What is an impersonation scam?

An impersonation scam is where you're convinced to make a payment to someone claiming to be from an organisation you trust. This could include a bogus tax refund offer or providing your bank details to “your bank”.

Often, these scams begin with a call, email or text message that appears to be from a trusted organisation. Criminals use a tactic called spoofing to make their call or text message appear genuine by cloning the number or sender ID the organisation uses. Criminals copy designs and the branding of genuine websites to trick people into handing over their personal information. These details are then used to access people's bank accounts or are sold on.

How to spot an impersonation scam:

• You receive a call, text or email out of the blue with an urgent request to make a payment or request for your business's financial information.
• You're asked to act immediately, sometimes with the claim that “payments need to be verified” or to claim “a pending tax refund”.
• The caller may ask you to download software onto your computer/mobile device.
• The sender's email address domain is different to that of the genuine organisation.

Example of pending tax refund

You receive an email from what appears to be HMRC informing you that you are eligible for a tax refund, with a link leading to the “official claim application form”. Some extra funds would be great as you need to start paying off that holiday! You click the link and hurriedly fill out the form, not wanting to miss the stated deadline. However, you failed to notice that the email you received was, in fact, not from HMRC, the link the email contained was inconsistent with the official GOV.UK's URL and the email addressed you as “Dear Customer” instead of using your full name. The form you had just completed with all your personal information was also fake.

Several days later, you notice transactions you don't recognise on your bank statement.

If only you had taken a moment to contact HMRC directly to validate the request prior to completing the form and handing over your details.

HMRC — How to protect yourself

Do not click or open attachments or links in unexpected emails and messages (they may contain malicious software).

Do not type your bank or card details into a website link (this may result in unrecognised transactions).

Please be advised that HMRC sends text messages to some of its customers. In the text message, they might include a link to GOV.UK information or to HMRC webchat. HMRC will never ask for personal or financial information when they send text messages.

HMRC uses QR codes in 2 different ways:

• QR codes are sometimes used in letters and correspondence, but only to guide you on GOV.UK — they will not take you to a page where you have to input personal information.
• When you are logged into your HMRC account, a QR code may be used to redirect you, for example, to your bank login page.

If HMRC uses QR codes in communications you'll be able to see them on the genuine HMRC contacts page.

What to do if you've fallen victim to a scam?

If you believe you have fallen for a scam, immediately contact your bank on a number you know to be correct, such as the one on the back of your bank card.

To help fight phishing scams, you should send any suspicious HMRC text messages to 60599 (network charges apply) or email phishing@hmrc.gov.uk, then delete them.

Visit https://www.takefive-stopfraud.org.uk/ for further information.

References

1. https://www.gov.uk/government/publications/phishing-and-bogus-emails-hm-revenue-and-customs-examples/phishing-emails-and-bogus-contact-hm-revenue-and-customs-examples
   
2. https://www.takefive-stopfraud.org.uk/advice/business-advice/impersonation-scam-business/
3. https://www.independent.co.uk/money/hmrc-tax-return-scam-refund-b2496030.html