VAT fraud – Avoid getting caught out by phishing attacks

Scammers are increasingly targeting VAT-registered businesses with phishing attacks.

Warnings have been issued by a number of organisations, and taxpayers are being encouraged to check requests carefully.

To help you avoid becoming a victim of these fraudsters, here is what you need to know to avoid getting caught out.

Phishing and VAT fraud

Phishing is when cyber criminals send fraudulent emails or text messages containing links to malicious websites.

These websites often trick users into revealing sensitive information (such as passwords) or encourage taxpayers to transfer money.

They can also contain malware that sabotages systems and organisations or ransomware, which holds sensitive information or systems ransom in return for a fee.

For example, scammers are manipulating and submitting form VAT 484 to HM Revenue & Customs (HMRC) to change legitimate bank details to theirs.

Once a repayment return is processed and verified by HMRC, funds are directed to the fraudsters’ accounts instead of the legitimate ones.

Many businesses are currently being targeted by these methods as they submit their regular VAT report to HMRC and make payments.

While they can be hard to identify, there are recurring scams that target both individual finances and businesses.

The most common ones include:

• Texts or calls offering HMRC tax refunds
• Email scams about tax rebates
• Automated phone call scams that claim HMRC is filing a lawsuit.

Never disclose personal or financial information about you or your business to people or websites claiming to be HMRC – unless you are 100 per cent sure that you are speaking to the tax authority.

HMRC will only ever email you about a tax rebate or ask for personal or payment information from an email address that ends in hmrc.gov.uk.

To find out more about how you can prevent yourself from falling victim to an HMRC scam, please visit the tax authority’s dedicated advice page.

How to prevent phishing attacks

It is difficult to mitigate against all phishing attacks. However, there are steps you can take to protect your organisation as much as possible.

The National Cyber Security Council (NCSC) recommends a four-layer defence system:

• Make it difficult for attackers to reach your users.
• Help users identify and report suspected phishing messages.
• Protect your organisation from the effects of undetected phishing emails.
• Respond quickly to incidents.

You can implement these four layers of defence by:

• Using secure, encrypted connections for business transactions and HMRC communications.
• Conducting regular phishing awareness training for all employees.
• Implementing multi-factor authentication for access to sensitive accounts.
• Reporting suspicious emails to HMRC (phishing@hmrc.gov.uk) to help fight phishing scams.

If you are unsure whether a communication from HMRC is legitimate or not, please seek advice from our team at the earliest opportunity.

For more information, please get in touch.