Bit of a strange one this and would love some feedback please.
A new client (subby) came to me last week clutching a repayment notice showing a large refund for 2013/14 paid to a nominee that he has never heard of.
He filed his own return in August via his own gateway log in an received his tax refund but this latest refund is on top of the old one. His password no longer works to log in.
I applied for online authorisation and today it appeared on our hmrc clients list and an amendment to the return was made on 5/2 and the refund issued on 14/2.
I can see the bank details of where the refund has been issued to.
It seems clear to me that someone has got hold of his log in details and defrauded hmrc out of this money. I called hmrc today but the agent authorisation hasn't filtered through yet even though its on my online clients list.
My concern is that hmrc will amend the return back to how it was and my client will be liable for the money!!
Has anyone encountered anything similar or got any thoughts?
cheers
Replies (6)
Please login or register to join the discussion.
IT expert
At least your client has got the refund he was properly due to.
I've not come across this but, if your worst fears prove to be founded, it may be necessary to get some IT expert to review security to see how the client's account has been hacked.
And - definitely - treat it as theft and report it to the peelers.
Before doing anything else check with the client if those bank details mean anything to him. If you have a sort code you should at least be able to identify the bank & possibly the location of the branch (although some banks have non-geographical branches).
Could it be the client's domestic partner or a family member who has done this? Or a previous accountant?
The client may not want the police involved (although you may be obliged to make a report under MLR 2007 / s330 PoCA 2002).
If it is a case of some unconnected hacker then I suspect HMRC will be sympathetic. Has the client recently had an email from HMRC requesting him to login to the system? In other words has he been duped by a bogus email?
David
Report it to HMRC pronto
I suggest you report it to HMRC pronto in that case (but with the client's agreement obviously). Also do a brief Suspicious Activity Report (referring to it having already been reported to HMRC).
I don't think you need bother the local police with it. HMRC have their own investigators & can prosecute if it comes to that.
Log it with Action Fraud or suggest the client does that.
David
In case you haven't already got the full information this link will enable you to identify the bank and branch address I suggest you also write to it's Head Office and the branch with the problem