Blog posts tagged phishing

Good news: you're due a tax refound (sic) from HMRC

March 03, 2014 by John McGarvey

HMRC scam email

The scam email from my inbox

One morning recently, I opened my inbox to a piece of good news. Apparently, I'd paid too much tax over the last couple of years, and so HMRC wanted to give me a refund.

Well, according to the email's subject line, actually they were going to send me a 'refound'. But that's a mistake anyone can make, right?

HMRC email scams are on the rise

As you've probably guessed, this email was a poor attempt to scam me. It's a classic piece of phishing, where scammers send out official-looking messages to thousands (or millions) of email addresses in the hope that a few people will click a link in the email.

Different scams operate in different ways, but typically the criminals either want you to provide sensitive information like your bank details, or are trying to infect your computer with malware via a dodgy website.

Fake HMRC emails do tend to peak each year around the self-assessment deadline in January, but this year it seems there's been a significant rise. As the messages are continuing to flow, it's wise to stay on your guard.

How to spot an HMRC scam

Many of these HMRC phishing attempts are laughable, with ridiculous typos like 'refound'. A good spam filter or security software that checks your email should filter out most of them.

However, a few scam messages will always find their way into your inbox. And it's these you need to be careful of. Anyone can be fooled if they open a fake email at the wrong moment — like while they're very busy or distracted.

There's a lot of good guidance on HMRC's own website about how to spot scams and what to do. But here are some of the most important points to remember:

  • Scam messages can cover all sorts of topics, from payroll returns to messages promising rebates and refunds.
  • Be wary of messages that contain misspellings, typos and images that don't load properly.
  • Often, phishing emails have a sense of urgency, asking you to act immediately or face serious consequences.
  • HMRC never sends information about tax rebates by email. Nor does it request personal or payment details by email.
  • Be careful of attachments, especially .zip files. These could well infect your computer when you open them.
  • Don't click links in an email if you have any doubts. It's best to navigate directly to the HMRC website or give them a quick call, instead. 

Finally, before you follow a link in an email from HMRC, or reply to the message, take a moment to think. Is there anything strange about the message? Does it ring true?

It's always better to be overcautious when faced with a dubious message. If you're in any doubt at all as to its origins, just delete it.

Three ways to stay safe from the phisher-men

July 29, 2013 by IT Donut contributor

Fisherman

We said PHISHING, not fishing.

In 2013, most of us are now aware of the online threat known as 'phishing', where cyber criminals use various techniques to gain access to your email or social media accounts or, worse, get hold of your bank account or credit card details.

However, you might not realise that phishing has evolved. Criminals now use increasingly sophisticated con tricks and scare tactics to dupe unsuspecting victims into handing over their sensitive data.

These days, phishing emails are less likely to come from fictitious foreign royalty and more likely to come from one of your social media connections or a trusted business contact – at least, that’s who the email will appear to come from.

In reality, the sender will be a skilled confidence trickster prepared to spend time and effort slowly reeling you in.

Last year, the German Federal Court ruled that where people had fallen for phishing scams that appeared to originate from their banks, the victims were responsible for the losses, rather than the banks. This ruling may set an international precedent, which means protecting yourself against phishing could become even more important.

Here are my top three tips to avoid being hooked:

1. Slow down and don’t panic

A common technique among phishing emails is to try to panic you into a kneejerk reaction.

For example, you may receive an official-looking email telling you that one of your online accounts has been compromised and urging you to update your password via a link provided.

Or you might be told your computer has a virus and that you need to download a new piece of software to repair it.

Don’t bite – these are very likely to be phishing scams.

Most reputable companies will never send emails asking for sensitive information such as usernames, passwords, National Insurance numbers, bank or credit card details.

In the digital age, we’ve become accustomed to doing things quickly, often in a couple of clicks. A key to avoiding phishing is to slow things down.

If you receive an email that alarms you for any reason, treat it as highly suspicious and, above all, don’t click any links it contains.

2. Go direct

Many phishing emails link to spoof websites that are practically identical to the real sites they are trying to mimic, such as your bank.

Some of these sites will collect your login information and then do nothing (alerting you to a problem) but others will link you back to the genuine site, covering their tracks.

If you receive an email containing a link, hover over it without clicking to reveal the web address that it will take you to.

If it contains long strings of numbers or looks different from the usual web address of the sender (e.g. if ‘Twitter’ is spelled ‘Tvvittler’), it’s dodgy. Note the address, then contact the company involved directly to find out if the email is genuine or not.

However, be aware it's not always easy to spot dubious links. It's always safer to type in the correct website address manually, then sign in yourself.

3. Don’t be over-social

The rise of social networking has been a gift to cyber criminals. Most social network users willingly share masses of personal information on their public profiles. This often includes the names of spouses and children or family birthdays.

Unfortunately, the same people often use this information as the basis of their passwords. Scammers can also use this information to impersonate a trusted contact via an online message or email.

If you use social media, check your account settings to ensure your personal information can only be viewed by those in your network or, better still, be sensible about the information you post in the first place.

Also, never use the same password on multiple online accounts. Use a strong, unique password for each, protecting against a domino effect where one account after another is hacked using the same password.

Norman Begg works for online security company my1login.
