/ Money

Listen to this HMRC scam voicemail

The news that HMRC is to crack down on ‘number-spoofing’ is timely – here’s a scam voicemail I received just last week. Have you been contacted?

HMRC’s helpline numbers often begin with 0300, so when I received a call from one last Thursday morning, it did make me look twice.

I’ve got a bit of a policy to not answer numbers I don’t recognise, though. After all, if they’re legitimate and it’s important, I rely on the caller to leave a voicemail. When it’s a cold call or a scam, that hardly ever happens.

But then a voicemail did arrive.

A tax fraud case registered in your name

The message implores you to press ‘1’ to ‘get connected to the officer of HMRC’. The message goes on to make the threat that if you’re not connected, a warrant will be issued under your name and you ‘will be arrested shortly’.

Listen to the voicemail:

That part was a little too close to parody for me and did make me laugh at its outlandishness.

But when I played it to my parents a few days later, they made a good point; ‘that could be scary for some people – less tech-savvy people could easily panic and think that was real’.

And it is a good point. In voicemail form, this particular scam might not represent much of a threat (pressing 1 while listening to your voicemails isn’t going to connect you to anyone).

But I’m now thinking of the psychological impact on someone who could easily think this was real – it’s an especially disturbing message to receive under the guise of an official government department.

‘Breakthrough’ controls to fight number-spoofing

Criminals have been able to fake calls from real HMRC numbers, meaning anyone Googling it to check on its authenticity may well be tricked into thinking the call was genuine.

Fortunately, HMRC is fighting back. New measures have been implemented in partnership with Ofcom and the telecoms industry in an attempt to put an end to number-spoofing.

The tax authority said it had already received 25% fewer scam reports than the previous month. Criminals will still turn to less credible numbers to attempt their scams, but eliminating the illegitimate use of official numbers will make them much easier to spot.

Gareth Shaw, Head of Which? Money said:

“For too long, fraud victims have lost life-changing sums of money to scammers they believed to be legitimate. Number spoofing can be incredibly hard to spot, so it is good to see HMRC, one of the most impersonated firms, taking action to stop fraudsters from exploiting their helpline number and identity.

A cross-sector approach is needed to tackle fraud, and it is now vital other public bodies and firms that are commonly impersonated follow this example and work with telecoms companies and Ofcom to stop fraudsters spoofing their numbers and targeting victims”

We’ve put together advice on how to spot HMRC phone scams, including voicemails that contain threatening language such as this one.

You can report these calls to Action Fraud on 0300 123 2040, or use its online reporting tool.

Have you received a call or voicemail from HMRC scammers? Do you think tactics like this could succeed in duping vulnerable people?

Comments

It’s not clear how phoning a legitimate number will connect with an illegitimate caller. Surely, the line connection only goes to one end point in the HMRC office. Fraudsters need to divert this call in some way to get the victim connected to them. If they can do this with HMRC numbers they could do the same with banks and siphon off current accounts without the caller knowing it is happening. Likewise any other financial call. Does this mean that our telephone system is now hackable and crooks can move calls around at random?

Thanks, George.

I think they are saying callers numbers are spoofed to look like the genuine numbers. Who on earth knows a genuine number of HMRC?

The 25% reduction is more likely to be anybody who is going to report it has already done so as the fraudsters go round again on their database of numbers.

I have had this call for months now, but when I have searched the caller, none of their numbers have come up as the genuine HMRC.

This is an interesting statement:
Fortunately, HMRC is fighting back. New measures have been implemented in partnership with Ofcom and the telecoms industry in an attempt to put an end up number-spoofing.

According to the link:
Thanks to HMRC’s new controls, scammers are no longer able to spoof the tax authority’s well-known 0300 helpline numbers.
They are still able to use fake numbers to conduct scams, but as these numbers can’t be the same as HMRC’s, the scams will be far less convincing.

I would love to know exactly how this works.

edited..

I see George has posted whilst I was typing!

It doesn’t exactly explain things. The fraudster must use his/her number to make the call since that’s what connects him/her to BT. When they have done that, they must have found a way to insert another number into the system so that the victim sees the altered number on his/her phone. Anyone could just say the number as they speak. Anyone could also write the legitimate address in an e. mail, but then would lose the victim if they replied. So how does one know whether the call is genuine if the number is correct? Naturally the victim is encouraged to give verbal details there and then, so there is no reply phone call needed. That is where one has to be careful and suspicious.

I am also trying to understand this Vynor.

https://www.bbc.co.uk/news/business-48475434
Part of the fraudsters’ tactics was to manipulate the caller number display to show HMRC’s actual phone numbers.
Now HMRC has put a block on these numbers, so they cannot be shown.

https://www.gov.uk/government/news/controls-prevent-phone-fraudsters-spoofing-hmrc
HMRC will continue to work with network providers to eradicate fraudulent numbers that are reported, and during the last 10 months has requested the removal of over 1,050 numbers from being used by scammers.

Some explanations here:
https://www.ukauthority.com/articles/hmrc-extends-anti-spoofing-work-from-email-and-sms-to-phone-numbers/
The tax agency has not detailed how the blocking works, but the controls – introduced with regulator Ofcom and the telecoms industry – follow similar anti-spoofing work covering email and text messaging.

https://www.ukauthority.com/articles/hmrc-takes-down-20-000-malicious-websites-in-a-year/
Dated 2016: https://www.ukauthority.com/articles/hmrc-cuts-phishing-emails-by-300-million-this-year/

HM Revenue & Customs (HMRC) has claimed to have cut the number of phishing emails attributed to its domain by 300 million through using the DMARC validation system.

I am curious to know why the controls only seem to be for specific numbers and why they can’t be applied to all valid numbers.

Why is number spoofing not made illegal?

Why can’t all unpaid-for numbers be stopped from traversing our networks as most fraudsters use numbers that seem to be from small communities with many spare phone numbers.

We’re extremely fortunate. Because of my beloved’s previous profession we have a protected, unlisted number and it seems to prevent us from ever getting a nuisance call, let alone a Spam call.

Can you protect and delist your number …how is this done.

Another example of why thumbs down should be abandoned. What is the point in giving it to Ian’s straightforward contribution without any explanation?

Kevin says:
4 June 2019

I believe one method of operating this scam is to phone the victim (using a recognised number or not), if there’s pushback from the victim, fraudster suggests that the victim replaces the phone and gets them to call a number ALREADY known to them for the organisation (tax, bank etc).

The fraudster’s call is never actually disconnected (this must be done from the caller end of the call), they then play back appropriate sound effects to fool the victim into thinking they’ve made a new call to the known number.

Fraudster then ‘answers’ the call, game over, victim is convinced they are talking to HMRC/bank.

“A cross-sector approach is needed to tackle fraud……“. So true. I wish as much campaigning effort went in to getting a properly resourced organisation established to diligently investigate and curb fraud, and develop preventitive measures, as goes into demanding compensation for all. We need to reduce crime, not ignore it and just repay the victims.

I 100% agree with you malcolm. Instead of paying millions and millions in compensation, why can’t they put the money to better use in tackling the reasons for compensation.

The banks are going to be paying out billions with criminals laughing all the way to the bank (‘scuse the bad pun)

That money would be put to much better use financing a task force to fight the fraudsters.

Big organisations including government are not interested. Fraudsters used my details from Companies house to duplicate cheques and a forged signature. Neither the bank HSBC nor Companies house would even enter into conversation.

I missed an 0300 call today.

An online search has not revealed anything about the caller, but the interesting thing is one of 3 similar ads
at the top of the search results:
Contact HMRC Tax Office Number | a telephone connection number
http: //tax-info-service.com/your-helper/hmrc
Contact HMRC Tax Office Customer service using a connection service

Do people really fall for this cr@p?

Call 0903 727….
Calls cost £3.60 per minute with a minimum charge of £3.60, plus your phone company’s access charge
This website and telephone connection service number is operated by A2B Telecom Ltd and is not affiliated with, or operated by, HMRC. A direct number can be obtained from HMRC’s website at no or lower cost by clicking here

Clicking here does take you to http://www.gov.uk but do people really use this service?

I had 2 phone calls yesterday both starting with 0300200. One ended 4686, the other 6311, the first one I missed but the second one was the threatening HMRC scam.

A search of 0300200 numbers reveals they are The main contact numbers you are likely to need for HMRC (and the on-line alternatives) are:………

Are the new measures to fight number-spoofing working?

In the header George wisely points out the psychological aspect and the effect this can have on the vulnerable, a tactic used by the scammer to shock and confuse in order to manipulate their victims into compliance.

But I’m now thinking of the psychological impact on someone who could easily think this was real – it’s an especially disturbing message to receive under the guise of an official government department.

The following website explains this impact and ways in which you can approach it when you receive unexpected shock news.

https://www.psychologytoday.com – What is Psychological Shock and 5 Tips for Coping. How to deal with unexpected traumatic events.

Ken Austin says:
8 June 2019

BT should not allow spoofing of numbers. I believe it is to protect callers who genuinely need to be anonymous. To cover that all spoof numbers should just be 000000000

@gmartin, George, it would be useful if Which? asked BT to explain to the layman how HMRC numbers can no longer be spoofed and how this solution can be applied elsewhere (or what prevents it).

Sandra Andrews says:
8 June 2019

I have a Virgin phone line and received a similar call supposedly from HMRC a few months ago – but with a woman’s voice. I logged onto the HMRC website to check if there were any messages from me and, of course, there weren’t.

RGradeless says:
8 June 2019

In line with the banks’ plans to refund victims of bank transfer fraud I assume we can expect HMRC to refund the victims of these tax frauds. It would be unjust to require one organisation to make refunds but not another.

The Government’s own “take five” promotion in my opinion is weak and not helpful. The message should be not to answer ANY calls or texts that you dont recognise. If you do answer by mistake just put the phone down. All genuine communications come by post or email stating your full details.

Also the phone companies could easily stop these spoofs but it is not in their interests. Why else would there be extortionate phone rates that cannot be terminated. How without the phone companies turning a blind eye can false number displays be possible….its not the spammers system.

When I complained to DVLA and my MP about high priced phone connection websites to government offices I was totally ignored. Disgrace.

Jo Jaidev says:
8 June 2019

I’m puzzled by this! Are we to believe that HMRC, or any other government organization, for that matter, initiates the recovery of money owed through a phone call spoken by a robot?! No written demand?
Surely the universal message ought to be to ignore all these calls and wait for a letter! Tell every elderly person you know especially those living alone. I tell everyone over the age of 60 who cares to listen!

Agree the extortionate rates of phone calls to all government organizations has to be stopped. I did not know until last week that 101 calls were charged! They have decided to stop that and congratulations to them! There is hope!
Jo

Michael Thompson says:
9 June 2019

How anybody with two neurones to rub together could be fooled by that message is beyond me. It shouts ‘fraud’ from the off!!

Janis says:
9 June 2019

Earlier this year I was being bombarded with emails which purported to be from HMRC. They contained numerous links which recipients were encouraged to click into. HMRC confirmed that the emails were indeed from HMRC but wouldn’t comment on my complaints that because the emails contained nothing to indicate that they were genuine, HMRC was irresponsibly encouraging people to access emails which contained none of the basic indicators that they were likely to be genuine.

In earlier years I received calls from HMRC (which I later found out were genuine) when the caller would not tell me what the call was about unless I told them my date of birth !! Obviously I refused to give them the information they requested.

My MP raised this (and other issues) with HMR on 2 occasions, but even she received no response. This indicates that HMRC is a law unto itself and has done nothing to ensure that people know what they should be looking for to identify fraudulent communications – in fact quite the opposite.

I’d like to see links stopped in emails. They simply ask you to go to the organisation’s normal website (you can Google it if you don’t have it saved) and deal with them from there. If an organisation wants to talk to a registered client then you can either phone them yourself, or use a logged-in secure messaging service. But for this to be usable requires a quick response. So investment in people and systems. If I phone my energy company and they are busy with other callers they will, of I wish, arrange a time to call me back. Surely not beyond the capability of HMRC (and others)?

I agree. Links in emails have been so thoroughly compromised by criminals it’s time they were eliminated. They have some use, however, between friends and known trusted associates, but not a use we couldn’t manage without.

Kevin says:
9 June 2019

I agree encouraging customers to click on a link in an email is normalising a risky practise.
However, relying on a search engine to locate a definitive link is probably as risky. There’s no easy solution to this, but customers need to take some responsibilty to educate themselves on the technology, and banks need to take a more proactive role providing straightforward systems and security, and simple best practise guides.

What is unacceptable is that well known banks will use a different domain in the link to their real domain name (eg domain should be xbank.co.uk, but the email link will be for xbank-service.co.uk).
This is common practice with HMRC too.Typically the link resolves to some third party marketing company the organisation has contracted out to, so even an ‘educated’ user cannot check that the SSL certificate matches their bank.
Technically the bank could as easily use service.xbank.co.uk, which would have a valid certificate, but either the marketing dept overules the security dept, or the security dept are incompetent. Either way, it says volumes about regulation and compliance of British banking, and the lip service banks pay to security when it conflicts with their bottom line.

Nancy Dunne says:
10 June 2019

The telephone companies should block calls that are not showing a correct Caller Line Identity. All potential scam calls I receive are spoofing the number shown on screen. I bought a call blocking phone to stop the spoofed number calls. When the scammers are asked to announce themselves they hang up and I’m unaware of the call. When I’m expecting an important call but don’t know the callers number I switch call bocking off and I receive a scam call within a few days.