Her Majesty’s Revenue & Customs have just urgently contacted me and all other accountants about scam self assessment submission emails being sent following the submission of genuine tax returns, and have issued the following notice:
2.3 Government Gateway Registration Notification – email scam
HMRC is aware of a bogus email being circulated advising customers to check which services they use. The email has an attachment which should not be opened as it contains a virus.
Do not respond to the email and delete it immediately.
The emails are sent from a legitimate looking email address ending in gateway.gov.uk and include a ZIP file and a reference number. When accessed as a website, the gateway.gov.uk website bears the Gov.uk logo but is in fact a fake site.
At Morgan Jones we had two such emails last Saturday. Both stated the self assessment tax return submissions were received by HMRC, but were not processed. The emails went on to suggest we click on an attachment to view the submission error report. Luckily my partner Simon Cook first checked the Revenue’s online portal, which said the tax returns had been received successfully.
Simon then immediately contacted HMRC to report the emails and was asked to forward them to firstname.lastname@example.org
HMRC have further advised those potentially affected to keep an eye on their dedicated webpage, which is updated regularly with known fake email addresses and scams. Those in receipt of such emails should forward them to HMRC (see http://www.hmrc.gov.uk/security/reporting.htm) and delete them immediately, without opening any attachments. Examples of phishing emails, letters, bogus callers and SMS text messages can be found at: http://www.hmrc.gov.uk/security/examples.htm.
Aaron Yates, managing director of web adviser firm Berea, said that phishing against businesses is on the rise and it is easy for the fraudster to get email addresses as most businesses, including small concerns, publish their email addresses on the net and in their regular advertising, such as Yellow Pages.
He commented that by far the biggest rise in this type of crime is against accountants. “It is one of the easiest points of entry in cyber crime. As with most cyber risk the employee is often the weakest link,” he said, and explained exactly what the process is:
Phishing is primarily used to encourage one of two actions:
- You click a link, or download an attachment, which installs malware such as CryptoLocker, a trojan or a key logger
- You click a link and disclose a username and password. Most people reuse passwords, therefore all other accounts (especially those in the cloud) are vulnerable and may be easily compromised after the attack, and then the fraudster has access to the information on all of the accountant’s clients.
His tips on dealing with a phishing email are as follows:
- If you don’t know the sender, don’t trust the content
- Never click a link or download an attachment until you’ve verified the email and its sender is legitimate
- Your bank will never email you asking for your username or password. If you need to access online banking, go directly to your bank’s website
- Always report all phishing emails to a relevant body. These parties should then take action to stop the cyber criminals
- Don’t use the same password twice, and always use complex passwords as defined in a password policy. Change all passwords at least quarterly. Password management software is available to make this process easier and less burdensome on the individual
- An email antivirus gateway, and regularly updated anti-virus software on your device, is a necessity should something malicious sneak through
- If an email seems too good to be true (“you’ve inherited £4m”), or the email seems a little suspicious (“payment card details incorrect”), delete it
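The email gateway tip can be made concrete with the two indicators in the HMRC notice: a sender address ending in gateway.gov.uk and a ZIP attachment. The following is an added example, not code from HMRC, Berea or this post; the function names, the sample message and the decision to hold a message only when both indicators match are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

SPOOFED_DOMAIN = "gateway.gov.uk"   # sender suffix named in the HMRC notice
ZIP_MAGIC = b"PK\x03\x04"           # first bytes of a ZIP archive

def triage(raw_bytes):
    """Return the reasons a message matches the pattern in the notice."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain == SPOOFED_DOMAIN or domain.endswith("." + SPOOFED_DOMAIN):
        reasons.append("sender")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        # Inspect content as well as the name, so a renamed archive still counts.
        if name.endswith(".zip") or data.startswith(ZIP_MAGIC):
            reasons.append("zip:" + (name or "unnamed"))
            break
    return reasons

def should_hold(raw_bytes):
    """Hold for manual checking only when sender and ZIP indicators both match."""
    reasons = triage(raw_bytes)
    return "sender" in reasons and any(r.startswith("zip:") for r in reasons)

def build_sample(sender, attachment_name=None, data=b""):
    """Constructed test message; addresses and reference are made up."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "accounts@example.org"
    m["Subject"] = "Self Assessment submission received but not processed"
    m.set_content("View the attached submission error report. Ref: 0000000")
    if attachment_name:
        m.add_attachment(data, maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()

if __name__ == "__main__":
    scam = build_sample("HMRC <no-reply@gateway.gov.uk>", "report.zip", ZIP_MAGIC + b"x")
    print(triage(scam), should_hold(scam))
```

A held message is then checked the way Simon did it: against the Revenue’s online portal, not by opening the attachment.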
You have been warned!