Muras Matters: HM Revenue & Customs and ‘Phishing’ Emails


On Friday HM Revenue and Customs (“HMRC”) issued another warning of ‘phishing’ emails being sent out by fraudsters. This follows the warnings in the run-up to the Self Assessment deadline in January. With the worldwide ransomware virus issues of the last few days, it is essential to be vigilant with all such supposedly official correspondence.

The latest warning was in regard to emails with the subject ‘Your 2016 Tax Report’, complete with attachment. HMRC advise that such an attachment should not be opened, and should instead be forwarded to them and then deleted.

Fraudsters do not only use emails to try to obtain information: there have been instances of text messages, supposedly from HMRC, notifying the taxpayer that a refund is due.

It is common for these notifications to promise refunds and include a link to a fake replica of HMRC’s website. The website then asks for credit or debit card details, passwords or other sensitive information, which will then be used to try to take money from the victim’s bank account or steal their identity.

How to tell if an email is fraudulent

Here is a list of things to watch out for when receiving suspicious emails:

  1. Spelling mistakes and poor grammar.
  2. Incorrect email address – the sender’s address is usually similar to, but not an exact match for, an authentic email address.
  3. Personal information – authentic HM Revenue & Customs emails will never:
    • notify you of a tax rebate;
    • offer you a repayment;
    • ask you to disclose personal information such as your full address, postcode, Unique Taxpayer Reference or details of your bank account;
    • give a non-HMRC personal email address to send a response to;
    • ask for financial information such as specific figures or tax computations, unless you’ve given them prior consent;
    • have attachments, unless you’ve given prior consent;
    • provide a link to a secure log-in page or a form asking for information – instead the Revenue will ask you to log on to your online account to check for information.
  4. Urgent action required – be wary of emails claiming to be from the Revenue and containing phrases like ‘you only have 3 days to reply’ or ‘urgent action required’.
  5. Bogus websites – links to these are contained in the fake email and used to capture bank details and other confidential data.
  6. Common greeting – fraudsters seldom have your name and will often use greetings like ‘Dear Customer’. HMRC usually use the name you’ve provided.
  7. Attachments – these could contain viruses designed to steal your personal information.
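
The checklist above can be applied mechanically as a first-pass triage. The following is an added example, not code from HMRC or from this article: it parses a message with Python's standard `email` library and reports which checklist items it triggers. The genuine domain `hmrc.gov.uk`, the flag names, the helper names and the sample message are assumptions constructed for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: the domain treated as genuine. Replace with the addresses HMRC publishes.
GENUINE_DOMAIN = "hmrc.gov.uk"
# Checklist items that can be tested against the subject and body text.
TEXT_CHECKS = {
    "refund-promise": re.compile(r"\b(refund|rebate|repayment)\b", re.I),
    "urgency": re.compile(r"urgent action required|only have \d+ days? to reply", re.I),
    "generic-greeting": re.compile(r"^\s*dear (customer|taxpayer)\b", re.I | re.M),
    "link": re.compile(r"https?://\S+", re.I),
}

def build_message(sender, subject, body, attachment=None):
    """Build a constructed test message (not a real sample)."""
    msg = EmailMessage()
    msg["From"], msg["Subject"] = sender, subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg

def phishing_indicators(msg):
    """Return the names of the checklist items the message triggers."""
    hits = []
    # Item 2: sender domain must match the genuine domain exactly (or be a subdomain).
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if domain != GENUINE_DOMAIN and not domain.endswith("." + GENUINE_DOMAIN):
        hits.append("sender-domain-mismatch")
    # Items 3 to 6: patterns in the subject and the text body.
    part = msg.get_body(preferencelist=("plain", "html"))
    text = str(msg.get("Subject", "")) + "\n" + (part.get_content() if part else "")
    hits += [name for name, rx in TEXT_CHECKS.items() if rx.search(text)]
    # Item 7: any attachment at all is a flag.
    if any(True for _ in msg.iter_attachments()):
        hits.append("attachment")
    return hits

# Constructed lure modelled on the one the article describes.
LURE = build_message('"HM Revenue & Customs" <refunds@hmrc-gov.example>',
                     "Your 2016 Tax Report",
                     "Dear Customer,\nA refund is due. Urgent action required.\n"
                     "http://hmrc-refund.example/login\n", attachment="report.doc")

if __name__ == "__main__":
    for name in phishing_indicators(LURE):
        print("flag:", name)
```

The sender check only catches lookalike addresses: the From header can be forged, so a matching domain is not proof that a message is genuine.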

These emails are, of course, not restricted to Self Assessment and all taxpayers are at risk. HMRC have confirmed they will never ask people to disclose personal or payment information by email and have asked those receiving such requests to forward emails to

If you have any questions on the above or if you are concerned about authentic correspondence from the Revenue please contact our Tax Director, Jenny Marks.