Don’t get caught out by fraudulent emails and phishing scams

24th July 2017

Online fraudsters are becoming increasingly sophisticated in the presentation of fake emails, making it harder than ever to spot when an email is real. To help you stay safe, we’ve put together a guide on how to spot the latest phishing scams and what to look for to make sure that you only interact with genuine emails.

What is a phishing scam?

Scammers use phishing and other types of social engineering to try to trick you into sharing personal information—such as passwords or credit card information. It can happen by email, phone, text message, or even through pop-up notifications when you’re browsing the web.

How to spot phishing activity

Scammers often use messages and notifications that are designed to look like they’re from a legitimate company or a person that you know. However there are some common signs of possible phishing attempts to look out for, including the following:

  • The sender’s email address doesn’t match the name of the company that it claims to be from.
  • The message was sent to an email address or phone number that’s different from the one that you gave that company.
  • A link appears to be legitimate but takes you to a website whose URL doesn’t match the address of the company’s website. Just because the page may look genuine, doesn’t mean it is. Bogus webpages often contain links to banks/building societies, or display fields and boxes requesting your personal information such as passwords, credit card or bank account details. You should be aware that fraudsters sometimes include genuine links to company web pages in their emails, this is to try and make their emails appear genuine.
  • The message starts with a generic greeting, like “Dear valued customer” — most legitimate companies will include your name in their messages to you.
  • The message looks significantly different from other messages that you’ve received from the company.
  • The message requests personal information, like a credit card number or account password.
  • The message is unsolicited and contains an attachment.
  • The phone call is unsolicited and the caller claims to be an employee of the company but is asking you for your details.
  • Fraudsters often ask for immediate action. Be wary of emails containing phrases like ‘you only have 3 days to reply’ or ‘urgent action required’.


HMRC phishing scams

HMRC has been a real target of scammers in recent years, and even some of the most tech-savvy business owners have been caught out by the increasingly-sophisticated emails. Some simple rules to remember when receiving communication from HMRC are that they will never:   

  • Notify you of a tax rebate
  • Offer you a repayment
  • Ask you to disclose personal information such as your full address, postcode, Unique Taxpayer Reference (UTR) or details of your bank account
  • Give a non HMRC personal email address to send a response to
  • Ask for financial information such as specific figures or tax computations, unless you’ve given HMRC prior consent and you’ve formally accepted the risks
  • Have attachments, unless you’ve given prior consent and you’ve formally accepted the risks
  • Provide a link to a secure log-in page or a form asking for information – HMRC will always ask you to log on to your online account to check for information


Some examples of the latest HMRC scams

Spotting Genuine HMRC Emails

To help you spot the real from the fake – here is a list of the genuine HMRC emails and text messages that are being sent out currently or in the near future. You should view full details of these texts/emails here on HMRC’s website.

  • VAT Flat Rate Scheme
  • Calls to Self Assessment Online users
  • Overseas entities selling e-services into the UK
  • Tax credits calls to self-employed claimants
  • VAT EU emails
  • Emails to overseas businesses selling goods in the UK through online marketplaces
  • Tax-Free Childcare communications
  • Communications to childcare providers
  • Communications to parents taking part in the childcare service trial
  • Trade statistics import/export data emails
  • Educational emails
  • Debt management text messages
  • Voice prompts to landline and mobile phones
  • VAT Returns – email reminders
  • VAT registration – email
  • VAT debts – email reminders
  • Research communications
  • Employer email alerts – Employer Bulletin 65
  • Statutory notices requesting information

Keeping yourself safe online

To help stay safe online, you can follow the below best practice tips that we have collated:

  • Never provide personal account information by email or text message, and use extreme caution when clicking links in messages or sharing information over the phone. Instead, visit the company’s website directly or call them yourself.
  • Don’t click any link in or reply to an email or text without verifying the sender. Instead, go to the company’s website, find their contact information, and contact them directly about the issue.
  • Don’t click any link or button on a website without making sure that the address (URL) of the company’s website appears to be correct.
  • Don’t open or save attachments from unknown senders. If you receive an attachment that you weren’t expecting, contact the company to verify the contents.
  • If you’re not sure about the source of a browser pop-up window, avoid clicking any links or buttons in the window.
  • Always confirm the caller’s identity before you provide any sensitive information over the phone. If you get an unsolicited call from someone claiming to be from a company, hang up and contact the company directly.
  • Look out for a sender’s email address that is similar to, but not the same as the company’s email addresses. For example, fraudsters often have email accounts with HMRC or revenue names in them (such as ‘’). These email addresses are used to mislead you. If you’re not 100% sure that the message has come from the company you are dealing with, don’t open it. If you do open the email and you’re in doubt don’t click on any links or downloads.

If you receive an email from HMRC or any other business/association that you are unsure of, then please do not hesitate to contact your TTR Barnes account manager. We will endeavor to keep our clients updated on all of the latest phishing scams targeting HMRC/Companies House and other, relevant organisations.

Some further examples of phishing and bogus emails 

Here are some of the latest phishing scams out there as of May 2017. They are from find more details by clicking on the links.

Chartered Accountants in Sunderland, offering expertise on everything from Tax and Business Planning,
to Accounts and VAT.