Millions ‘bombarded with fake HMRC phishing emails’

Fraudsters are targeting millions of people completing their tax returns online this month with phishing emails that claim to be from HMRC.

Forty per cent of the estimated 10 million UK citizens completing their self-assessment tax forms online ahead of HMRC's end-of-January deadline have received fake emails pretending to be from the tax office, according to a survey by digital authentication vendor MIRACL.

But, while a fifth of the 1,000 respondents told the company that they or someone they know has been a victim of identity fraud, only 14 per cent said they were concerned about using online government services.

Brian Spector, CEO at MIRACL, said: "The volume of data involved in filling out a tax return online makes [fraud] a far greater risk. With all the financial data involved in a tax return, a criminal could potentially take out a mortgage in your name. Data theft and identity fraud is a multi-billion dollar business on the dark web, and so consumers must be vigilant."

The findings come just two weeks after HMRC issued a warning to those filing their tax returns this month, telling them to be wary of scam emails sent by criminals hoping to get their hands on people's personal data.

Describing itself as "one of the most phished brands in the world", the tax office said: "Cyber criminals are likely to use the approaching 31 January deadline for Self Assessment as a cover for their scams.

"HMRC takes online security extremely seriously, but it also needs customers to play their part."

Its director of security and information, Jonathan Lloyd White, added: "We are committed to customers' online security, but the methods that fraudsters use to get information are constantly changing so people need to be alert. When using our online services I would urge all our customers to be vigilant, and remember that HMRC will never send an email to ask for your personal information or password, or include a link or attachment."

An email from HMRC will not ask for any personal or financial information, including a user's address, nor will it include any email attachments, links, or repayment offers.