Making Tax Digital is only a few months away, and with many businesses switching to online accounting systems before the deadline, it’s no surprise that scammers have been targeting MTD-compliant software. In the past few months we’ve received fake emails which look very similar to genuine ones sent by Xero, Receipt Bank, QuickBooks, Sage and HMRC.
Clicking the links in these emails can infect your phone or computer with malware and potentially expose your personal data to hackers. And if you enter any details after clicking the links – such as bank account numbers or usernames and passwords – the consequences can be even worse!
How can I tell whether an email is a scam?
The first thing to do is check the sender’s email address, particularly the part after the @ sign. This is known as the domain, and if it doesn’t match the website of the organisation the email claims to be from, then the email is probably a scam. See the example below.
Be careful: not all false domains are as obvious as the one above. Sometimes they look very similar to websites of genuine organisations, with just one letter different or a dash in the middle.
If the sender’s address looks genuine, does that mean the email is genuine?
Not necessarily. The email could still be a scam. For this reason, you should also preview any links in the email before clicking on them. Being careful not to click, hover the mouse cursor over the link. The link address should appear at the bottom of your email program or browser window. If it looks suspicious – if it’s for a website that has nothing to do with the organisation the email claims to be from – don’t click on it!
If you’re on a phone or tablet, you may be unable to preview the link. In this case, it’s best to check it on a PC or Mac if possible.
NB Canny scammers can send messages through your own website’s contact form, which can seem to have come from an email address within your own business. This is another reason to always preview links before clicking on them.
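For anyone who wants to automate the two checks described above (sender domain and link addresses), here is an added example that is not part of the original article. The domain accounts.example is a placeholder standing in for the organisation's real domain, and the sample email is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains you have confirmed yourself (placeholder value).
TRUSTED = {"accounts.example"}

# Constructed sample: lookalike sender, one genuine link, one unrelated link.
SAMPLE = (
    'From: "Accounts Team" <billing@acc0unts.example>\n'
    "Subject: Your invoice is ready\n"
    "\n"
    '<a href="https://login.accounts.example/invoice">View invoice</a>\n'
    '<a href="http://payments-portal.test/login">Pay now</a>\n'
)

def edit_distance(a, b):
    """Number of single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Return 'trusted', 'lookalike of <domain>' or 'unrelated'."""
    domain = domain.lower().rstrip(".")
    for good in TRUSTED:
        if domain == good or domain.endswith("." + good):
            return "trusted"
    for good in TRUSTED:
        # "One letter different or a dash in the middle"
        if domain.replace("-", "") == good or edit_distance(domain, good) == 1:
            return "lookalike of " + good
    return "unrelated"

def check_email(raw):
    """Classify the sender's domain and the host of every link in the body."""
    msg = message_from_string(raw)
    sender = parseaddr(msg["From"])[1].rpartition("@")[2]
    findings = [("sender", sender, classify(sender))]
    for url in re.findall(r'href="([^"]+)"', msg.get_payload()):
        host = urlparse(url).hostname or ""
        findings.append(("link", host, classify(host)))
    return findings
```

Anything other than "trusted" for the sender or for any link is a reason not to click.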
I’m still suspicious about an email. What should I do?
If you still have doubts, forward the email to your accountant. They should be able to check and let you know whether it’s genuine.
Woohoo! I’ve received a text about a tax refund from HMRC! But wait… is it genuine?
It’s tempting to believe any promise of money. But HMRC will never contact you about a tax refund by text or email. You’ll always get a letter. So if you receive an email or text from “HMRC” containing a link or instructions to claim a tax refund, it’s a scam. If you think you genuinely are due a refund, contact your accountant.
Help! I think I’ve clicked on a link in a scam email! What should I do?
If you clicked a link and entered any bank details, you should call your bank immediately and inform them.
If you clicked a link and entered login details for a particular website, you should visit that website directly and change your password. If possible, use a different computer or phone from the one you clicked the link on. If you use the same password for any other sites (and let’s face it, most of us do!) you should change your password for those sites too.
If you clicked the link on a PC, it’s also worth running a virus scan with Windows Defender or Malwarebytes.
What else can I do to keep my accounting systems secure?
Many websites, including Xero, offer two-step authentication. This means that after entering your username and password, you’ll be asked to enter a code before you’re given access to your account. The code will be sent to you by text or through a mobile app, such as Google Authenticator. Enabling two-step authentication means that even if a hacker did get hold of your username and password, they wouldn’t be able to access your account without also getting the code from your phone.
Other than that, you should use passwords that include a mixture of uppercase and lowercase letters, numbers and symbols, and which don’t contain any recognisable words. And if you see anything suspicious, or anything that seems too good to be true, contact your accountant.
Got a question about scam emails? Confused about Making Tax Digital? Feel free to contact us.