Students targeted by massive HMRC email scam
Scammers are telling students across the UK that they're entitled to a tax refund.
HM Revenue and Customs (HMRC) has revealed that 1,000s of university students have received fake tax refund emails which are a cover to steal their personal banking details.
HMRC, which is responsible for the collection of taxes in the UK, has received 1,000s of reports of fraud in just a few weeks. The organisation believes this is the first scam to target students directly in such a high volume.
It’s not like students haven’t been hit by cyber scams before – but such huge victim numbers reflect how fraud is on the rise, and that the criminals behind them are increasingly able to work around security measures.
The facts clearly show an increase in incidents. Between April and September this year, HMRC ordered for 7,500 phishing sites to be deactivated – that's compared with 5,200 during the same period in 2017.
But while scammers get smarter, you can protect yourself by being fully clued up about fraud techniques, what to look out for and what to avoid.
How did the scam work?
Fraudsters are clever. They tend to use as many disguises as possible to avoid detection and look like a legit form of communication that you might receive on an ordinary day.
In this instance, the scammers used seemingly legitimate university email addresses, like @uc.ac.uk, to make it look as though the message was coming from the institution where the student was studying.
You probably get emails from your uni every day, so why would you suspect anything was up when yet another one drops into your inbox?
The criminals then sent a message informing the recipient that they were entitled to a tax refund. Crucially, they usually copied the branding of gov.uk sites, as well as well-known credit cards, with the hope of looking as realistic as possible.
Students who clicked the link were taken to a page where they were asked to enter their bank details, which the scammers used to then steal money from them.
Pauline Smith, director of Action Fraud, told The Guardian:
Devious fraudsters will try every trick in the book to convince victims to hand over their personal information, often with devastating consequences.
It is vital that students spot the signs of fraudulent emails to avoid falling victim by following HMRC’s advice.
Which students should be wary?
The number of students who have reported being affected by this scam runs well into the 1,000s, and they come from universities around the country.
HMRC is calling on a select few universities to raise awareness of this type of scamming, possibly because more students were impacted from those institutions in this specific attack.
They included:
- Aberdeen
- Bristol
- Cambridge
- Durham
- Imperial College London
- King’s College London
- Manchester Metropolitan
- Newcastle
- Nottingham
- Plymouth
- Queen Mary, London
- Queen's, Belfast
- Southampton
- Sussex
- University College London
- Warwick
While these institutions were given specific warnings, this doesn't take away from the fact that every student should be warned about the dangers of scams, and that you should learn how to avoid becoming a victim yourself.
It is not currently known exactly how many students were impacted by this attack and how much was lost, though HMRC currently believes many victims haven't reported the scam and that the true number of affected students is larger than the current estimates.
How could this scam have been prevented?
There are steps that both universities and individuals can take to avoid being the victim of a scam like this one.
What can universities do?
Ms Smith, of Action Fraud, added:
HMRC is encouraging all universities to raise awareness of scams and many have already begun taking action to warn their students of the risks.
As we said, scams targeting students are not a new phenomenon, and so it's important that universities help educate their students about the types of scams that could be out there.
You might think that students are one of the least likely groups to be affected by cyber scams, as they're largely more confident and capable with technology.
But in reality, being a victim of a scam like this is nothing to do with how tech savvy you are.
And as most students may be very new to managing money and having their own bank accounts, as well as being unfamiliar with something like a tax refund, being good with computers is almost irrelevant.
It's all about knowing when and how you'll be contacted about your personal finances, and what details you will and won't be asked for by legitimate sources – as this infamously creepy advert highlights.
What can you do?
If you are clued up about what to look out for, you’ll never give over the information scammers need.
Mel Stride, financial secretary to the Treasury, told The Guardian:
HMRC will never inform you about tax refunds by email, text, or voicemail. If you receive one of these messages it is a scam.
Do not click any links in these messages and forward them to HMRC’s phishing email address [[email protected]].
Although HMRC is cracking down hard on internet scams, criminals will stop at nothing to steal personal information. I’d encourage all students to become phishing aware – it could save you a lot of money.
How to avoid being scammed
Remembering UPDATE is a great first step to avoiding becoming the victim of online fraud or scams.
UPDATE is an acronym that net safety specialist Marc Goodman invented, and stands for:
- Update regularly
- Passwords – don’t reuse them
- Download from authorised sources
- ‘Administrator’ should not be your default setting
- Turn off when you’re done
- Encrypt to keep your stuff unreadable.
It is also a good idea to know the forms a scam can take.
We identified 14 common money scams to look out for. These include phishing, where the criminal essentially ‘phishes’ for your personal finance details online, and the related trend of ‘smishing’. Although it sounds harmless, it’s a serious crime and is basically phishing but via text messaging (or SMS, hence ‘smishing’).
You should also be wary of fake websites, ticket and competition scams, and even dodgy cash machines that may hold a hidden camera trying to capture what your pin number is.
Have you received one of the fake HMRC emails? Let us know in the comments!