
Return of the phantom filers

by
6th Feb 2014

Reports are coming through of a return of the highly lucrative bogus tax refund scam.

The ICAEW Tax Faculty reported this week that some of its members had seen a recurrence of scammers using purloined agent login details and passwords to submit self assessment returns with relatively low income levels and claiming refunds just under £3,000.

While self assessment season this year ran reasonably smoothly for many AccountingWEB members, there were multiple reports of increasingly sophisticated phishing attempts during the past three months:

Because their online account details open the door to a source of government cash, accountants are prime targets for criminals at this time of year. HMRC devoted considerable time and attention this tax season to publicising the potential threats (including multiple examples of bogus refund notification emails) and educating tax advisers on good online security precautions.

An unfortunate side effect of the crackdown will be delays for genuine refunds. As Cheapaccounting.co.uk’s Elaine Clarke reported this time last year, if there is no indication in the taxpayer’s records that a refund is likely, the payment can get “inhibited” and referred to the Repayments Security Office in Bristol for further checks. CIS refunds were particularly badly affected last year.

There is no way to contact the office to check or chase payments, but advisers can see if their clients’ refunds have been referred by looking at the client statement and seeing if there is an indication that the payment has been created. If this is not the case, it has probably been referred for a check, according to AccountingWEB member Shirley Martin.

HMRC Online security precautions

While HMRC does send a number of different emails and alerts to businesses and advisers, it never sends notifications of a tax rebate, or asks taxpayers to disclose personal or payment information via email.

The department’s security pages advise: “If you have any doubt that an email you receive from HMRC is genuine please do not follow any links, disclose any personal details or respond to it. Please forward it to HMRC at [email protected] then delete it.”

Responding to the bogus submission acknowledgements in mid-January, AccountingWEB member RJandCo backed HMRC's advice for other practitioners: “HMRC never ever contact taxpayers direct by email for anything.  Where would they have your email address from?  There is nothing on any self assessment registration form that asks for an email address. There is no box on a tax return which asks for an email address.

“I always tell all clients that anything via email from HMRC is ALWAYS going to be a scam, so just delete without opening attachments.   It’s pretty obvious anyway that it’s a scam, usually from the fact that these emails never quote a client name or UTR.”

Replies (14)


By Euan MacLennan
06th Feb 2014 13:05

Not correct

The link to emails and alerts takes you to the HMRC Genuine HMRC Contacts page on which it states that Educational emails "will appear in your address bar as [email protected]".

So why have I and presumably many other agents received an e-mail today from [email protected], which is clearly an educational email with the tortuous subject "RTI-Making final submissions for the 2013-14 tax year [87] [Protective Marking: UNCLASSIFIED]"?  The main clue that it is not spam is that the attachment is a .doc, rather than a .zip, file with the zappy name "140205 - At a Glance V1 0 (4).doc".

Thanks (3)
Replying to ireallyshouldknowthisbut:
By jonbryce
07th Feb 2014 12:08

Re: Not correct

All the viruses I get that claim to come from HMRC also have "[email protected]" in the address bar.  I had about 20 of them yesterday.  The virus scanner had deleted the virus and replaced it with a note inside the .zip file saying it had been removed.

The problem is that HMRC have not published an "SPF record" for the hmrc.gov.uk domain, so spam filters have no way of knowing whether the email came from a genuine HMRC email server or not.  That is something they should do as a matter of urgency.  It will take them about half an hour to change the DNS record if they have to read up how to do it, or a few seconds if they know what they are doing.

Thanks (0)
Replying to Tim Vane:
By daveforbes
07th Feb 2014 13:24

@jonbryce

jonbryce wrote:

or a few seconds if they know what they are doing.

I suspect they have a myriad of SMTP servers. Producing and then maintaining the list would be challenge enough and then there would be the 256 character limit on SPF records and the 10 DNS lookups.

Yes, they should rationalise all their various email systems but that would be time consuming and costly and therefore unlikely in times of austerity.

Also, realistically, how effective is it? paypal.com has an SPF record - so scammers just use a domain that is similar enough to fool the unwary.

Thanks (0)
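
The SPF behaviour discussed in the two replies above, as an added example that is not part of the original thread: a minimal evaluator for `ip4`, `include` and `all` that returns `none` when a domain publishes no record, enforces the 10-lookup ceiling, and shows a lookalike domain passing its own SPF check. The domains, addresses and records are constructed placeholders, and `check_host` and `txt_strings` are illustrative names.

```python
import ipaddress

# Constructed sample TXT records (placeholders, not real DNS data).
ZONE = {
    "tax.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/25 -all",
    "tax-refunds.example": "v=spf1 ip4:203.0.113.7 -all",  # lookalike, valid SPF of its own
}
# Mechanisms that cost a DNS query (RFC 7208 s4.6.4); the redirect modifier also
# counts but is not parsed by this sketch.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists")
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, zone=ZONE, budget=None):
    """Evaluate ip4/include/all only; a, mx, ptr, exists are counted, not resolved."""
    budget = {"lookups": 0} if budget is None else budget
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # nothing published: the receiver cannot judge the sender
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        mech = name.split("/")[0]
        if mech in LOOKUP_TERMS:
            budget["lookups"] += 1
            if budget["lookups"] > 10:
                return "permerror"  # more than 10 lookups invalidates the policy
        if mech == "ip4":
            if ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False):
                return RESULTS[qualifier]
        elif mech == "include":
            inner = check_host(ip, arg, zone, budget)
            if inner in ("permerror", "none"):
                return "permerror"
            if inner == "pass":
                return RESULTS[qualifier]
        elif mech == "all":
            return RESULTS[qualifier]
    return "neutral"

def txt_strings(record, limit=255):
    """Split a long record into DNS character-strings of at most 255 bytes."""
    raw = record.encode("ascii")
    return [raw[i:i + limit] for i in range(0, len(raw), limit)]

if __name__ == "__main__":
    for ip, dom in [("192.0.2.25", "tax.example"), ("203.0.113.7", "tax.example"),
                    ("203.0.113.7", "tax-refunds.example"), ("203.0.113.7", "nospf.example")]:
        print(f"{ip:<14} {dom:<22} {check_host(ip, dom)}")
```

A `pass` for the lookalike domain is the expected outcome: SPF only ties a sending address to the domain named in the envelope, so a receiver still has to judge whether that domain is the one the message claims to represent.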
By CatherineR5
06th Feb 2014 13:05

Missing authorisation code

I have had an HMRC agent authorisation code go missing - I wonder whether it's been intercepted by someone incorrectly identifying it as potentially a login/password reminder in advance of self-assessment?

Of course my client might just have lost it/not opened it/fed it to the dog...

Thanks (0)
Replying to Ruddles:
By Euan MacLennan
06th Feb 2014 13:23

Wrong address?

CatherineR5 wrote:

Of course my client might just have lost it/not opened it/fed it to the dog...

... or not informed HMRC of his change of address.

Thanks (0)
Replying to spilly:
By CatherineR5
06th Feb 2014 14:42

No...

Client has not moved. And I've checked that.

Thanks (0)
By The Tax Factory Ltd
06th Feb 2014 13:34

Sorry to hijack this thread but we have just received the email referred to by Euan.  However it leaves two questions unanswered:-

1)  it states that you should "just answer a few extra questions" when you make your final submission.  It suggests that the final submission will be the final FPS and makes no mention of an EPS.  But what if you do an EPS (to show CIS Deductions) after the final FPS.  Which is the final submission, the FPS or the EPS?

2)  as the questions have to be answered when the final submission is made "you may wish to make sure you have the answers to the questions ready in time".  What are the questions??  Are they exactly the same as the questions on last year's P35 or have there been any changes?

Also, the link to HMRC's website "for further guidance on your PAYE final submission and end of year tasks" appears to be broken!

Any useful thoughts / comments?

Thanks (0)
By [email protected]
06th Feb 2014 13:51

Employers Annual Return

Below is text of e-mail received earlier supposed to be from HMRC... clearly this is a SCAM and those Accountants who receive them should NOT attempt to open & respond to this.

I am forwarding the same to HMRC for their action.

Regards

Subhash Sampat

PINNER Middlesex

Employer Annual Return

Employers must file their Employer Annual Return (P35 and P14s) for 2013-14 online to reach us by 29 February 2014. We strongly recommend that you file your return online, as soon as it is ready.
Don’t forget, Extra Statutory Concession B46 came to an end in 2011 so the period of grace no longer applies. To avoid penalties, file your Employer Annual Return (P35 and P14s) online and file as soon as you can before 19 May 2013.

Please complete all relevant sections of the attached application form and attach the appropriate documents.

Reply to this email as this mailbox is monitored for incoming mail.

Thanks (1)
By gary.ging
06th Feb 2014 14:27

FAO The Tax Factory...

The final submission can be either a FPS or an EPS, depending on your circumstances, so if you do need to complete an EPS after the final FPS of the year then you should include the answers to the end of year declarations in that submission.

The declarations are essentially the same as the old P35 declarations:

http://www.hmrc.gov.uk/payerti/reporting/what-to-report.htm#9

Regards

Gary

Sage (UK) Ltd.

Thanks (1)
John Stokdyk, AccountingWEB head of insight
By John Stokdyk
06th Feb 2014 14:37

Unimpressed with Learning Together effort

Thanks @Euan and @The Tax Factory for sharing your latest missive. It seems to show one part of HMRC not really being up to speed with what's happening elsewhere.

It's apparent that the security boffins have put considerable time and energy into educating the marketplace about best practices - yet the same message hasn't reached their own colleagues. Including any kind of attachment in such a message goes against all the "never open any suspect attachment" advice people have been giving out for years - is it really that difficult to cut and paste the contents into the email message?

Tax Factory, you might get a better response to your EPS queries on the Any Answers page, where I suspect other members may share some of your frustrations. 

Thanks too @Subhash for sharing the Employer Annual Return phishing message - that hasn't made it to HMRC's list of examples yet, but as you point out, it's not one of the scammers' more sophisticated efforts. Thanks to RTI, end of year returns are a thing of the past and I'm particularly perplexed about the 29 Feb 2014 deadline.

I can forgive the crooks for not being up to speed with HMRC procedures, but surely they know when leap years are supposed to happen?

Thanks (1)
By ferncottage
06th Feb 2014 16:02

P35

I have had 3 e-mails today. One stating Year End 2013-14 File by 29 February, with a comment about 19 May 2013. Obviously a SCAM.

The 2 the same which appear genuine from HMRC about filing by 20 April if no payments made in March 2014.

No wonder we are all getting mystified.

I take the view that "Refunds" are usually a scam.

VAT could be a dodgy one, so I read then bin if it looks wrong.

Hope this helps.

Perhaps HMRC should use a specific coding aligned to people's UTR or Companies Reg no or Reg VAT No. It would help us ensure it was a genuine e-mail.

Richard P

Thanks (0)
Replying to johnjenkins:
By daveforbes
07th Feb 2014 10:28

It is a numbers game

Winter Soltice wrote:

Unless I am actually expecting an email, such as confirmation of a return I filed 30 seconds ago....

Millions are sent hoping one will land in your inbox just after you have filed a return, bought something on paypal or are expecting a delivery etc.

A mandatory charge of 0.1p per email would sort a lot of scam and junk.

Thanks (0)
By spurs1952
07th Feb 2014 08:23

Let's be careful out there.

The real giveaway is them signing the email Sunglasses Ron & Paddy the Greek.

Thanks (2)
By carnmores
07th Feb 2014 17:28

concerted government action is required

to stop these spammers, thieves and data corrupters, put GCHQ to something that will benefit everybody

Thanks (1)