With the deadline for self-assessment tax returns this Friday, ‘smishing’ scammers are looking to take advantage. Have you been sent a dodgy SMS text message?
Have you done your tax return yet? Whether or not you have (I can smugly report that mine is done and filed), you might well have had a text claiming to be from HMRC announcing that you’re due a refund.
The bad news is that it’s not from HMRC, and if you are due a refund, first, congratulations, and second, you’ll have heard about that by post – not via a text message.
We’re all familiar with emails that arrive in our inboxes claiming to offer tax refunds, imploring us to ‘verify’ our account details and announcing that a Nigerian prince would like to park hundreds of millions of dollars in our bank accounts and give us a cut of the loot for our trouble.
‘Popular season’ for scam attempts
This time of year is a popular one for fraudsters as they attempt to trick us into handing over our log-in details.
Indeed, we warned about phishing emails claiming to be from HMRC three years ago.
However, the scammers have added another string to their bows: SMS phishing messages, known as ‘smishing’, and we’ve noticed a bit of a flurry of them recently as scammers hope to capitalise on the fact that many of us are thinking about doing our tax return and that we’d all love a tax refund.
How can you spot one? The same principles apply to SMS messages as to emails – look at the URL they want you to tap through to. Here are two examples:
In the first, the URL is hmrc.co.uk-pending-payment.online. At first glance, that looks legit: it’s got ‘hmrc.co.uk’ in it. But it’s fake.
First, HMRC’s actual website is:
Second, that URL in the image has nothing to do with HMRC. The key is to look at the end of the URL – in this case, the domain is uk-pending-payment.online.
In both these examples, the scammers have used a subdomain. This is a way of organising websites to help people navigate to the right place, and you can create as many subdomains as you like on a domain you own.
For example, conversation.which.co.uk is a subdomain of which.co.uk.
What these fraudsters have done is create hmrc.co as a subdomain of uk-pending-payment.online.
In our second example, the full URL is:
The actual domain is app08.net, and the subdomain is refund.hmrc.gov. In this case they’re also trying to send you to a specific page on the site they set up. That’s the bit after the slash: back.html.
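As an added example (not from the original post), here is the “read the URL from the right” rule in code: a small Python helper that splits a hostname into public suffix, registered domain and subdomain, then flags a brand name that appears only in the subdomain part. The suffix list is a deliberately short stand-in for the full Public Suffix List and is an assumption of this example.

```python
from urllib.parse import urlsplit

# Hand-picked public suffixes covering the hosts discussed in the post.
# Assumption: a real tool would load the full Public Suffix List instead.
PUBLIC_SUFFIXES = {"co.uk", "gov.uk", "org.uk", "uk", "online", "net", "com"}

# Brand labels the scam texts impersonate; seeing one only in the
# subdomain part is the red flag the post describes.
BRAND_LABELS = {"hmrc"}


def registrable_domain(host: str) -> tuple[str, str]:
    """Return (subdomain, registered domain) for a hostname.

    Works from the right, as the post advises: the longest matching public
    suffix plus the label just before it is what was actually registered;
    everything to the left of that is a subdomain the owner made up.
    """
    labels = host.lower().rstrip(".").split(".")
    # Longest suffix first so "gov.uk" beats "uk".
    for n in range(len(labels) - 1, 0, -1):
        suffix = ".".join(labels[-n:])
        if suffix in PUBLIC_SUFFIXES:
            domain = ".".join(labels[-(n + 1):])
            sub = ".".join(labels[:-(n + 1)])
            return sub, domain
    # Unknown TLD: fall back to the last two labels.
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def assess(url: str) -> dict:
    """Break a URL down the way the post does and say whether a brand name
    sits only in the subdomain (the hmrc.co / refund.hmrc.gov trick)."""
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to find the host
    parts = urlsplit(url)
    sub, domain = registrable_domain(parts.hostname or "")
    sub_labels = set(sub.split(".")) if sub else set()
    brand_in_sub = bool(sub_labels & BRAND_LABELS)
    brand_owns_domain = domain.split(".")[0] in BRAND_LABELS
    return {
        "domain": domain,           # who really registered this
        "subdomain": sub,           # what they bolted on the front
        "path": parts.path,         # the bit after the slash
        "suspicious": brand_in_sub and not brand_owns_domain,
    }
```

Running `assess` on the two texts in the post gives `uk-pending-payment.online` and `app08.net` as the real domains, with `hmrc.co` and `refund.hmrc.gov` as the decoy subdomains.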
We’re pleased to see that both of these sites have now been taken down.
Reporting smishing texts
Suspicious texts like these should be reported to HMRC on 60599. You can also report phishing emails to it directly using firstname.lastname@example.org
What’s confusing, though, is that HMRC does send out legitimate texts urging you to get on with doing your tax return.
The scammers rely on people having had these texts and going on to assume that the scam ones are also real. This is what a genuine HMRC text looks like:
As you can see, there’s no URL and, because they’ve all come from the same SMS provider, they appear as a thread in your SMS app.
HMRC also has a guide on its website to how to recognise genuine emails and texts from it.
So how good are you at recognising a phishing email or smishing text?
Test yourself with Google’s online phishing test (it’s safe to put in the details they ask for, by the way) and let us know in the comments how you got on. (I got them all correct, for the record!)