital technology grows, so does the risk of falling victim to cyber attacks. Recent years have seen a huge spike in online fraud, with criminals in the UK stealing north of half a billion pounds during the first half of last year alone. Phishing attacks represent one of the biggest risks, accounting for 91% of all cybercrime. 

Among the many phishing tactics employed by fraudsters, sending fake HMRC emails and letters is one of the most important ones for accountants to understand. In this article, we’ll explain everything you need to know about this dangerous trend so that you can protect your accounting business and clients from harm.

What are HMRC scam emails?

HMRC scam emails are carefully designed to mimic the look and tone of official correspondence from the UK tax authorities, with convincing logos, email addresses, and legal jargon. The goal is to steal the recipient’s personal information or money. There are several ways HMRC scam emails can achieve this, including: 

• Requesting payment for unpaid taxes or fines
• Offering tax refunds in exchange for sensitive information
• Demanding personal details to “update” records

These emails are particularly effective because people are keen to keep in line with HMRC’s requests, for fear of missing deadlines, receiving fines, or even being prosecuted. What’s more, the tax system is known for being complex and hard to grasp, so people are less likely to question dubious requests. 

What kind of emails does HMRC send?

HMRC communicates with taxpayers via a range of official channels, including email. By understanding the type of correspondence you can expect to receive from the UK tax authorities, you can better spot suspicious incidents. Here are some of the emails you can expect to receive from HMRC:

Tax return notifications

If you are registered with HMRC for self-assessment purposes, you may receive email notifications reminding you to complete your tax return. Once you’ve completed your tax return, you may also receive confirmation emails. 

Payment reminders

If you have an outstanding payment due for your self-assessment tax return, student loan, or a penalty, you can expect an official reminder by email.

Payment confirmations

Upon making a payment to HMRC towards your tax bill or a penalty, you can expect to receive official communications confirming that payment has been received.

Key account changes

HMRC will contact you about other key actions or changes relating to your account. For example, you can expect an email to confirm that you have signed up for self-assessment or changed your tax code.

Tax avoidance warnings

If HMRC suspects you may be involved in a tax avoidance scheme, they may send you an email alerting you and explaining the steps you need to take and the risks involved in tax avoidance.

These are just some examples of the type of emails HMRC may send. You can find more examples on this HMRC webpage. In reality, however, there’s no definitive list of official communications, so it’s important to be able to identify fraudulent emails yourself. 

How do I know if a message from HMRC is genuine?

The reason so many people are tricked by fraudulent emails and letters is that they don’t know how to differentiate the real from the fake. In this section, we’ll highlight some telltale signs of scam emails. 

Relevance and timeliness

Generally speaking, HMRC will contact you in relation to an action you have taken or need to take, so the communication should be highly relevant. For example, if you are registered for self-assessment, you’ll receive communications when it’s time to file your tax return, or once you’ve done so. If you fail to file your tax return by the deadline, you can expect an official response. 

Be wary of any communication that comes out of the blue, or any emails relating to matters that don’t seem relevant to your situation. If a letter says you owe a penalty to HMRC for late filing of your tax return, but you aren’t registered for self-assessment, it’s clearly suspicious.

Urgent or threatening language

Another major red flag is when a letter or email uses threatening language to persuade the recipient to “act now — or else!” This is a classic tactic used by fraudsters to essentially scare recipients into handing over their details or sending money to avoid threats of legal action or fines.

While HMRC may be forced to send you warnings for things like late payment, they won’t threaten legal action during the first communication. So if you find yourself receiving a threatening warning for something you were unaware of, please be cautious.

Requests for sensitive information

Scammers want you to hand over sensitive financial or personal information that they can use to assume your identity or access your accounts. HMRC will never directly ask you for information such as passwords, PINs, or bank account details via email — so beware of any communications that do.

Requests for payment

While HMRC may inform you about an upcoming or late payment that you are required to make, they will generally prompt you to log in to your online account via the official government portal to make any payments. If you receive an email asking you to send money to a particular account, it’s very likely a scam.

Suspicious email addresses, language, or links

If you suspect that you’ve received a scam email, take some time to look at the sender’s email address. Often, scammers use “spoofed” email addresses that look like official ones but have difficult-to-spot changes. For example, rather than noreply@tax.service.gov.uk, the address might read reply@tax.servise.gov.uk. Spot the differences?

Also, beware of any email that:

• Has obvious spelling mistakes or grammatical errors
• Asks you to reply directly to the recipient’s address
• Uses unprofessional or informal language
• Includes unconventional formatting
• Has clickable links

HMRC scam email reporting — how to flag suspicious emails

If you think you’ve received a fraudulent email from someone impersonating HMRC, there are several steps you can take to protect yourself and others.

1. Don’t respond, click any links, or download any attachments
2. Forward the suspicious email to report@phishing.gov.uk — it will then be investigated by the National Cyber Security Centre (NCSC)
3. Delete the email to avoid any accidental interaction with it — if you want to keep a record of it, you can take a screenshot
4. If you think you’ve been the victim of fraud, you can contact Action Fraud, the UK’s national reporting centre for fraud and cybercrime
5. Inform your IT department and colleagues
6. Educate your clients about the risk

How phishing accounting scams affect professionals and firms

Falling prey to a phishing scam can be hugely damaging to your accounting practice, not only in terms of potential financial losses but also in terms of reputational damage and a loss of client trust. In this section, we’ll explore how phishing scams can impact your business.

Financial loss

By divulging sensitive information, scammers may gain access to your bank accounts, steal funds, or divert client payments. Other scams involve tricking the recipient into sending money directly to a fraudulent account. Either way, you take a financial hit. 

Data breaches

Scammers aren’t always after money directly. Sometimes they may want to steal your firm or client data and then sell it on the dark web, or engage in other forms of identity theft and financial fraud. As a result of such a breach, your firm may face hefty fines for failing to protect your clients’ data. 

Further reading: to learn more about keeping your clients’ data safe, check out this article: Data security for tax and accounting: 5-step plan to securing client data.

Reputational damage 

Trust is everything in accounting. If your firm becomes the victim of a phishing scam, that strong reputation you’ve worked so hard to nurture could be shattered overnight, resulting in a loss of clients. The cost of reputational damage is hard to quantify and extremely difficult to recover from.

Operational disruption

Accounting firms are busy enough as it is without dealing with unexpected emergencies. Phishing attacks can completely disrupt your day-to-day operations, meaning that you have to divert your resources away from your clients while the problem is contained and resolved. 

Legal consequences 

Clients whose data is breached may seek legal action against your firm, leading to costly legal battles and potential settlements. At the same time, your firm may be in the crosshairs of regulators, who may dish out hefty fines for non-compliance.

Mental and emotional impact

Last but not least, it’s important to understand the mental and emotional damage that a phishing attack can cause. For accountants, this can be a hugely difficult experience that undermines confidence and causes stress. For clients, data breaches can also cause huge amounts of anxiety.

How to protect your accounting firm and clients from phishing attacks

Here are some cybersecurity best practices you can implement to avoid phishing scams and the financial, reputational, and emotional damage that comes with them. 

1. Conduct rigorous employee training

When it comes to avoiding fraudulent emails, education is your first and best line of defence. Conduct thorough training sessions that help your staff identify scam emails and understand the risks involved. We recommend making this training an essential step in your onboarding process and reviewing it every year.

2. Increase email security measures

In addition to regular internet security and antivirus software, you can implement specialist tools for spotting phishing attacks, malicious links, and malware. This provides you with an extra layer of security should one of your staff fail to spot the telltale signs of a phishing scam.

3. Educate your clients about the risks

Your clients also play a role in keeping their data safe. Be sure to update them on the latest phishing threats. Because scammers may attempt to impersonate your accounting firm to access client information, explain best practices you will use in your communications to help them spot genuine emails from fraudulent ones.

4. Build a robust incident response plan

If someone in your firm falls victim to a phishing attack, you need a robust plan in place to mitigate the damage caused. Create a comprehensive incident response plan that details the steps you will take, the people responsible, and the goals and outcomes. You can then test-run the plan with regular drills to ensure everyone understands the procedure.

5. Leverage the best technology

While phishing attacks are largely caused by human error, there are some technology choices you can make to mitigate the risk of being a target. 

With TaxDome, for example, clients can manage all of their touch points with your firm — from sending messages to accountants to scanning, e-signing, and sending documents — on one secure client portal, available either on desktop or via our award-winning client mobile app. With less reliance on email, there’s less risk of phishing scams, while two-factor and biometric authentication ensure that only the right people have access.

So if you’d like to reduce the risk of phishing attacks while increasing efficiency and providing an incredible client experience, give TaxDome a try. Request a demo today and see for yourself!