Researchers Warn About a New SMS Phishing Scam That Uses HMRC to Extract Sensitive Information

Have you received a text message claiming that you are eligible for a tax refund or rebate? If you live in the United Kingdom, chances are that you have been targeted by a clever HMRC scam. Hopefully, you know that HMRC does not send SMS messages about refunds, and you can also tell the signs of a phishing SMS scam. If you have been duped already, let’s discuss how this scam works and what you can do to protect your privacy. We also present tips that, hopefully, will help you identify scams in the future. As always, we encourage you to use the comments section should you have any questions.

Do NOT trust text messages sent by HMRC

The scam we are discussing today was first reported back in June by Harry Brennan at Griffin Law. It targeted self-employed Brits who were looking for financial aid during the COVID-19 pandemic. The United Kingdom is currently in its second lockdown this year, and so the HMRC scam is likely to reemerge. It might be the same, but it also might take on a different face. That said, if you are able to recognize one version, you should be able to recognize the rest of them too. The SMS message that was sent around in June read: “(HMRC) Records indicate that you have a pending tax rebate. Follow the below link to calculate your claim: [link].”

As we have mentioned already, HMRC does not send SMS messages about tax refunds, and so this is a sign of a phishing SMS. Here is what the government has to say about text messages:

HMRC will never ask for personal or financial information when we send text messages. Do not reply if you get a text message claiming to be from HMRC offering you a tax refund in exchange for personal or financial details. Do not open any links in the message. Send any phishing text messages to 60599 (network charges apply) or email phishing@hmrc.gov.uk then delete it.

The government is also warning about other Coronavirus-specific scams that are primarily delivered using text messages. One of them is known as the ‘Goodwill payment’ SMS scam, which claims that recipients of the message are eligible for a “goodwill payment.” The second one is known as the ‘£250 fine’ scam, which goes the opposite way and claims that recipients of the message will be fined if they leave their home. All of these scams are set up to make targets click links and call the provided numbers, and that is the case with the HMRC scam as well. The link that is included in the message might seem legitimate, but if you click it, you are routed to a fake version of the gov.uk website.

If you do not recognize signs of a phishing SMS, you might end up clicking through a fake refund form and disclosing such sensitive information as your full name, home address, payment card name, number, expiry date, and security code, and also the number and the sort code of your account. Needless to say, this HMRC scam was specifically designed to extract sensitive information, and while the example we have analyzed did not ask the target to log into their HMRC online account, a different version of the same scam could try to trick you into disclosing your password. Using the data that you disclose, schemers could impersonate you, apply for legitimate tax refunds or financial aid, and steal your money.

5 signs of a phishing SMS scam

There are several things you need to ask yourself if you want to catch the HMRC scam in time.

  1. Why did HMRC send you an SMS message? If this message refers to a tax refund/rebate or asks for personal information, it was NOT sent by HMRC.
  2. Is the link included in the message legitimate? Most likely, it is not. If the page looks like an official website but the URL in the address bar does not match that website, you can be sure that the page is malicious. In the HMRC scam, for example, victims are redirected to a mockup of gov.uk, but the URL is entirely different.
  3. Are you eligible for a refund? As you now know, you must not expect refund-related information to be relayed through SMS messages, but if you think that you are eligible for a tax refund, exit the message, and use your browser to go to www.gov.uk/claim-tax-refund directly.
  4. Is the message related to the Coronavirus/COVID-19 pandemic? If it is, keep in mind that COVID-19 scams are on the rise. Due to this, you have to be on high alert with every email, direct message, text message, or phone call you receive about the pandemic.
  5. Is someone trying to steal information? That is the question you always want to ask yourself whenever you receive a message asking to fill out a form or log into an account. It is always best to visit the form or account directly via your browser, not via a link presented via a strange text.
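The link check from sign 2 combined with the lure check from sign 1, as an added example that is not part of the original article. It assumes that only gov.uk and hosts ending in ".gov.uk" count as official; the keyword list, the `.example` link and both sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

OFFICIAL_SUFFIX = "gov.uk"  # assumption: official hosts are gov.uk or *.gov.uk
LURE_WORDS = ("refund", "rebate", "goodwill payment", "fine")  # constructed list
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s\]]*)?", re.I)

# Constructed samples: the June wording with a made-up link, and a harmless text.
SAMPLE_SCAM = ("(HMRC) Records indicate that you have a pending tax rebate. "
               "Follow the below link to calculate your claim: "
               "https://hmrc-gov.uk.tax-claim.example/rebate")
SAMPLE_SAFE = "Use your browser to go to www.gov.uk/claim-tax-refund directly."

def host_of(url):
    """Return the lower-cased hostname, adding a scheme if the SMS omitted it."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def is_official_host(host):
    """Match whole labels: 'notgov.uk' and 'gov.uk.other.example' both fail."""
    return host == OFFICIAL_SUFFIX or host.endswith("." + OFFICIAL_SUFFIX)

def check_sms(text):
    """Return a list of warnings for one SMS body (empty list = nothing flagged)."""
    warnings = []
    lowered = text.lower()
    if "hmrc" in lowered and any(word in lowered for word in LURE_WORDS):
        warnings.append("claims to be HMRC and mentions a refund, rebate, payment or fine")
    for match in URL_RE.finditer(text):
        host = host_of(match.group(0))
        if is_official_host(host):
            continue
        note = "link host is not under gov.uk: " + host
        if "gov.uk" in host or "hmrc" in host:
            # The official name appears inside an unrelated domain.
            note += " (lookalike)"
        warnings.append(note)
    return warnings

if __name__ == "__main__":
    for sample in (SAMPLE_SCAM, SAMPLE_SAFE):
        print(check_sms(sample))
```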

If you have been tricked into disclosing sensitive information by this clever HMRC scam, the first thing you want to do is report the scam, and you now know that you can forward it via text to 60599 or via email to phishing@hmrc.gov.uk. Do not skip this step because that might save someone else. Second, you want to do whatever it takes to protect the information you disclosed. If you disclosed your payment card or online banking data, call your local bank branch immediately. They will advise you on how to secure your accounts and money.

If you have been tricked into disclosing private information, watch out for scams that might be personalized. And if you have disclosed login information, change your password ASAP. If you want to take an extra step of securing your password, go ahead and install the trial version of Cyclonis Password Manager. Using this tool, you will be able to replace the vulnerable password with a stronger alternative, and you will also be able to store the password in a secure vault, which no one but you will be able to get into.

By Foley
December 7, 2020