
Tax return deadline: watch out for ‘smishing’ attempts

With the deadline for self-assessment tax returns this Friday, ‘smishing’ scammers are looking to take advantage. Have you been sent a dodgy SMS text message?

Have you done your tax return yet? Whether or not you have (I can smugly report that mine is done and filed), you might well have had a text claiming to be from HMRC announcing that you’re due a refund.

The bad news is that it’s not from HMRC, and if you are due a refund, first, congratulations, and second, you’ll have heard about that by post – not via a text message. 

How to spot the biggest HMRC tax scam tactics

We’re all familiar with emails that arrive in our inboxes claiming to offer tax refunds, imploring us to ‘verify’ our account details and announcing that a Nigerian prince would like to park hundreds of millions of dollars in our bank accounts and give us a cut of the loot for our trouble.

‘Popular season’ for scam attempts

This time of year is a popular one for fraudsters as they attempt to trick us into handing over our log-in details.

Indeed, we warned about phishing emails claiming to be from HMRC three years ago.  

However, the scammers have added another string to their bows: SMS phishing messages, known as ‘smishing’, and we’ve noticed a bit of a flurry of them recently as scammers hope to capitalise on the fact that many of us are thinking about doing our tax return and that we’d all love a tax refund.

How can you spot one? The same principles apply to SMS messages as to emails – look at the URL they want you to tap through to. Here are two examples:

In the first, the URL is hmrc.co.uk-pending-payment.online. At first glance, that looks legit: it’s got ‘hmrc.co.uk’ in it. But it’s fake.

First, HMRC’s actual website is:

https://www.gov.uk/government/organisations/hm-revenue-customs.

Second, that URL has nothing to do with HMRC. The key is to read the hostname from the right-hand end: the registered domain here is uk-pending-payment.online, and everything to the left of it was chosen by whoever registered that domain.

Subdomains explained

In both these examples, the scammers have used a subdomain. Subdomains are a way of organising a website to help people navigate to the right place, and whoever owns a domain can create as many subdomains as they like, with whatever names they like, including ‘hmrc’ or ‘gov’.

For example, conversation.which.co.uk is a subdomain of which.co.uk.

What these fraudsters have done is create hmrc.co as a subdomain of uk-pending-payment.online.

In our second example, the full URL is:

refund.hmrc.gov.app08.net/back.html

The actual domain is app08.net, and the subdomain is refund.hmrc.gov. In this case they’re also trying to send you to a specific page on the site they set up. That’s the path, the bit after the slash: back.html.
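The two links above, plus a couple of constructed look-alikes, run through a small link-checking script. This is an added example and not code from the original article or from HMRC: it reads the hostname from the right-hand end to find the registered domain, and then checks whether that hostname really sits under gov.uk. The short table of two-part suffixes, the trusted-domain set and the extra trap URLs are assumptions of the example, not anything the article supplies.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny table of two-label public suffixes. The real
# Public Suffix List (publicsuffix.org) is far longer (and also lists gov.uk,
# under which each department gets its own registrable name); this subset is
# an assumption of the example and is enough for the hostnames on this page.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "me.uk", "com.au", "co.nz"}

# Assumption: genuine HMRC web content lives under gov.uk, as the article's
# own link (www.gov.uk/government/organisations/hm-revenue-customs) does.
TRUSTED_DOMAINS = {"gov.uk"}


def split_link(url: str) -> tuple[str, str]:
    """Return (hostname, path). Links in SMS messages usually omit the scheme,
    and urlsplit() only recognises the netloc when a scheme is present."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    # hostname already strips any user@ prefix and lowercases the result
    host = (parts.hostname or "").rstrip(".")
    return host, parts.path


def registrable_domain(host: str) -> str:
    """The part of the hostname the registrant actually controls: the public
    suffix plus one label to its left. Everything further left is a subdomain
    the domain owner can name freely (e.g. 'hmrc.co', 'refund.hmrc.gov')."""
    labels = host.split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def is_under(host: str, trusted: str) -> bool:
    """True only if host is trusted itself or ends with '.' + trusted.
    A bare str.endswith(trusted) would wrongly accept 'fakegov.uk'."""
    return host == trusted or host.endswith("." + trusted)


def check_link(url: str) -> dict:
    host, path = split_link(url)
    domain = registrable_domain(host)
    subdomain = host[: -len(domain)].rstrip(".") if host != domain else ""
    return {
        "host": host,
        "subdomain": subdomain,
        "domain": domain,
        "path": path,
        "trusted": any(is_under(host, t) for t in TRUSTED_DOMAINS),
    }


# Constructed sample: the article's two scam links, its genuine HMRC link,
# and three extra traps (not from the article) that catch naive checks.
SAMPLE_LINKS = [
    "hmrc.co.uk-pending-payment.online",
    "refund.hmrc.gov.app08.net/back.html",
    "https://www.gov.uk/government/organisations/hm-revenue-customs",
    "hmrc.gov.uk.evil.example",        # trusted name as a *prefix*, not a suffix
    "fakegov.uk",                        # endswith('gov.uk') without a dot boundary
    "http://hmrc.gov.uk@app08.net/login",  # trusted name hidden in the userinfo part
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        r = check_link(link)
        verdict = "genuine" if r["trusted"] else "NOT trusted"
        print(f"{link}\n  domain={r['domain']!r} subdomain={r['subdomain']!r} "
              f"path={r['path']!r} -> {verdict}")
```

The decisive test is `is_under`, which matches on a label boundary; `registrable_domain` is there to show what the owner actually registered, which is what the article means by ‘look at the end of the URL’. The last sample is worth noting: anything before an `@` in a URL is user information, not the host, so a browser would take `hmrc.gov.uk@app08.net` straight to app08.net.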

We’re pleased to see that both of these sites have now been taken down.

Reporting smishing texts

Suspicious texts like these should be forwarded to HMRC on 60599. You can also forward phishing emails directly to phishing@hmrc.gov.uk

What’s confusing, though, is that HMRC does send out legitimate texts urging you to get on with doing your tax return.

The scammers rely on people having had these texts and going on to assume that the scam ones are also real. This is what a genuine HMRC text looks like:

As you can see, there’s no URL and, because they’ve all come from the same sender, they appear as a single thread in your SMS app. Bear in mind, though, that the sender name on a text can be faked, so a message landing in that thread is not on its own proof that it came from HMRC; the absence of any link or request for details is the better tell.

HMRC also has a guide on its website to recognising genuine emails and texts from it.

So how good are you at recognising a phishing email or smishing text?

Test yourself with Google’s online phishing test (it’s safe to put in the details they ask for, by the way) and let us know in the comments how you got on. (I got them all correct, for the record!) 

Comments
Ian Cooper says:
31 January 2020

I completed my tax return earlier this month. Probably through coincidence (at least I sincerely hope so) I had a recorded telephone message, which began by telling me I needed to act quickly to avoid legal action and asked for my national insurance number. At this point I was in the process of hanging up, but I suspect this was a scam call connected to HMRC.

Do Not Bother Me says:
1 February 2020

https://phishingquiz.withgoogle.com/

An interesting choice of domain! Made to look like a real google.com sub-domain.

If legitimate companies do this, it is no wonder we fall for the scammers.

Nice one closing down the dodgy domains. When will we hear that the crooks have been prosecuted?

The site might seem dodgy, but in this instance it is actually a legitimate site. The “WithGoogle” domain is a Google domain that enables non-profits and others to experiment using the suite of Google tools to build different projects. Here’s a few projects that are showcased: https://experiments.withgoogle.com/

Strong point on how legit companies don’t necessarily engender trust by doing this though, not least since this isn’t very well known.