HMRC have responded to a recent report in the Sunday Times that criminals have hacked into taxpayers’ online tax returns and have flatly denied that it’s happening.
What might cause The Times to think HMRC have been hacked?
The Sunday Times highlighted an incident involving Jackie Annesley, the Sunday Times Style Magazine’s editor, who alleged criminals had falsified her tax return in order to steal £1,826. Annesley received notification concerning suspicious activity occurring on her self-assessment account. After the hacking attempt, Annesley said: “You have to think the fraudsters are cleverer than HMRC.”
HMRC has reassured taxpayers and accountants that its systems remain secure and stated categorically that there hadn’t been a breach in their security. They then proudly trumpeted that they have intercepted more than 17,000 fraudulent or incorrect repayment claims out of the 3.4 million which have been processed.
However, when pressed, the HMRC spokesperson admitted that there had been a number of successful fraudulent hacks into taxpayers’ self-assessment accounts, but stated that this wasn’t a result of failures in their systems and was more likely to be negligence on the part of the taxpayer.
He went on to suggest that the Annesley incident was most likely due to her or her accountant not keeping their details or their systems secure.
Phishing attempts using HMRC clothing
The self-assessment season this year saw a marked increase in phishing emails claiming to be from HMRC. Commenting at the start of January, Brian Spector, chief executive of the web security firm MIRACL, warned: “With all the financial data involved in a tax return, a criminal could potentially take out a mortgage in your name. Data theft and identity fraud is a multi-billion dollar business on the dark web, and so consumers must be vigilant.”
An HMRC spokesperson responded: “Our online services have not been hacked and remain secure. We take our obligations around protecting customer data extremely seriously and have systems in place to review suspicious activity and monitor access to accounts. It’s only right that when appropriate we contact taxpayers and any agents acting to alert them to any concerns.”
HMRC recommends that anyone concerned keep their online credentials safe and follow best practice on changing passwords, and has directed taxpayers and accountants to its website for further advice on the subject.
How do the hackers get access to Government Gateway Users?
HMRC has admitted it is aware of cases where criminals have harvested log-in details from shared computers used by taxpayers to complete their online returns. The criminals use the harvested log-in details to alter a user’s tax return and nominate a bank account under the gang’s control to receive the refund.
An HMRC spokeswoman said that taxpayers should be especially careful with their log-in details and passwords and ensure they are kept secure. She warned against using ‘shared’ computers, such as those in an office or internet café, to complete a tax return or conduct any form of financial transaction.
Brian Spector commented:
“Members of the public should take extreme care when using so-called ‘free wi-fi’ in places such as cafés, pubs, shopping centres and the like. In these open access places, the wi-fi is not usually encrypted and is particularly vulnerable to hackers.”
Email addresses and further information
HMRC will never send notifications of a tax rebate/refund by email, nor will they ask you to disclose personal or payment information by email or by text messaging. They have advised that taxpayers should not visit any website linked in such an email or disclose any personal or payment information.
Further information, and a list of the spoof email addresses most commonly used to distribute the tax rebate scam emails, can be found on HMRC’s website page ‘Phishing and scams’. To find out more go to: https://www.gov.uk/topic/dealing-with-hmrc/phishing-scams
Is the taxman really blameless?
HMRC robustly maintains that its systems are robust and that any fraud must be the fault of taxpayers. But whilst they blocked over 17,000 attempts last year, how many more attempts were actually successful?
A web fraud security expert commented that, given HMRC’s past reputation for ‘leaky software’, it is inconceivable that they stopped every attempt, and anecdotally the true number is nearer 30,000, which is probably why the taxman introduced a range of new security measures this year, including ‘2 Factor Authentication’, to reduce the risk of fraud.