
Did scammers know about my DVLA renewal?

We’ve covered DVLA scams before, but this one caught my eye due to how closely tied it was to my real vehicle tax renewal. How did the scammers know?

While the last scam DVLA email we looked at told drivers that they were ‘not up-to-date’ with their vehicle tax, this one takes things one step further.

When I received my vehicle tax renewal in the post a while back I, like most people these days, opted to pay it online.

Everything went through as normal, but just two days later, an email appeared in my inbox that made me look twice.

Your latest vehicle tax payment failed

Even though my account flagged the message as spam, the professionally worded subject title, along with the presence of the ‘customer number’, made me open things up for a closer look.

Fortunately the email address it came from acted as a dead giveaway, but the email arriving so close to my legitimate renewal does beg the question: had my data been leaked somewhere? How did the scammers know?

DVLA and Which? advice

I let our consumer rights expert, Amelia Wade, know about the email – she got in touch with the DVLA to ask them about the scam.

Amelia Wade

The DVLA assured us its systems are secure, built to government standards and checked regularly for any vulnerabilities.

It is, however, good practice to regularly clear your browsing data, keep your browser up-to-date, ensure you’ve got good antivirus software and have good password hygiene.

Scammers are becoming increasingly conniving, so trust your spam filters and take pause to think if you’re being asked to input payment details after following a URL.

It can’t be ruled out that this case in particular could have been a coincidence – it’s not uncommon for scammers to chance their arm with multiple emails at different times.

With clever DVLA scams targeting drivers regularly, we’ve written a new guide on how to spot them, so you can stay ahead of the fraudsters.

Read our new guide to DVLA scams

We’ve included examples of the scam texts and emails themselves, as well as advice on what to do if you think you’ve followed a scam link.

Have you received a DVLA scam email just days after your real vehicle tax renewal was due? Let us know if they were clever enough for you to open them up, and if your spam filters were on the ball.

L Smith says:
29 December 2020

Same happened to me – a few days after I had paid online, got an official looking email. Surely this is happening to too many people to be coincidence? Maybe DVLA need to tighten things up a bit.

S Talbot says:
14 June 2021

I’m not sure DVLA could stop counterfeit emails from scammers, that are bulk sent and rely on chance/coincidence. As the other comments confirm, some get the scam email, even where they don’t have a car. It only appears legitimate when the email is sent to someone who has just paid their car tax.

2 weeks ago renewed vehicle tax online with DVLA. Received successful application. Today just received text message from 44 7961 031855: DVLA We have identified that you have an outstanding tax refund from an overpayment please follow https.tax refund

Barry Dawson says:
2 January 2021

Simple answer to this which is what I did when I received it, go on the DVLA vehicle tax check site punch in your reg number and it will tell you whether the vehicle is taxed or not.

Baron Wilder says:
11 June 2021

Maybe that is how they find out when your tax renewal date is due?

Jess Allaway says:
11 June 2021

Happened to me exactly like you describe. Email telling me my payment had failed and my licence was therefore invalid until paid for.

I’ve had a couple of these and I don’t even drive or own a car

Tony says:
11 June 2021

This happened to me also, there MUST be a DVLA issue.

The reason I say this is that it wasn’t a renewal but a NEW registration.

We used the computer in the VW dealership to change keeper, set up a direct debit – and got the scam email pretty much the next day.

Too much of a coincidence.

It’s possible to enter the number of any UK registered vehicle into the DVLA website and find out if it has tax and MOT, AND when these are due for renewal! With scammers these days becoming ever more sophisticated, it could be that the scammers have a database linking vehicle registration numbers with owner email addresses, (perhaps a phishing scam has revealed this to them). With these two pieces of information it would be easy for a scammer to send emails about tax renewal around about the real date of renewal.

P smith says:
12 June 2021

More likely their email accounts were compromised

I agree with P Smith. The dealership probably has an insecure system and should be reported to the Information Commissioner’s Office. It is also possible that there is a rogue in the DVLA with access to new registration details but that would be so elementary I would hope the DVLA have made it impossible. The DVLA is not perceived to be insecure but I wouldn’t be so confident about a motor trader’s operation.

Phil Higdon says:
12 June 2021

I had a few of the old DVLA scam emails and texts but not had this new one yet. I just deleted them due to 1 not having a vehicle and 2 I don’t drive full stop.

David J Allen says:
13 June 2021

I got scammed for £80 for a renewal over 70s driver’s licence. This renewal is free of charge. I complained bitterly and eventually got back £30 but I still feel cheated. Is there anything else I can do?

I don’t think there is, David. There are numerous unofficial websites offering checking and submitting services for DVLA functions. I expect that somewhere on the website you used there is a notice making it clear that they are not affiliated to the DVLA and that a licence renewal is available from the DVLA without charge.

Rebecca says:
13 June 2021

We received a scam text about paying too much vehicle tax just minutes after I’d renewed our tax online. Something tells me someone is accessing the DVLA data and they don’t know it yet

Thank goodness you realised it was a scam, Rebecca. I assume you used the gov.uk website when you purchased the vehicle tax. Is there any possibility that your computer or router is not secure?

Andy says:
13 June 2021

A lot of websites ask for your reg number (Halfords, Amazon etc) when shopping for car accessories. It’s quite possible that’s the route in – cookies? – and as has been said the tax expiry dates are effectively public information now. I had something very similar last year. Didn’t fall for it though.

Andy – I thought cookies were a possibility, loaded onto Rebecca’s device when she might have been browsing websites with a motoring content. But she received a text message. How do the scammers get the mobile phone number in order to send a text? I appreciate that many people have had to give their mobile number for all sorts of purposes, and if there is no other means of contact it is unavoidable.

The reason you are asked for your car registration is so you are offered parts and accessories specifically for your car. It should save you buying the wrong item.

You can usually search for what you want without entering your car reg though.

You can check the Tax and MOT status for any vehicle on these government sites

You will also see the dates when Tax is due and MOT expires.

Car parking vultures maintain databases of car ownership and driver details including addresses. Can they be trusted to use data honestly?

Rakesh says:
13 June 2021

Same thing happened to my dad when he sent off his passport, got a TXT message from Royal Mail asking for 2.99 for delivery, the usual scam.

The thing is I’m internet savvy (worked in IT for over 25 years). I know how to secure details. My father doesn’t do Internet shopping. His mobile number is not out there.

What I suspect is that the chain of custody of data is sent abroad. It’s very easy for a guy overseas with access to data to sell it on.

When I started working at an investment bank the first day I had mail. I looked in my cubby and it was a flyer for a tailor. Now I’ve actually used this tailor before. But how did he know when I’d be starting in a new company? He didn’t. I have no proof but again I suspect that somewhere along the chain when a new user is created that data is leaked to an interested third party.

Pete says:
14 June 2021

The DVLA say their systems are “built to government standards”…….so, about as reliable as johnson, hancock, shapps et al……

Pete – The major difference being that the three you have identified were chosen by the people. I would hope that government standards for administrative systems were at least determined objectively and basically fit for purpose.

I think we expect too much of politicians. They have no expertise in the subjects they are called upon to promote and defend, but that is seen as an advantage.

The DVLA allow all sorts of businesses access to people’s information, for a fee. This is used by private parking companies etc. Surely a scammer just needs to register with DVLA as one of these companies, pay the fee, then they can type in any registration and get the full details of the owner.

Is there evidence of this, Paul? I presumed that parking companies pay a fee each time they request a number. I do hope that they do not have unrestricted access to the DVLA’s database.

The parking companies that have access to DVLA information for enforcement purposes have to be members of one of the recognised industry trade bodies which are authorised and bound by a code of conduct. Because parking charge notices can ultimately result in court proceedings, there has to be a paper or electronic trail connecting each data request to a particular enforcement action. An individual without a substantial parking control operation and good industry credentials would find it difficult to become a member. As well as representing their members these authorised organisations are there to protect their members’ trade and there would be huge reputational damage if it became known that parking enforcement processes had been infiltrated by illegitimate agents for other purposes.

Paul – When you use the phrase “private parking companies etc.”, apart from other law enforcement agencies, MOT testing stations and motor insurance providers, what other organisations are comprised under the “etc”? I don’t think that even the roadside recovery services have access to full details of registered keepers.

Hi; I understood they paid a fee rather than pay for each enquiry. More digging is, I think, required. Whichever way it is I would expect the DVLA to keep my data secure and not hand it out to private companies and individuals.

Not sure, I will have to try to find out. Maybe a FoIA request. I did see a list somewhere. If scammers are getting information from the DVLA and it is not by one of the companies that can buy data I suppose there is always the possibility of a DVLA employer, or even police officer, getting the information. I wonder whether the DVLA keep a record of who asks for details on which registrations.

I have stuck with a paper letter advising me of when to renew tax. That has a code at the top and gives the exact internet address to go to.

Hi Paul – I have found this document which outlines the reasons for data release by the DVLA and the contractual requirements placed on parking companies: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/861052/inf266-release-of-information-from-dvlas-registers.pdf

Perhaps it would be better if the parking companies provided the DVLA with the required details and the parking charge notices sent by DVLA on behalf of the parking companies, so that our personal information remains within DVLA. I share your concern about possible misuse of information.

“Perhaps it would be better if the parking companies provided the DVLA with the required details and the parking charge notices sent by DVLA on behalf of the parking companies”
I would not want it to appear that a Government Agency was issuing parking penalties on behalf of private companies, and seeming to give them Government official status.

I presume that the process would be automated and DVLA would simply facilitate the process. I don’t want parking companies to be given access to my contact details. Are you happy with the present arrangements, Malcolm?

Paul Sullivan – Thanks for the link. I did not see your post until it had been approved.

I can see plenty of information about a vehicle but I cannot see any indication that would allow access to names and contact details.

Landowners, private car parking companies and trespass management companies
Private car parking facilities provide a vital service in towns and cities throughout the UK. Many shops, hotels, pubs and doctors’ surgeries are affected when motorists park their vehicles in breach of a car park’s terms and conditions. Properly controlled data release from the DVLA vehicle register helps these organisations operate effectively for the benefit of all motorists.

A motorist who parks a vehicle on private land does so subject to the terms and conditions set out on the car park’s signage. It is considered reasonable for businesses and landowners to seek redress if vehicles have been parked in breach of the terms and conditions. This could include overstaying the permitted time period, failing to pay the relevant charge or trespassing on land where parking is not allowed.

Vehicles may also have been inconsiderately parked, for example in a space reserved for disabled motorists when not entitled to or obstructing access for emergency vehicles.
DVLA provides data to allow landowners or their agents to pursue their legal rights and resolve disputes.

To make sure motorists are treated fairly when any parking or trespass charge is pursued, DVLA will only provide vehicle keeper details where the company is a member of an Accredited Trade Association (ATA). ATAs enforce a code of practice which covers many aspects of a car parking operator’s business. While complying with the code of practice is an important consideration for DVLA when releasing vehicle keeper data, not all requirements of the code affect reasonable cause.

DVLA will not disclose data to parking or trespass companies who are not members of an ATA. We expect the ATAs to monitor adherence to the code of practice and investigate and address non-compliance when it arises.

My main concern would be to set sensible limits on parking penalties and parking fines, not the extortionate ones currently made by both private and public operators.

That is a separate issue from DVLA passing on contact details to parking companies. I have suggested an alternative that would eliminate the possibility that personal information could be misused, which is Paul’s concern.

It is a separate issue but more important to me to address. The DVLA deal with data security. Have we had many instances – or any – where the data has been misused?

I think the DVLA statement on parking enforcement operators’ access to registered keeper details covers all the right points. I am satisfied with it.

Given that there will inevitably be correspondence and further action following the issue of a parking charge or penalty charge notice it seems pointless for the DVLA to act as agent in the initial administration of the notice. It would be a costly and cumbersome arrangement. I can’t see the DVLA wishing to act in that way either.

We might have a low opinion of parking enforcement companies but they are under considerable regulation and scrutiny, not least by the adjudicator in an appeal where misconduct or abuse of process could lead to the cancellation of the ticket. Their clients would not want that to happen on any scale and their membership of their accredited trade organisation would be terminated making further trading unviable, if not impossible.

Unless the present process is demonstrably corrupt I consider it best to leave it alone under the eyes of the ICO, the DVLA and the respective ATA [Accredited Trade Association].

John – I have suggested an automated process. When we use a debit card in an ATM belonging to another bank, sufficient information has to be exchanged to establish whether there are sufficient funds available and the cardholder is within their daily limit but it does not mean that the ATM owner has access to full details of the cardholder’s account.

Parking enforcement companies are only getting the names and addresses of registered keepers of the specific vehicle from the DVLA, not all the data the agency holds.

I question whether the DVLA should become aware of how many parking contraventions each vehicle keeper and driver has accumulated and where; that is not necessary for their primary activities. There is a risk that within the DVLA’s systems parking contravention information obtained from various operators could become aggregated either by accident or intentionally. Such data could then be open to interrogation for purposes unconnected with parking enforcement or driver and vehicle licensing.

Since the issue of a PCN will produce either a payment or a letter of objection I don’t see the point of involving the DVLA’s systems in the process, whether automated or otherwise. It will implicate the DVLA in the enforcement process and I do not see the justification for that. Parking enforcement operators need to keep registered keeper details for every enforcement event so they will obtain the data in due course.

I doubt the DVLA would want to set up a new data processing and notice issuing operation and have to reset the stationery format of the documents for every different parking company. It’s not difficult but an unnecessary complication in my view. And I don’t suppose local authorities would willingly let go of their control over the process for on-street and public car park enforcement. To me it seems like a solution looking for a problem.

We are having this discussion because it has been conjecturally postulated that parking enforcement companies are unfit to control and manage data properly. I think we should have the evidence before exploring this any further. There are enough real problems to contend with in life and parking enforcement without worrying over “What if?”s!

We would not have much discussion if we had to support all our posts with evidence, John.

I see that a set of ‘thumb’ votes has been removed since my previous visit. You might assume that I did that, but I did not.

I agree we are entitled to discuss, conjecture, chat and postulate without evidence in order to have a conversation. But when comments make assertions then it is wise to consider how those can be backed up, otherwise they can be misleading. It is not easy to stick to this principle when making quick responses on the hoof.

I had this exact same email
I don’t have a driving licence ….

Ian Robson says:
18 June 2021

Not a difficult scam to perpetrate, all renewals are 1st of the month, so just blanket mail your usual list of emails on say the 5th of the month and you’re going to hook a few.

Paul Robinson says:
19 June 2021

Skimming through the responses I get the impression there is a lot of dismissal of people’s concerns going on. I applied and paid for a replacement driving licence, something I have not done for 20 years since I live overseas. The next day I received an email stating my payment was not finalised with a link to http://www.vehicleonlineservices.co.uk requesting my credit card details. I checked and my original payment had indeed been processed. I use VPN and Bitdefender security and I am pretty careful with my online business so there is something else going on here.

Bev Poynor says:
5 July 2021

Just received scam email, what is most suspicious is, I paid for my son’s tax (not my car) on his behalf. They most definitely have access to payment details to have my email address

That’s really interesting, was it right after payment or did it take a day or so? I would be curious to see how quickly that scam email came in?