Credit: Rakesh Pandit/Pixahive

HM Revenue and Customs has warned the public to be on the lookout for fraudsters operating on social media.

The department has published new guidance reminding citizens of the importance of protecting their account information – and warning that social networks have become a popular with scammers seeking to “trick or persuade people into sharing their personal or login details” for the tax agency’s Government Gateway online login service.

“They use these details to apply for fraudulent tax repayments from HMRC,” the department added. “They hide their own identity, which means the person whose details they’ve used will owe money to HMRC. Their social media posts often advertise that they are ‘risk free’. They may also send direct messages to you through social media.”

Anyone who does unwittingly share their details with a fraudster is warned that they “will be at risk of having to pay back the full tax debt created… in your name”. 

The guidance said: “Your bank account may be frozen, and fraudsters may post or sell your personal details online for anyone to use.”

Consequently, users are advised not to share their HMRC login details with anyone – including tax agents operating on their behalf.

Related content

• HMRC issues fraud warning after taking down 10,000 websites in a year
• HMRC told to step up Covid fraud recovery work
• HMRC scam website crackdown ‘saves public £2.4m’

Anyone who sees an advert or post on a social platform that asks for the provision of login information, National Insurance numbers, or any other personal details is asked to tell HMRC via the online service for reporting tax fraud. Social media fraud should be reported via a separate service to that which is used for flagging suspicious emails, texts, or phone calls.

The guidance also outlines measures taken by HMRC to protect online interactions with the department, which includes automatically logging out users after 15 minutes of inactivity, and providing information on the time and date of the previous login, so users can spot any unexplained access to their account.

HMRC also encrypts data sent and received by the department via its digital services.

“If someone was able to externally view your connection to HMRC, they would be unable to interpret the data sent,” it said.

The department also protects most online accounts with multi-factor authentication technology – a process which, after a user has entered their login details, requires the additional provision of a one-off code that can be sent via text or voice message.

“If you use text messages or voice calls for multi-factor authentication, and you receive login codes from HMRC when you are not trying to log in, it may mean someone has your login details,” the guidance said. “If this happens, it would be sensible to change your password.”