New scam targeting VAT registered businesses

Scammers are increasingly targeting VAT-registered businesses with phishing attacks.

The attacks arrive as emails purporting to come from HMRC, and they look increasingly plausible, so please think twice before clicking on any links.

Remember to check the address of the email’s sender. If this is not from a government department then it’s almost certain that the email is a phishing attack.

HMRC often send messages in respect of VAT via a business’s Online Account. So where you are unsure of an email’s authenticity, check whether a similar message has also been sent to the business’s Online Account.

Suspicious emails can be reported to HMRC (phishing@hmrc.gov.uk). This will help HMRC to fight phishing scams – they will also be able to tell a business whether an email is a scam or not.

Phishing and VAT Registered Businesses

Phishing is when cyber criminals send fraudulent emails or text messages containing links to malicious websites.

These attacks often trick users into revealing sensitive information (such as passwords) or encourage taxpayers to transfer money.

They can also contain malware that sabotages systems and organisations, or ransomware, which holds sensitive information or systems to ransom in return for a fee.

In the past, phishing attacks have included communications purporting to be from HMRC in respect of tax refunds/rebates and even threats in respect of lawsuits.

However, the current VAT version sees an email alerting the business that:

“A compliance check is being conducted on your VAT return”

VAT registered businesses will be aware that HMRC often check the accuracy of VAT returns. 

This happens particularly in instances where a business is seeking to recover VAT. The more sophisticated attacks will therefore recognise the type of businesses that will make such claims, with the result that the business will almost be expecting some form of communication from HMRC.

However, HMRC will then usually request the permission of the business to communicate with it via email rather than asking the business to click on a link.

General advice on preventing phishing attacks

HMRC provide some information to help businesses avoid falling foul of scams on an advice page.

Good cyber practice can also limit the chance of phishing attacks succeeding. This can include ensuring that secure encrypted connections are used, that passwords are strong (with multi-factor authentication used where possible), and that staff are provided with regular training in respect of phishing activities.

Where a business has fallen for a phishing attack, swift action is recommended to change passwords. Where account numbers have been disclosed, the bank should be informed immediately.

If you are unsure whether a communication from HMRC is legitimate or not, please seek advice from our team at the earliest opportunity.

For more information, please get in touch
