Lost Inland Revenue password


This afternoon, my husband (co-director) tried to log in to the Inland Revenue website. We have been using the same user ID and password since 2004. This afternoon it did not work.

Why? We telephoned the helpline and we were told that we changed our password on the 3 August at 22:07 hours. The last successful login was at 5 am this morning, 4th August. We are very sure that we did not change our password and we did not log in at 5am this morning as we were still in bed at that time. The helpline was insisting that we did.

We tried to get a new password online but we kept getting an error message saying that "We are unable to identify you.................."

The helpdesk offered to send us a new password by post and it may arrive within 7 working days. In the meantime, we can use the online system. There are only 2 practitioners in this company and nobody knows our user ID and password. I am a little scared. I am interested to know if anyone had the same or similar problem. Thank you.

Replies (16)

By mikewhit
05th Aug 2009 08:31

Just in case
I suggest you download a 'standalone' virus checker on another PC (there may be links elsewhere on AccountingWeb - sorry, haven't got the opportunity just now to detail this) and then run it on your work system. Until it is given a clean bill of health, do not use that system for any other 'important' work, such as online banking.

Of course it's possible there is a cockup at HMRC, after all we had a penalty notice for non-submission of a SATR when it had gone in online mid-Jan - but it's best to be careful.

Thanks (0)
By rosataylor
05th Aug 2009 10:30

Inland Revenue password stolen
Thanks for replying.

We just had a call from the Revenue security. There is a hijacker and the police are involved.
The hijackers are stealing your user name and password, changing the password, creating a tax return on any client and claiming repayment. These are diverted to Barclays bank.

I don't know what to say, I am still shaking. We have been hijacked. I feel like I have been robbed.

Thanks (0)
By pawncob
05th Aug 2009 18:57

WILL EVERYONE
Who has read this, please run AVG/Spybot (or even the commercial stuff) NOW.
Remember, they are not alone.

Thanks (0)
By rosataylor
05th Aug 2009 20:16

security
We have all the security. They disable them all.
The police are now involved according to the Revenue.

Thanks (0)
By David Winch
05th Aug 2009 21:23

HMRC have made this public
See the BBC report at

http://news.bbc.co.uk/1/hi/business/8186509.stm

Being 'hit' by crime can be very upsetting - but remember it's not personal.

Do think around some security issues - like using a cross-cut shredder to dispose of password notifications, computer security in relation to physical security / prevention of loss of pen drives, disposable disks, laptops, etc.

It is entirely possible however that the problem is outside your office (e.g. interception of mail on its way to you).

Changing passwords from time to time is good practice.

To create an impenetrable but relatively easy to use password think of a memorable phrase like "John Prescott had 2 Jaguars and never walked anywhere" and 'abbreviate' it to "JPh2J&nwa". No-one is going to guess that password in a hurry!

David

Thanks (0)
By rosataylor
05th Aug 2009 22:21

HMRC have made this public
HMRC is in fact phoning most agents regarding this matter. They are alerting everyone.

Why does it feel like it is our fault to get hijacked? Everyone seems to blame our security?

HMRC are doing their investigation but what they are not doing is to come up with prevention.

Why not give all registered agents a security device like those key pads that the banks provide their customers?

Thanks (0)
By User deleted
06th Aug 2009 12:49

How is it done?
You need a UTR to match a name to submit a return. You also need some details at least to match those held by HMRC, P60 for instance, otherwise they'll repair the return. If it's a case of submitting spurious self-employed accounts you need tax in charge to be refunded. Sounds like they must have a reasonable amount of information about the individual records to be able to get any refund.
If nothing else, a salutary reminder to make sure, as David has said above, that all confidential waste is properly disposed of.

Add to that every refund I'm claiming at the moment that exceeds £1000 appears to be sent to Bristol for a sabbatical, and others are being retained and set against 2009/10 POA if you don't mind (what happened to the requirement for the charge to fall due in the next 30 days before set off?), and it's a wonder the criminal gangs think it's worth the bother.

Thanks (0)
By jordil
06th Aug 2009 13:37

How is it done?
They can access the client list as if they are the agent. So they only need to try and guess the self-employed clients and of course they can see which ones have made payments on account.
They also look for any clients with credit balances and ask for it to be repaid to their own account.

Thanks (0)
By User deleted
06th Aug 2009 14:06

how is it done?
But that also assumes a reasonable level of expertise in completing a return, a bank account that matches a name but presumably is bogusly set up and funded with lots of HMRC credits, bogus firm perhaps? How do you guess the self-employed from the website access? All it tells you is tax due/paid, copy returns aren't there. I suppose you could trawl through them all and reduce payments on account that have already been made. Sounds a lot of work and a lot of risk for not necessarily a lot of money, though I suppose if you specialise nearly every client could be self-employed. Presumably since this is now on the BBC, there has been more than the one incident mentioned above.
Just thinking aloud (sort of) I suppose

Thanks (0)
By pauljohnston
07th Aug 2009 13:09

payments
I find it worrying that for us to be appointed as agents for a client a 64-8 needs to be signed or a client has to give us a code if we do it online BUT if a refund is being made there is no check.

A way around this for HM Revenue & Customs is to issue a letter stating that a refund request has been received by a client. If the agent is happy that he or the client issued such a request then the authorisation number at the foot of the letter should be put into a website. As I see it, changes of address for agents have to be done by signed letter and this is a manual process. So just an acknowledgement to old and new address when the change is made should cover this area.

Thanks (0)
By geoffwolf
07th Aug 2009 13:48

If they have your agent details
they are probably into your computer and can look at the tax system for the previous year to decide what may need to be put on a return to obtain a refund

Thanks (0)
By rosataylor
07th Aug 2009 17:52

How is it done?
You are right. The Revenue told us the same theory.
They said they are high profile. We asked them if they have looked at the well known theory of an inside job?
We are now back in but we have not looked closely if any of our clients have been tampered with.
We were out of action with the Revenue for a week. Plenty to do.

Thanks (0)
By clark jenner
10th Aug 2009 12:26

Cliff Jenner
We took a client over to whom the same thing happened, the book-keeper from whom we took over said that this had happened to several of her clients.

On talking to my friends about this, they suggested that she had answered one of the phishing emails that are doing the rounds.

One thing that is bugging me is that although HMRC readily accept that my clients are innocent of any complicity, they refuse to issue a new UTR. Neither will they take down the obviously spurious return (it is a 2009 return) from the website and off their records altogether.

This is preventing us from filing the return (and there may well be a real repayment due) until they do this.

All of this is very frustrating.

Given that all agents are registered online; would it not be a good idea for HMRC to send an email to all registered agents warning them of what is going on?

Thanks (0)
By mikewhit
13th Aug 2009 14:40

Specific email accounts
If you have control over your own email address domain (e.g. you have a company website www.mydomain.co.uk and have [email protected]) another security feature is to set up individual incoming email addresses specifically for e.g. HMRC and banks - obviously you never give out the wrong address to the wrong party.

Examples,
[email protected]
[email protected]

Being very careful, you could completely ignore any email directed at generic addresses such as 'sales@ ...' or 'info@ ...' and only receive those specific ones such as above.

That way, phishing attacks can easily be spotted since you will never receive an HMRC email on your banking email address, and vice versa.

Additionally if you do receive any spam on one of your 'official' email addresses, you can tell exactly from whom the spammer got the address - notify them that they are insecure, delete that now spammed address, and once they have cleaned themselves up, set to a new address for that service.

I haven't searched the AW site on this, but should there be a security 'best practice' checklist for small businesses?

Thanks (1)
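The per-counterparty address scheme in the post above can be checked mechanically. The following is an added example, not part of the original post: the alias names, the `examplebank.co.uk` domain and the sender-domain lists are assumptions for illustration, and the messages are constructed samples.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed alias layout (illustrative values): each counterparty gets its own
# inbound address, mapped to the sender domains that counterparty should use.
ALIASES = {
    "hmrc@mydomain.co.uk": ("hmrc.gov.uk",),
    "bank@mydomain.co.uk": ("examplebank.co.uk",),
}

def _domain(header):
    # Domain part of the address in a From-style header, lower-cased.
    return parseaddr(header)[1].lower().rpartition("@")[2]

def _matches(domain, allowed):
    # Exact domain or a true subdomain; "hmrc.gov.uk.refund.example" fails.
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def classify(raw):
    msg = message_from_string(raw)
    rcpt = parseaddr(msg.get("Delivered-To") or msg.get("To", ""))[1].lower()
    sender = _domain(msg.get("From", ""))
    if rcpt in ALIASES:
        # From is forgeable, so "consistent" is not proof of authenticity;
        # a mismatch means phishing or that the alias has leaked.
        return "consistent" if _matches(sender, ALIASES[rcpt]) else "alias-mismatch"
    if any(_matches(sender, allowed) for allowed in ALIASES.values()):
        return "wrong-address"  # claims a protected sender, sent to a generic box
    return "unclassified"

def _mail(to, sender):
    return f"From: {sender}\nTo: {to}\nSubject: Tax refund\n\nbody\n"

# Constructed sample messages, not real mail.
SAMPLES = {
    "hmrc_on_hmrc_alias": _mail("hmrc@mydomain.co.uk", "HMRC <noreply@hmrc.gov.uk>"),
    "hmrc_on_bank_alias": _mail("bank@mydomain.co.uk", "HMRC <refunds@hmrc.gov.uk>"),
    "hmrc_on_generic": _mail("info@mydomain.co.uk", "refunds@hmrc.gov.uk"),
    "lookalike_domain": _mail("hmrc@mydomain.co.uk", "tax@hmrc.gov.uk.refund.example"),
    "ordinary_mail": _mail("info@mydomain.co.uk", "orders@supplier.example"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:22} {classify(raw)}")
```

A "consistent" result only means the message did not break the scheme; the alias-mismatch and wrong-address results are the ones to act on.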
By User deleted
14th Aug 2009 21:52

Cliff Jenner
The Inland Revenue will wipe out all the fraudulent tax returns (as I believe). Let's wait and see.
Try phoning this number: 0151 300 1575. This is the Inland Revenue special number. It is also on their web site.

Thanks (0)
By User deleted
12th Jan 2010 01:24

'IR wiping out fraudulent Tax Return?'

I had a problem submitting the 2009 Return online and the error message implied a Return had been filed already. The upshot, after a lot of hot words all round, was that there was a fraudulent attempt at the client's account. IR did not wipe out the fraudulent Return. I as agent had to file an amended Return!! And this took 3 attempts before it went through!! HMRC blaming my commercial software, SAGE, and SAGE saying it's HMRC. It was HMRC in the end. These fraudulent happenings certainly smell of an inside job!

Thanks (0)